User authentication samples

sdk/identity/azure-identity/MANIFEST.in

@@ -1,3 +1,4 @@
+recursive-include samples *.py
 recursive-include tests *.py
 include *.md
-include azure/__init__.py
+include azure/__init__.py

sdk/identity/azure-identity/samples/README.md

@@ -0,0 +1,18 @@
+---
+page_type: sample
+languages:
+  - python
+products:
+  - azure
+  - azure-identity
+urlFragment: identity-samples
+---
+
+# Azure Identity Client Library Python Samples
+
+* [user_authentication.py](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/identity/azure-identity/samples/user_authentication.py) -
+ demonstrates user authentication API for applications
+
+ * [control_interactive_prompts.py](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/identity/azure-identity/samples/control_interactive_prompts.py) -
+ demonstrates controlling when interactive credentials such as
+ `InteractiveBrowserCredential` prompt for user interaction

sdk/identity/azure-identity/samples/control_interactive_prompts.py

@@ -0,0 +1,38 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+"""Demonstrates controlling the timing of interactive authentication using InteractiveBrowserCredential.
+
+DeviceCodeCredential supports the same API.
+"""
+
+import os
+import sys
+from azure.identity import AuthenticationRequiredError, InteractiveBrowserCredential
+from azure.keyvault.secrets import SecretClient
+
+
+# This sample uses Key Vault only for demonstration. Any client accepting azure-identity credentials will work the same.
+VAULT_URL = os.environ.get("VAULT_URL")
+if not VAULT_URL:
+    print("This sample expects environment variable 'VAULT_URL' to be set with the URL of a Key Vault.")
+    sys.exit(1)
+
+
+# If it's important for your application to prompt for authentication only at certain times,
+# create the credential with disable_automatic_authentication=True. This configures the credential to raise
+# when interactive authentication is required, instead of immediately beginning that authentication.
+credential = InteractiveBrowserCredential(disable_automatic_authentication=True)
+client = SecretClient(VAULT_URL, credential)
+
+try:
+    secret_names = [s.name for s in client.list_properties_of_secrets()]
+except AuthenticationRequiredError as ex:
+    # Interactive authentication is necessary to authorize the client's request. The exception carries the
+    # requested authentication scopes. If you pass these to 'authenticate', it will cache an access token
+    # for those scopes.
+    credential.authenticate(scopes=ex.scopes)
+
+# the client operation should now succeed
+secret_names = [s.name for s in client.list_properties_of_secrets()]

sdk/identity/azure-identity/samples/user_authentication.py

@@ -0,0 +1,43 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+"""Demonstrates user authentication using InteractiveBrowserCredential. DeviceCodeCredential supports the same API."""
+
+import os
+import sys
+from azure.identity import AuthenticationRecord, InteractiveBrowserCredential
+from azure.keyvault.secrets import SecretClient
+
+
+# This sample uses Key Vault only for demonstration. Any client accepting azure-identity credentials will work the same.
+VAULT_URL = os.environ.get("VAULT_URL")
+if not VAULT_URL:
+    print("This sample expects environment variable 'VAULT_URL' to be set with the URL of a Key Vault.")
+    sys.exit(1)
+
+
+# Persistent caching is optional. By default, interactive credentials cache in memory only.
+credential = InteractiveBrowserCredential(enable_persistent_cache=True)
+
+# The 'authenticate' method begins interactive authentication. Call it whenever it's convenient
+# for your application to authenticate a user. It returns a record of the authentication.
+record = credential.authenticate()
+
+# The record contains no authentication secrets. You can serialize it to JSON for storage.
+record_json = record.serialize()
+
+# An authenticated credential is ready for use with a client. This request should succeed
+# without prompting for authentication again.
+client = SecretClient(VAULT_URL, credential)
+secret_names = [s.name for s in client.list_properties_of_secrets()]
+
+# With persistent caching enabled, an authentication record stored by your application enables
+# credentials to access data from past authentications. If the cache contains sufficient data,
+# this eliminates the need for your application to prompt for authentication every time it runs.
+deserialized_record = AuthenticationRecord.deserialize(record_json)
+new_credential = InteractiveBrowserCredential(enable_persistent_cache=True, authentication_record=deserialized_record)
+
+# This request should also succeed without prompting for authentication.
+client = SecretClient(VAULT_URL, new_credential)
+secret_names = [s.name for s in client.list_properties_of_secrets()]