Provides Azure Active Directory (AAD) authentication functionality for R users of Microsoft's 'Azure' cloud < https://azure.microsoft.com/>. Use this package to obtain 'OAuth' 2.0 tokens for services including Azure Resource Manager, Azure Storage and others. It supports both AAD v1.0 and v2.0, as well as multiple authentication methods, including device code and resource owner grant. Tokens are cached in a user-specific directory obtained using the 'rappdirs' package. The interface is based on the 'OAuth' framework in the 'httr' package, but customised and streamlined for Azure. Part of the 'AzureR' family of packages.
AzureAuth provides Azure Active Directory (AAD) authentication functionality for R users of Microsoft's Azure cloud. Use this package to obtain OAuth 2.0 tokens for Azure services including Azure Resource Manager, Azure Storage and others. Both AAD v1.0 and v2.0 are supported.
You can install the development version of the package from GitHub, with
The main function in AzureAuth is
get_azure_token, which obtains an OAuth token from AAD. The token is cached in a user-specific directory using the rappdirs package, and future requests will use the cached token without needing you to reauthenticate.
For reasons of CRAN policy, AzureAuth will ask you for permission to create this directory. Unless you have a specific reason otherwise, it's recommended that you allow the directory to be created. Note that most other cloud engineering tools save credentials in this way, including Docker, Kubernetes, and the Azure CLI itself.
library(AzureAuth)token <- get_azure_token(resource="myresource", tenant="mytenant", app="app_id", ...)
Other supplied functions include
clean_token_directory, to let you manage the token cache.
AzureAuth supports the following methods for authenticating with AAD: authorization_code, device_code, client_credentials, resource_owner and on_behalf_of.
get_azure_tokenopens a login window in your browser, where you can enter your AAD credentials. In the background, it loads the httpuv package to listen on a local port. Once you have logged in, the AAD server redirects your browser to a local URL that contains an authorization code.
get_azure_tokenretrieves this authorization code and sends it to the AAD access endpoint, which returns the OAuth token.
# obtain a token using authorization_code# no user credentials neededget_azure_token("myresource", "mytenant", "app_id", auth_type="authorization_code")
get_azure_tokencontacts the AAD devicecode endpoint, which responds with a login URL and an access code. You then visit the URL and enter the code, possibly using a different computer. Meanwhile,
get_azure_tokenpolls the AAD access endpoint for a token, which is provided once you have entered the code.
# obtain a token using device_code# no user credentials neededget_azure_token("myresource", "mytenant", "app_id", auth_type="device_code")
get_azure_tokencontacts the access endpoint, passing it the credentials. This can be either a client secret or a certificate, which you supply in the
certificateargument respectively. Once the credentials are verified, the endpoint returns the token.
# obtain a token using client_credentials# supply credentials in password argget_azure_token("myresource", "mytenant", "app_id",password="client_secret", auth_type="client_credentials")# can also supply a client certificate as a PEM/PFX file...get_azure_token("myresource", "mytenant", "app_id",certificate="mycert.pem", auth_type="client_credentials")# ... or as an object in Azure Key Vaultcert <- AzureKeyVault::key_vault("myvault")$certificates$get("mycert")get_azure_token("myresource", "mytenant", "app_id",certificate=cert, auth_type="client_credentials")
get_azure_tokenpasses your (personal) username and password to the AAD access endpoint, which validates your credentials and returns the token.
# obtain a token using resource_owner# supply credentials in username and password argsget_azure_token("myresource", "mytenant", "app_id",username="myusername", password="mypassword", auth_type="resource_owner")
# obtaining multiple tokens: authenticate (interactively) once...tok0 <- get_azure_token("serviceapp_id", "mytenant", "clientapp_id", auth_type="authorization_code")# ...then get tokens for each resource with on_behalf_oftok1 <- get_azure_token("resource1", "mytenant," "serviceapp_id",password="serviceapp_secret", auth_type="on_behalf_of", on_behalf_of=tok0)tok2 <- get_azure_token("resource2", "mytenant," "serviceapp_id",password="serviceapp_secret", auth_type="on_behalf_of", on_behalf_of=tok0)
If you don't specify the method,
get_azure_token makes a best guess based on the presence or absence of the other authentication arguments, and whether httpuv is installed.
# this will default to authorization_code if httpuv is installed, and device_code if notget_azure_token("myresource", "mytenant", "app_id")# this will use on_behalf_of methodget_azure_token("myresource", "mytenant", "app_id",password="client_secret", on_behalf_of=token)
The AzureAuth interface is based on the OAuth framework in the httr package, customised and streamlined for Azure. It is an independent implementation of OAuth, but benefited greatly from the work done by Hadley Wickham and the rest of the httr development team.
certificateargument, specify either the name of a PEM/PFX file, or an AzureKeyVault object representing a cert.
aad_hostargument, for Azure B2C logins. Note that B2C requires https redirect URIs, which are not currently supported by httpuv; rather than the authorization_code flow, use device_code or client_credentials.
token_argsargument from being passed to the token endpoint.
authorization_codeflow, print the AAD error message, if possible.
decode_jwt, a utility function to view the token data.