Reference

session = AzSession([; kwargs...])

Create an Azure session for authentication using a specific authentication protocol. The available protocols and their kwargs are as follows.

Authorization code flow

session = AzSession(;
    protocol = _manifest["protocol"] | AzDeviceCodeFlowCredentials,
    client_id = AzSessions._manifest["client_id"],
    redirect_uri = "http://localhost:44300/reply",
    scope = "openid+offline_access+https://storage.azure.com/user_impersonation",
    scope_auth = "openid+offline_access+https://management.azure.com/user_impersonation+https://storage.azure.com/user_impersonation",
    tenant = AzSessions._manifest["tenant"],
    lazy = false,
    clearcache = false)

Device code flow

session = AzSession(;
    protocol = AzDeviceCodeCredentials
    client_id = AzSessions._manifest["client_id"],
    scope = "openid+offline_access+https://management.azure.com/user_impersonation",
    scope_auth = "openid+offline_access+https://management.azure.com/user_impersonation+https://storage.azure.com/user_impersonation",
    tenant = AzSessions._manifest["tenant"],
    clearcache = false)

Client Credentials

session = AzSession(;
    protocol = AzClientCredentials,
    tenant=AzSessions._manifest["tenant"],
    client_id=AzSessions._manifest["client_id"],
    client_secret=AzSessions._manifest["client_secret"],
    resource="https://management.azure.com/",
    clearcache = false)

VM Credentials

session = AzSession(;
    protocol = AzVMCredentials,
    resource = "https://management.azure.com/",
    clearcache = false)

New audience

Create a session from an existing auth code flow session or device code flow session, but with a new scope. This means that we can get a session with a new audience without requiring re-authentication. Note that the new scope must be in session.scope_auth.

session = AzSession(;
    protocol=AzAuthCodeFlowCredentials,
    scope_auth="openid+offline_access+https://management.azure.com/user_impersonation+https://storage.azure.com/user_impersonation",
    scope="openid+offline_access+https://management.azure.com/user_impersonation")

t = token(session) # token for `https://management.azure.com` audience
session = AzSession(session; scope="openid+offline_access+https://storage.azure.com/user_impersonation")
t = token(session) # token for `https://storage.azure.com` audience without needing to re-authenticate

Notes

• If lazy=false, then authenticate at the time of construction. Otherwise, wait until the first use of the session before authenticating.
• If clearcache=false, then check the session-cache for an existing token rather than re-authenticating. The cache is stored in a JSON file (~/.azsessions/sessions.json).
• The default protocol can be set in the manifest (see the AzSessions.write_manifest method for more information).

token(session[; offset=Second(rand(300:600))])

Return the OAuth2 token associate with session. The offset ensures that the token is valid for at least offset time. The default offset is randomized between 5 and 15 minutes. We randomize the offset to avoid calling the Azure authentication end-point at the same time from many VMs operating in parallel.

scrub!(session)

Remove sensitive information from session (e.g. token, client secret)

AzSessions.write_manifest(;client_id="", client_secret="", tenant="", protocol="")

Write an AzSessions manifest file (~/.azsessions/manifest.json). The manifest file contains account specific credentials.

Notes

client secret

The client can be configured such that the client_secret is not required for the authorization-code-flow and device-code-flow. In this scenario, one may choose to omit setting the client_secret in the manifest. For example:

AzSessions.write_manifest(;client_id="myclientid", tenant="mytenant")

protocol

The protocol is one of "AzAuthCodeFlowCredentials", "AzDeviceCodeFlowCredentials", "AzClientCredentials" and "AzVMCredentials". If the default protocol="" is chosen for the manifest, then AzSession() will default to AzDeviceCodeFlowCredentials. The protocol in the manifest can always be over-ridden using the protocol argument to AzSession.