Token-based authentication using Azure Active Directory tokens. This is the most common authentication method for Azure services, providing automatic token refresh, scopes-based access control, and support for advanced features like Continuous Access Evaluation (CAE) and Proof of Possession (PoP) tokens.
The primary interface for token-based authentication in Azure services.
/**
* Represents a credential capable of providing an authentication token.
*/
interface TokenCredential {
/**
* Gets the token provided by this credential.
* This method is called automatically by Azure SDK client libraries.
*
* @param scopes - The list of scopes for which the token will have access
* @param options - The options used to configure any requests this TokenCredential implementation might make
* @returns Promise that resolves to an AccessToken or null if authentication fails
*/
getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken | null>;
}Usage Examples:
import { TokenCredential, AccessToken } from "@azure/core-auth";
// Custom token credential implementation
class MyTokenCredential implements TokenCredential {
async getToken(scopes: string | string[]): Promise<AccessToken | null> {
// Your authentication logic here
const token = await getTokenFromAzureAD(scopes);
return {
token: token.accessToken,
expiresOnTimestamp: token.expiresOn.getTime(),
refreshAfterTimestamp: token.refreshAfter?.getTime(),
tokenType: "Bearer"
};
}
}
// Using with different scope formats
const credential = new MyTokenCredential();
// Single scope
const token1 = await credential.getToken("https://storage.azure.com/.default");
// Multiple scopes
const token2 = await credential.getToken([
"https://graph.microsoft.com/.default",
"https://storage.azure.com/.default"
]);Represents an access token returned by authentication services.
/**
* Represents an access token with an expiration time.
*/
interface AccessToken {
/** The access token returned by the authentication service */
token: string;
/** The access token's expiration timestamp in milliseconds, UNIX epoch time */
expiresOnTimestamp: number;
/** The timestamp when the access token should be refreshed, in milliseconds, UNIX epoch time */
refreshAfterTimestamp?: number;
/** Type of token - 'Bearer' or 'pop' */
tokenType?: "Bearer" | "pop";
}Configuration options for token requests, supporting advanced authentication scenarios.
/**
* Defines options for TokenCredential.getToken.
*/
interface GetTokenOptions {
/** The signal which can be used to abort requests */
abortSignal?: AbortSignalLike;
/** Options used when creating and sending HTTP requests for this operation */
requestOptions?: {
/** The number of milliseconds a request can take before automatically being terminated */
timeout?: number;
};
/** Options used when tracing is enabled */
tracingOptions?: {
/** Tracing Context for the current request */
tracingContext?: TracingContext;
};
/** Claim details to perform the Continuous Access Evaluation authentication flow */
claims?: string;
/** Indicates whether to enable the Continuous Access Evaluation authentication flow */
enableCae?: boolean;
/** Allows specifying a tenantId. Useful to handle challenges that provide tenant Id hints */
tenantId?: string;
/** Options for Proof of Possession token requests */
proofOfPossessionOptions?: {
/** The nonce value required for PoP token requests.
* This is typically retrieved from the WWW-Authenticate header of a 401 challenge response. */
nonce: string;
/** The HTTP method of the request */
resourceRequestMethod: HttpMethods;
/** The URL of the request */
resourceRequestUrl: string;
};
}Usage Examples:
import { TokenCredential, GetTokenOptions } from "@azure/core-auth";
const credential: TokenCredential = /* your credential */;
// Basic token request
const basicToken = await credential.getToken("https://storage.azure.com/.default");
// Token request with timeout
const tokenWithTimeout = await credential.getToken(
"https://storage.azure.com/.default",
{
requestOptions: { timeout: 30000 } // 30 seconds
}
);
// Token request with CAE enabled
const caeToken = await credential.getToken(
"https://graph.microsoft.com/.default",
{
enableCae: true,
claims: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs..."
}
);
// Token request for specific tenant
const tenantToken = await credential.getToken(
"https://storage.azure.com/.default",
{
tenantId: "your-tenant-id"
}
);
// Proof of Possession (PoP) token request
const popToken = await credential.getToken(
"https://storage.azure.com/.default",
{
proofOfPossessionOptions: {
nonce: "nonce-from-challenge",
resourceRequestMethod: "GET",
resourceRequestUrl: "https://mystorageaccount.blob.core.windows.net/container/blob"
}
}
);Runtime validation to determine if an object implements the TokenCredential interface.
/**
* Tests an object to determine whether it implements TokenCredential.
* @param credential - The assumed TokenCredential to be tested
* @returns true if the object implements TokenCredential, false otherwise
*/
function isTokenCredential(credential: unknown): credential is TokenCredential;Usage Examples:
import { isTokenCredential } from "@azure/core-auth";
function authenticateWithCredential(credential: unknown) {
if (isTokenCredential(credential)) {
// TypeScript now knows credential is TokenCredential
return credential.getToken("https://storage.azure.com/.default");
}
throw new Error("Invalid credential provided");
}
// Usage in credential detection
const credentials = [keyCredential, tokenCredential, sasCredential];
const tokenCredentials = credentials.filter(isTokenCredential);
// tokenCredentials array now contains only TokenCredential instances