# NOT RUN {
# Azure Resource Manager token without any stored credentials: this uses the
# authorization_code method when httpuv is installed and device_code when it
# is not. Both are interactive sign-ins, so no secret lives in the script.
get_azure_token(
  resource = "https://management.azure.com/",
  tenant = "mytenant",
  app = "app_id"
)

# auth_type pins the method instead of relying on the default choice.
# With device_code, only complete a code prompt that you started yourself.
get_azure_token(
  resource = "https://management.azure.com/",
  tenant = "mytenant",
  app = "app_id",
  auth_type = "device_code"
)

# Supplying the app secret as the password makes client_credentials the default.
# "app_secret" is a placeholder: in real code read the secret at run time
# (environment variable, secret store) rather than keeping it in source.
get_azure_token(
  resource = "https://management.azure.com/",
  tenant = "mytenant",
  app = "app_id",
  password = "app_secret"
)
# resource_owner method: the script itself submits the user's name and password.
# This flow cannot satisfy an interactive MFA prompt and exposes the password
# to the calling code, so prefer an interactive or certificate method where
# one is available. The values below are placeholders, not something to
# hard-code in a real script.
get_azure_token(
  resource = "https://myresource/",
  tenant = "mytenant",
  app = "app_id",
  username = "user",
  password = "abcdefg"
)
# Several tokens from one sign-in. Step 1: the user authenticates
# interactively, once, against the service app.
tok0 <- get_azure_token(
  resource = "serviceapp_id",
  tenant = "mytenant",
  app = "clientapp_id",
  auth_type = "authorization_code"
)

# Step 2: the service app exchanges that token, via on_behalf_of, for one
# token per downstream resource (Resource Manager, then MS Graph).
# "serviceapp_secret" is a placeholder for a secret loaded at run time.
tok1 <- get_azure_token(
  resource = "https://management.azure.com/",
  tenant = "mytenant",
  app = "serviceapp_id",
  password = "serviceapp_secret",
  on_behalf_of = tok0
)
tok2 <- get_azure_token(
  resource = "https://graph.microsoft.com/",
  tenant = "mytenant",
  app = "serviceapp_id",
  password = "serviceapp_secret",
  on_behalf_of = tok0
)
# authorization_code for an app registered in AAD as a web client rather than
# a native one: the client secret goes in the password argument.
# auth_type must be given here, otherwise a password alone would select
# client_credentials.
get_azure_token(
  resource = "https://management.azure.com/",
  tenant = "mytenant",
  app = "app_id",
  password = "app_secret",
  auth_type = "authorization_code"
)

# Override the default redirect URI (localhost:1410). The value has to match a
# redirect URI registered for the app; keep it on the loopback interface so
# the authorization code is not sent in clear text to another host.
get_azure_token(
  resource = "https://management.azure.com/",
  tenant = "mytenant",
  app = "app_id",
  authorize_args = list(redirect_uri = "http://localhost:8000")
)
# AAD v1.0 token for Resource Manager (v1.0 is the default version)
token1 <- get_azure_token(
  resource = "https://management.azure.com/",
  tenant = "mytenant",
  app = "app_id"
)

# The same request against AAD v2.0. The "offline_access" scope additionally
# asks for a refresh token, which is a longer-lived credential than the
# access token and deserves the same protection as a password.
token2 <- get_azure_token(
  resource = c("https://management.azure.com/.default", "offline_access"),
  tenant = "mytenant",
  app = "app_id",
  version = 2
)

# Several Microsoft Graph scopes in one AAD v2.0 request.
# The *.ReadWrite.All scopes are tenant-wide write permissions; in real use
# request only the scopes the script actually needs.
get_azure_token(
  resource = c(
    "https://graph.microsoft.com/User.Read.All",
    "https://graph.microsoft.com/User.ReadWrite.All",
    "https://graph.microsoft.com/Directory.ReadWrite.All",
    "offline_access"
  ),
  tenant = "mytenant",
  app = "app_id",
  version = 2
)
# Show the tokens that have been saved. Saved tokens are usable credentials,
# so check which ones exist on shared or long-lived machines.
list_azure_tokens()

# Remove one saved token from disk, identified by the arguments it was
# requested with. This deletes the local copy only; it is not a revocation
# on the AAD side.
delete_azure_token(
  resource = "https://myresource/",
  tenant = "mytenant",
  app = "app_id",
  username = "user",
  password = "abcdefg"
)

# Remove a saved token by its MD5 hash instead. The hash is used here as a
# lookup key for the saved token -- presumably derived from the request
# arguments above -- not as an integrity or secrecy mechanism.
delete_azure_token(hash = "7ea491716e5b10a77a673106f3f53bfd")
# B2C login: aad_host points at a custom AAD endpoint instead of the default.
# Credentials are sent to whatever host is named here, so take the value
# from trusted configuration. "password" is a placeholder secret.
get_azure_token(
  resource = "https://mydomain.com",
  tenant = "mytenant",
  app = "app_id",
  password = "password",
  aad_host = "https://mytenant.b2clogin.com/tfp/mytenant.onmicrosoft.com/custom/oauth2"
)
# Certificate authentication from a PEM file. The file holds the private key,
# so restrict its file permissions and keep it out of version control.
get_azure_token(
  resource = "https://management.azure.com/",
  tenant = "mytenant",
  app = "app_id",
  certificate = "mycert.pem"
)

# Certificate authentication with a certificate kept in Azure Key Vault
# rather than in a local file.
cert <- AzureKeyVault::key_vault("myvault")$certificates$get("mycert")
get_azure_token(
  resource = "https://management.azure.com/",
  tenant = "mytenant",
  app = "app_id",
  certificate = cert
)

# Ask for 2 hours of validity (the default is 1 hour). A longer lifetime also
# lengthens the window in which a leaked credential remains usable.
get_azure_token(
  resource = "https://management.azure.com/",
  tenant = "mytenant",
  app = "app_id",
  certificate = cert_assertion("mycert.pem", duration = 2 * 3600)
)
# ID token via AAD v1.0: a blank resource ("") requests an ID token only.
# use_cache = FALSE is passed so this token is not taken from, or kept in,
# the saved-token cache.
tok <- get_azure_token(
  resource = "",
  tenant = "mytenant",
  app = "app_id",
  use_cache = FALSE
)
# NOTE(review): at top level the result is echoed to the console; if that is
# the raw JWT, keep it out of shared logs and notebooks -- confirm.
extract_jwt(tok, "id")

# ID token via AAD v2.0 (the recommended route): request the "openid" scope.
tok2 <- get_azure_token(
  resource = c("openid", "offline_access"),
  tenant = "mytenant",
  app = "app_id",
  version = 2
)
extract_jwt(tok2, "id")
# Token for a managed identity: run this from inside the VM, container or
# service that has the identity. No secret is passed in the call.
get_managed_token(resource = "https://management.azure.com/")

# Managed identity with a user-defined identity: name the identity by exactly
# one of object_id, client_id or mi_res_id (the Azure resource ID).
# These values can be looked up in the Azure Portal or with the Azure CLI.
get_managed_token(
  resource = "https://management.azure.com/",
  token_args = list(
    mi_res_id = "/subscriptions/zzzz-zzzz/resourceGroups/resgroupname/..."
  )
)
# Reuse the refresh token issued for one resource to obtain an access token
# for a second resource. The clone is retargeted, so `tok` keeps its resource.
tok <- get_azure_token(
  resource = "https://myresource",
  tenant = "mytenant",
  app = "app_id"
)
tok2 <- tok$clone()
tok2$resource <- "https://anotherresource"
tok2$refresh()

# AAD v2.0 equivalent: the target is set through `scope` rather than
# `resource`, and "offline_access" is what provides the refresh token.
tok <- get_azure_token(
  resource = c("https://myresource/.default", "offline_access"),
  tenant = "mytenant",
  app = "app_id",
  version = 2
)
tok2 <- tok$clone()
tok2$scope <- c("https://anotherresource/.default", "offline_access")
tok2$refresh()
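# Manually attach the token as an Authorization header on an HTTP request.
tok <- get_azure_token(
  resource = "https://myresource",
  tenant = "mytenant",
  app = "app_id"
)

# A token taken from the cache can already be past its expiry; renew it first
# so the request is not sent with a stale credential.
if (!tok$validate()) {
  tok$refresh()
}

# The header value is a bearer credential: send it only over HTTPS to the
# resource the token was issued for, and keep it out of logs.
header <- httr::add_headers(
  Authorization = paste("Bearer", tok$credentials$access_token)
)

# `...` stands for any further arguments to the request.
httr::GET("https://myresource/path/for/call", header, ...)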
# }