| Title: | Credential Chain for Seamless 'OAuth 2.0' Authentication to 'Azure Services' |
|---|---|
| Description: | Implements a credential chain for 'Azure OAuth 2.0' authentication based on the package 'httr2''s 'OAuth' framework. Sequentially attempts authentication methods until one succeeds. During development allows interactive browser-based flows ('Device Code' and 'Auth Code' flows) and non-interactive flow ('Client Secret') in batch mode. |
| Authors: | Pedro Baltazar [aut, cre] |
| Maintainer: | Pedro Baltazar <[email protected]> |
| License: | MIT + file LICENSE |
| Version: | 0.3.4 |
| Built: | 2026-05-14 12:28:45 UTC |
| Source: | https://github.com/pedrobtz/azr |
An R6 class that provides a base HTTP client for interacting with Azure APIs. This client handles authentication, request building, retry logic, logging, and error handling for Azure API requests.
The api_client class is designed to be a base class for Azure service-specific
clients. It provides:
Automatic authentication using Azure credentials
Configurable retry logic with exponential backoff
Request and response logging
JSON, XML, and HTML content type handling
Standardized error handling
.host_url: Base URL for the API
.base_req: Base httr2 request object
.provider: Credential provider R6 object
.credentials: Credentials function for authentication
.options: Request options (timeout, connecttimeout, max_tries)
.response_handler: Optional callback function to process response content
new()
Create a new API client instance
api_client$new( host_url, provider = NULL, credentials = NULL, timeout = 60L, connecttimeout = 30L, max_tries = 5L, response_handler = NULL )
host_url: A character string specifying the base URL for the API (e.g., "https://management.azure.com").
provider: An R6 credential provider object that inherits from the Credential or DefaultCredential class. If provided, the credential's req_auth method will be used for authentication. Takes precedence over credentials.
credentials: A function that adds authentication to requests. If both provider and credentials are NULL, uses default_non_auth(). The function should accept an httr2 request object and return a modified request with authentication.
timeout: An integer specifying the request timeout in seconds. Defaults to 60.
connecttimeout: An integer specifying the connection timeout in seconds. Defaults to 30.
max_tries: An integer specifying the maximum number of retry attempts for failed requests. Defaults to 5.
response_handler: An optional function to process the parsed response content. The function should accept one argument (the parsed response) and return the processed content. If NULL, uses default_response_handler() which converts data frames to data.table objects. Defaults to NULL.
A new api_client object
.fetch()
Make an HTTP request to the API
api_client$.fetch(
path,
...,
query = NULL,
body = NULL,
headers = NULL,
method = "get",
verbosity = 0L,
content = c("body", "headers", "response", "request"),
content_type = NULL
)
path: A character string specifying the API endpoint path. Supports rlang::englue() syntax for variable interpolation using named arguments passed via ....
...: Named arguments used for path interpolation with rlang::englue().
query: A named list of query parameters to append to the URL.
body: Request body data. Sent as JSON in the request body. Can be a list or character string (JSON).
headers: A named list of additional HTTP headers to include in the request.
method: A character string specifying the HTTP method. One of "get", "post", "put", "patch", or "delete". Defaults to "get".
verbosity: An integer specifying the verbosity level for request debugging (passed to httr2::req_perform()). Defaults to 0.
content: A character string specifying what to return. One of:
"body" (default): Return the parsed response body
"headers": Return response headers
"response": Return the full httr2 response object
"request": Return the prepared request object without executing it
content_type: A character string specifying how to parse the response body. If NULL, uses the response's Content-Type header. Common values: "application/json", "application/xml", "text/html".
Depends on the content parameter:
"body": Parsed response body (list, data.frame, or character)
"headers": List of response headers
"response": Full httr2::response() object
"request": httr2::request() object
.resp_content()
Extract content from a response object
api_client$.resp_content(resp, content, content_type = NULL)
resp: An httr2::response() object
content: A character string specifying what to return. One of:
"body": Return the parsed response body
"headers": Return response headers
"response": Return the full httr2 response object
content_type: A character string specifying how to parse the response body. Only used when content = "body". If NULL, uses the response's Content-Type header.
Depends on the content parameter:
"body": Parsed response body (list, data.frame, or character)
"headers": List of response headers
"response": Full httr2::response() object
.build_request()
Build an HTTP request object
api_client$.build_request( path, ..., query = NULL, body = NULL, headers = NULL, method = "get" )
path: A character string specifying the API endpoint path. Supports rlang::englue() syntax for variable interpolation using named arguments passed via ....
...: Named arguments used for path interpolation with rlang::englue().
query: A named list of query parameters to append to the URL.
body: Request body data. Sent as JSON in the request body. Can be a list or character string (JSON).
headers: A named list of additional HTTP headers to include in the request.
method: A character string specifying the HTTP method. One of "get", "post", "put", "patch", or "delete". Defaults to "get".
An httr2::request() object ready for execution
.send_request()
Perform an HTTP request and log the results
api_client$.send_request(req, verbosity)
req: An httr2::request() object to execute
verbosity: An integer specifying the verbosity level for request debugging (passed to httr2::req_perform()). Defaults to 0.
An httr2::response() object containing the API response
.resp_body_content()
Extract and parse response content
api_client$.resp_body_content(resp, content_type = NULL)
resp: An httr2::response() object
content_type: A character string specifying how to parse the response body. If NULL, uses the response's Content-Type header. Common values: "application/json", "application/xml", "text/html".
Parsed response body. Format depends on content type:
JSON: List or data.frame
XML: xml2 document
HTML: xml2 document
Other: Character string
.get_token()
Get authentication token from the credential provider
api_client$.get_token()
An httr2::oauth_token() object if a provider is available,
otherwise returns NULL with a warning.
clone()
The objects of this class are cloneable with this method.
api_client$clone(deep = FALSE)
deep: Whether to make a deep clone.

```r
## Not run:
# Create a client with default credentials
client <- api_client$new(
  host_url = "https://management.azure.com"
)

# Create a client with a credential provider
cred_provider <- get_credential_provider(
  scope = "https://management.azure.com/.default"
)
client <- api_client$new(
  host_url = "https://management.azure.com",
  provider = cred_provider
)

# Create a client with custom credentials function
client <- api_client$new(
  host_url = "https://management.azure.com",
  credentials = my_credential_function,
  timeout = 120,
  max_tries = 3
)

# Create a client with custom response handler
custom_handler <- function(content) {
  # Custom processing logic - e.g., keep data frames as-is
  content
}
client <- api_client$new(
  host_url = "https://management.azure.com",
  response_handler = custom_handler
)

# Make a GET request
response <- client$.fetch(
  path = "/subscriptions/{subscription_id}/resourceGroups",
  subscription_id = "my-subscription-id",
  query = list(`api-version` = "2021-04-01"),
  method = "get"
)
## End(Not run)
```
An R6 class that wraps an api_client and adds an additional path segment
(like "beta" or "v1.0") to all requests. This is useful for APIs that version
their endpoints or have different API surfaces under different paths.
The api_resource class creates a modified base request by appending an
endpoint path to the client's base request. All subsequent API calls through
this resource will automatically include this path prefix.
.client: The cloned api_client instance with modified base_req
new()
Create a new API resource instance
api_resource$new(client, endpoint)
client: An api_client object that provides the base HTTP client functionality. This will be cloned to avoid modifying the original.
endpoint: A character string specifying the API endpoint or path segment to append (e.g., "v1.0", "beta").
A new api_resource object
clone()
The objects of this class are cloneable with this method.
api_resource$clone(deep = FALSE)
deep: Whether to make a deep clone.

```r
## Not run:
# Create a client
client <- api_client$new(
  host_url = "https://graph.microsoft.com"
)

# Create a resource with v1.0 API endpoint
resource_v1 <- api_resource$new(
  client = client,
  endpoint = "v1.0"
)

# Create a resource with beta API endpoint
resource_beta <- api_resource$new(
  client = client,
  endpoint = "beta"
)

# Make requests - the endpoint is automatically prepended
response <- resource_v1$.fetch(
  path = "/me",
  method = "get"
)
## End(Not run)
```
Base R6 class for creating API service wrappers. This class provides a foundation for building service-specific API clients with authentication, endpoint management, and configuration.
.client: An api_client instance for making API requests
new()
Create a new API service instance
api_service$new( client = NULL, chain = NULL, endpoints = list(), config = list() )
client: An api_client instance. If NULL, a new client will be created.
chain: A credential_chain instance for authentication. Optional.
endpoints: A named list where names are endpoint paths (e.g., "v1.0", "beta") and values are R6 class objects (not instances) to use for creating resources. Defaults to an empty list. If the value is NULL, api_resource will be used.
config: A list of configuration options. Defaults to an empty list.
A new api_service object
An R6 class that extends api_client to provide specialized methods for Azure Data Lake Storage Gen2 (ADLS Gen2) REST API operations.
The base URL is constructed as:
https://{storageaccount}.{endpoint_suffix}
azr::api_client -> api_storage_client
.filesystem: The filesystem (container) name
new()
Create a new Azure Storage API client instance
api_storage_client$new(
storageaccount,
filesystem,
scope = default_azure_scope("azure_storage"),
endpoint_suffix = default_storage_endpoint(),
provider = NULL,
chain = NULL,
tenant_id = NULL,
...
)
storageaccount: A character string specifying the Azure Storage account name.
filesystem: A character string specifying the filesystem (container) name.
scope: A character string specifying the OAuth2 scope. Defaults to default_azure_scope("azure_storage").
endpoint_suffix: A character string specifying the Azure Storage DFS endpoint suffix. Defaults to default_storage_endpoint().
provider: An optional credential provider object that inherits from Credential or DefaultCredential. If provided, chain is ignored.
chain: A credential_chain instance for authentication. If NULL, a default credential chain will be created using DefaultCredential.
tenant_id: A character string specifying the Azure tenant ID. Passed to DefaultCredential when chain is NULL.
...: Additional arguments passed to the parent api_client constructor.
A new api_storage_client object
download_file()
Download a file from the filesystem
api_storage_client$download_file(path, dest = NULL)
path: A character string specifying the file path within the filesystem.
dest: A character string specifying the local destination path. Defaults to a temporary file via tempfile().
The local path the file was written to (invisibly).
get_access_control()
Get the access control list (ACL) for a file or directory
api_storage_client$get_access_control(dataset, upn = FALSE)
dataset: A character string specifying the file or directory path within the filesystem.
upn: A logical value. If TRUE, user principal names (UPN) are returned in the x-ms-owner, x-ms-group, and x-ms-acl response headers instead of object IDs. Defaults to FALSE.
A data.frame with columns group_id and permission, one row per
named group entry in the x-ms-acl response header.
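The named-group extraction described for get_access_control(), as an added example that is not the package's own code: it parses a constructed x-ms-acl header value into the group_id and permission columns and goes one step further by applying the ACL mask to show each group's effective permission. The helper names parse_acl, apply_mask and named_groups are hypothetical, and the object IDs are made up.

```r
# Constructed x-ms-acl header value: comma-separated entries of the form
# [default:]type:id:permission, where an empty id means the owning user/group.
acl_header <- paste(
  "user::rwx",
  "user:aaaaaaaa-0000-0000-0000-000000000001:r-x",
  "group::r-x",
  "group:bbbbbbbb-0000-0000-0000-000000000002:rwx",
  "group:bbbbbbbb-0000-0000-0000-000000000003:r--",
  "mask::r-x",
  "other::---",
  "default:user::rwx",
  "default:group::r-x",
  "default:group:bbbbbbbb-0000-0000-0000-000000000002:rwx",
  "default:mask::rwx",
  "default:other::---",
  sep = ","
)

# Split the header into one row per ACL entry.
parse_acl <- function(header) {
  aces <- trimws(strsplit(header, ",", fixed = TRUE)[[1]])
  rows <- lapply(aces, function(ace) {
    parts <- strsplit(ace, ":", fixed = TRUE)[[1]]
    is_default <- parts[1] == "default"
    if (is_default) parts <- parts[-1]
    if (length(parts) != 3) stop("malformed ACL entry: ", ace)
    data.frame(default = is_default, type = parts[1], id = parts[2],
               permission = parts[3], stringsAsFactors = FALSE)
  })
  do.call(rbind, rows)
}

# A permission bit is effective only if the mask grants it too.
apply_mask <- function(perm, mask) {
  p <- strsplit(perm, "")[[1]]
  m <- strsplit(mask, "")[[1]]
  paste(ifelse(p == m, p, "-"), collapse = "")
}

# Named group entries (type "group" with a non-empty id) for the access ACL,
# or for the default ACL inherited by new children when default = TRUE.
named_groups <- function(acl, default = FALSE) {
  part <- acl[acl$default == default, ]
  mask <- part$permission[part$type == "mask"]
  groups <- part[part$type == "group" & nzchar(part$id), ]
  out <- data.frame(group_id = groups$id, permission = groups$permission,
                    stringsAsFactors = FALSE)
  out$effective <- if (length(mask) == 1) {
    vapply(out$permission, apply_mask, character(1), mask = mask,
           USE.NAMES = FALSE)
  } else {
    out$permission
  }
  out$can_write <- substr(out$effective, 2, 2) == "w"
  out
}

acl <- parse_acl(acl_header)

# Access ACL: the mask removes write from the first named group.
print(named_groups(acl))

# Default ACL: entries that still carry write are the ones to review,
# because every new child of the directory inherits them.
inherited <- named_groups(acl, default = TRUE)
print(inherited[inherited$can_write, c("group_id", "effective")])
```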
list_files()
List files and directories in a path
api_storage_client$list_files(path = "", recursive = FALSE, ...)
path: A character string specifying the directory path to list. Use empty string or NULL for the root directory. Defaults to "".
recursive: A logical value indicating whether to list files recursively. Defaults to FALSE.
...: Additional query parameters to pass to the API.
A data.frame (or data.table if available) containing file and directory information with columns such as name, contentLength, lastModified, etc.
clone()
The objects of this class are cloneable with this method.
api_storage_client$clone(deep = FALSE)
deep: Whether to make a deep clone.

```r
## Not run:
# Create a storage client
storage <- api_storage_client$new(
  storageaccount = "mystorageaccount",
  filesystem = "mycontainer"
)

# List files in the root directory
files <- storage$list_files()

# List files in a specific path
files <- storage$list_files(path = "data/folder1")

# List files recursively
files <- storage$list_files(path = "data", recursive = TRUE)
## End(Not run)
```
Authenticates a user through the OAuth 2.0 authorization code flow. This flow opens a web browser for the user to sign in.
The authorization code flow is the standard OAuth 2.0 flow for interactive authentication. It requires a web browser and is suitable for applications where the user can interact with a browser window.
The credential supports token caching to avoid repeated authentication. Tokens can be cached to disk or in memory. A redirect URI is required for the OAuth flow to complete.
azr::Credential -> azr::InteractiveCredential -> AuthCodeCredential
new()
Create a new authorization code credential
AuthCodeCredential$new( scope = NULL, tenant_id = NULL, client_id = default_azure_cli_client_id(), use_cache = "disk", offline = TRUE, redirect_uri = default_redirect_uri(), interactive = TRUE, use_refresh_token = TRUE )
scope: A character string specifying the OAuth2 scope. Defaults to NULL.
tenant_id: A character string specifying the Azure Active Directory tenant ID. Defaults to NULL.
client_id: A character string specifying the application (client) ID. Defaults to the Azure CLI public client ID.
use_cache: A character string specifying the cache type. Use "disk" for disk-based caching or "memory" for in-memory caching. Defaults to "disk".
offline: A logical value indicating whether to request offline access (refresh tokens). Defaults to TRUE.
redirect_uri: A character string specifying the redirect URI registered with the application. Defaults to default_redirect_uri().
interactive: A logical value indicating whether this credential requires user interaction. Defaults to TRUE.
use_refresh_token: A logical value indicating whether to use the login flow (acquire tokens via refresh token exchange). Defaults to TRUE.
A new AuthCodeCredential object
clone()
The objects of this class are cloneable with this method.
AuthCodeCredential$clone(deep = FALSE)
deep: Whether to make a deep clone.

```r
# AuthCodeCredential requires an interactive session
## Not run:
# Create credential with default settings
cred <- AuthCodeCredential$new(
  tenant_id = "your-tenant-id",
  client_id = "your-client-id",
  scope = "https://management.azure.com/.default"
)

# Get an access token (will open browser for authentication)
token <- cred$get_token()

# Force reauthentication
token <- cred$get_token(reauth = TRUE)

# Use with httr2 request
req <- httr2::request("https://management.azure.com/subscriptions")
req <- cred$req_auth(req)
## End(Not run)
```
Retrieves information about the currently active Azure CLI account and
subscription. This function runs az account show and parses the JSON
output into an R list.
az_cli_account_show(timeout = 10L)
timeout |
An integer specifying the timeout in seconds for the Azure
CLI command. Defaults to |
The function returns details about the current Azure subscription including:
Subscription ID and name
Tenant ID
Account state (e.g., "Enabled")
User information
Cloud environment details
A list containing the account information from Azure CLI
Reads the MSAL token cache file (msal_token_cache.json) from the Azure
configuration directory and returns a matching access token as an
httr2::oauth_token() object.
az_cli_get_cached_token( scope = NULL, tenant_id = NULL, client_id = NULL, config_dir = default_azure_config_dir() )
scope |
A character string specifying the OAuth2 scope to filter tokens.
If |
tenant_id |
A character string specifying the tenant ID to filter tokens.
If |
client_id |
A character string specifying the client ID to filter tokens.
If |
config_dir |
A character string specifying the Azure configuration
directory. Defaults to |
The MSAL token cache is a JSON file maintained by the Azure CLI that stores access tokens and refresh tokens. This function reads cached access tokens directly from the file without invoking the Azure CLI, which can be useful in environments where the CLI is slow or unavailable but tokens have been previously cached.
When multiple tokens are found, the function selects the token that expires
latest. If scope is provided, only tokens matching that scope/resource are
returned.
An httr2::oauth_token() object containing:
access_token: The OAuth2 access token string
token_type: The type of token (typically "Bearer")
.expires_at: POSIXct timestamp when the token expires
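The selection rule described above, as an added example that is not the package's own implementation: it reads a constructed cache file, filters by scope, keeps the latest-expiring unexpired token, and reports only metadata. Assumptions: the field names (secret, target, realm, expires_on) follow the MSAL cache schema, scope matching is exact, expired entries are skipped, and all helper names are hypothetical; the file-mode check is meaningful on POSIX systems only.

```r
library(jsonlite)

# Constructed sample cache; every value below is made up.
now <- as.numeric(Sys.time())
entry <- function(secret, target, realm, offset) {
  list(credential_type = "AccessToken", secret = secret, token_type = "Bearer",
       client_id = "00000000-0000-0000-0000-0000000000aa",
       realm = realm, target = target,
       expires_on = as.character(round(now + offset)))
}
sample_cache <- list(AccessToken = list(
  a = entry("constructed-token-1", "https://management.azure.com/.default", "tenant-a", 600),
  b = entry("constructed-token-2", "https://management.azure.com/.default", "tenant-a", 3000),
  c = entry("constructed-token-3", "https://storage.azure.com/.default", "tenant-a", 3500),
  d = entry("constructed-token-4", "https://management.azure.com/.default", "tenant-b", -60)
))
cache_file <- tempfile(fileext = ".json")
write_json(sample_cache, cache_file, auto_unbox = TRUE)
# Deliberately too permissive so that the check at the end reports it.
Sys.chmod(cache_file, mode = "0644", use_umask = FALSE)

# Missing fields become NA instead of raising an error.
field <- function(e, name) {
  if (is.null(e[[name]])) NA_character_ else as.character(e[[name]])
}

# One row per cached access token; NULL when the cache holds none.
read_access_tokens <- function(path) {
  entries <- fromJSON(path, simplifyVector = FALSE)[["AccessToken"]]
  rows <- lapply(entries, function(e) {
    data.frame(
      client_id = field(e, "client_id"),
      tenant_id = field(e, "realm"),
      scopes = field(e, "target"),
      expires_at = as.POSIXct(as.numeric(field(e, "expires_on")),
                              origin = "1970-01-01", tz = "UTC"),
      secret = field(e, "secret"),
      stringsAsFactors = FALSE
    )
  })
  do.call(rbind, rows)
}

# Apply the optional filters, drop expired entries, keep the latest expiry.
select_token <- function(tokens, scope = NULL, tenant_id = NULL, client_id = NULL) {
  if (is.null(tokens)) return(NULL)
  keep <- tokens$expires_at > Sys.time()
  if (!is.null(scope)) {
    has_scope <- vapply(strsplit(tolower(tokens$scopes), " +"),
                        function(s) tolower(scope) %in% s, logical(1))
    keep <- keep & has_scope
  }
  if (!is.null(tenant_id)) keep <- keep & tokens$tenant_id == tenant_id
  if (!is.null(client_id)) keep <- keep & tokens$client_id == client_id
  keep[is.na(keep)] <- FALSE
  hits <- tokens[keep, , drop = FALSE]
  if (nrow(hits) == 0) return(NULL)
  hits[which.max(as.numeric(hits$expires_at)), , drop = FALSE]
}

# TRUE when no group/other permission bit is set (63 is octal 077).
cache_is_private <- function(path) {
  bitwAnd(as.integer(file.info(path)$mode), 63L) == 0L
}

tokens <- read_access_tokens(cache_file)
best <- select_token(tokens, scope = "https://management.azure.com/.default")

# Report metadata only; the secret column never reaches the console or logs.
print(best[, c("tenant_id", "scopes", "expires_at")])

if (!cache_is_private(cache_file)) {
  message("token cache is readable by group/other; restrict it to mode 0600")
}
unlink(cache_file)
```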
Retrieves an access token from Azure CLI using the az account get-access-token
command. This is a lower-level function that directly interacts with the Azure
CLI to obtain OAuth2 tokens.
az_cli_get_token(scope, tenant_id = NULL, timeout = 10L)
scope |
A character string specifying the OAuth2 scope for which to
request the access token (e.g., |
tenant_id |
A character string specifying the Azure Active Directory
tenant ID. If |
timeout |
A numeric value specifying the timeout in seconds for the
Azure CLI process. Defaults to |
This function executes the Azure CLI command and parses the JSON response to create an httr2 OAuth token object. The token includes the access token, token type, and expiration time.
An httr2::oauth_token() object containing:
access_token: The OAuth2 access token string
token_type: The type of token (typically "Bearer")
.expires_at: POSIXct timestamp when the token expires
Checks whether the user is currently logged in to Azure CLI by attempting to retrieve account information.
az_cli_is_login(timeout = 10L)
timeout |
A numeric value specifying the timeout in seconds for the
Azure CLI command. Defaults to |
A logical value: TRUE if the user is logged in, FALSE otherwise
Performs an interactive Azure CLI login using device code flow. Automatically captures the device code, copies it to the clipboard, and opens the browser for authentication.
az_cli_login(tenant_id = NULL, use_bridge = FALSE, verbose = FALSE)
tenant_id |
A character string specifying the Azure Active Directory
tenant ID to authenticate against. If |
use_bridge |
A logical value indicating whether to use the device code
bridge webpage. If |
verbose |
A logical value indicating whether to print detailed process
output to the console, including error messages from the Azure CLI process.
If |
This function runs az login --use-device-code, monitors the output
to extract the device code, copies it to the clipboard, and opens
the authentication URL in the default browser.
Invisibly returns the exit status (0 for success, non-zero for failure)
Logs out from Azure CLI by removing all stored credentials and account
information. This function runs az logout.
az_cli_logout()
After logging out, you will need to run az_cli_login() again to
authenticate and use Azure CLI credentials.
Invisibly returns NULL
Creates a configured client for the Microsoft Graph API with authentication and versioned endpoints (v1.0 and beta). This function returns an api_service object that provides access to Microsoft Graph resources through versioned endpoints.
azr_graph_client(scopes = ".default", ..., chain = NULL)
scopes |
A character string specifying the OAuth2 scope suffix to be appended
to the Graph API URL. Defaults to |
... |
Additional arguments passed to the api_client constructor. |
chain |
A credential_chain instance for authentication. If NULL, a default credential chain will be created using DefaultCredential. |
The function creates a Microsoft Graph service using these components:
api_client: A general-purpose API client configured with the Graph API
host URL (https://graph.microsoft.com) and authentication provider.
api_graph_resource: A specialized resource class that extends api_resource with Microsoft Graph-specific methods. Currently implements:
me(select = NULL): Fetch the current user's profile. The select parameter
accepts a character vector of properties to return (e.g., c("displayName", "mail")).
api_service: A service container that combines the client and resources
with versioned endpoints (v1.0 and beta). The service is locked using
lockEnvironment() to prevent modification after creation.
An api_service object configured for Microsoft Graph API with
v1.0 and beta endpoints. The object is locked using lockEnvironment() to
prevent modification after creation. Access endpoints via $v1.0 or $beta.
```r
## Not run:
# Create a Graph API client with default credentials
graph <- azr_graph_client()

# Fetch current user profile from v1.0 endpoint
me <- graph$v1.0$me()

# Fetch specific properties using OData $select
me <- graph$v1.0$me(select = c("displayName", "mail", "userPrincipalName"))

# Use beta endpoint for preview features
me_beta <- graph$beta$me(select = c("displayName", "mail"))

# Create with a custom credential chain
custom_chain <- credential_chain(
  AzureCLICredential$new(scope = "https://graph.microsoft.com/.default")
)
graph <- azr_graph_client(chain = custom_chain)

# Use specific scopes instead of .default
graph <- azr_graph_client(scopes = "User.Read Mail.Read")
## End(Not run)
```
A convenience wrapper around api_storage_client that creates a configured client for Azure Data Lake Storage Gen2 (ADLS Gen2) REST API operations.
azr_storage_client( storageaccount, filesystem, endpoint_suffix = default_storage_endpoint(), scope = default_azure_scope("azure_storage"), provider = NULL, chain = default_credential_chain(), tenant_id = default_azure_tenant_id(), ... )
storageaccount |
A character string specifying the Azure Storage account name. |
filesystem |
A character string specifying the filesystem (container) name. |
endpoint_suffix |
A character string specifying the Azure
Storage DFS endpoint suffix. Defaults to
|
scope |
A character string specifying the OAuth2 scope. Defaults to
|
provider |
An optional credential provider object that inherits from
|
chain |
A credential_chain instance for authentication. Defaults to
|
tenant_id |
A character string specifying the Azure tenant ID. Defaults to
|
... |
Additional arguments passed to the api_storage_client constructor. |
An api_storage_client object.
```r
## Not run:
# Create a storage client with default credentials
storage <- azr_storage_client(
  storageaccount = "mystorageaccount",
  filesystem = "mycontainer"
)

# Create a storage client with a specific tenant
storage <- azr_storage_client(
  storageaccount = "mystorageaccount",
  filesystem = "mycontainer",
  tenant_id = "00000000-0000-0000-0000-000000000000"
)
## End(Not run)
```
Authenticates using the Azure CLI (az) command-line tool. This credential
requires the Azure CLI to be installed and the user to be logged in via
az login.
The credential uses the az account get-access-token command to retrieve
access tokens. It will use the currently active Azure CLI account and
subscription unless a specific tenant is specified.
azr::Credential -> AzureCLICredential
interactive: Logical indicating whether to check login status and perform login if needed
.process_timeout: Timeout in seconds for Azure CLI command execution
new()
Create a new Azure CLI credential
AzureCLICredential$new( scope = NULL, tenant_id = NULL, process_timeout = NULL, interactive = FALSE, use_bridge = FALSE )
scope: A character string specifying the OAuth2 scope. Defaults to NULL, which uses the scope set during initialization.
tenant_id: A character string specifying the Azure Active Directory tenant ID. Defaults to NULL, which uses the default tenant from Azure CLI.
process_timeout: A numeric value specifying the timeout in seconds for the Azure CLI process. Defaults to 10.
interactive: A logical value indicating whether to check if the user is logged in and perform login if needed. Defaults to FALSE.
use_bridge: A logical value indicating whether to use the device code bridge webpage during login. If TRUE, launches an intermediate local webpage that displays the device code and facilitates copy-pasting before redirecting to the Microsoft device login page. Only used when interactive = TRUE. Defaults to FALSE.
A new AzureCLICredential object
get_token()
Get an access token from Azure CLI
AzureCLICredential$get_token(scope = NULL)
scope: A character string specifying the OAuth2 scope. If NULL, uses the scope specified during initialization.
An httr2::oauth_token() object containing the access token
req_auth()
Add authentication to an httr2 request
AzureCLICredential$req_auth(req, scope = NULL)
req: An httr2::request() object
scope: A character string specifying the OAuth2 scope. If NULL, uses the scope specified during initialization.
The request object with authentication header added
account_show()
Show the currently active Azure CLI account information
AzureCLICredential$account_show(timeout = NULL)
timeout: A numeric value specifying the timeout in seconds for the Azure CLI command. If NULL, uses the process timeout specified during initialization.
A list containing the account information from Azure CLI
login()
Perform Azure CLI login using device code flow
AzureCLICredential$login()
Invisibly returns the exit status (0 for success, non-zero for failure)
is_interactive()
Check if the credential requires user interaction
AzureCLICredential$is_interactive()
Logical indicating whether this credential is interactive
logout()
Log out from Azure CLI
AzureCLICredential$logout()
Invisibly returns NULL
clone()
The objects of this class are cloneable with this method.
AzureCLICredential$clone(deep = FALSE)
deep: Whether to make a deep clone.

```r
# Create credential with default settings
cred <- AzureCLICredential$new()

# Create credential with specific scope and tenant
cred <- AzureCLICredential$new(
  scope = "https://management.azure.com/.default",
  tenant_id = "your-tenant-id"
)

# To get a token or authenticate a request it is required that
# 'az login' is successfully executed, otherwise it will return an error.
## Not run:
# Get an access token
token <- cred$get_token()

# Use with httr2 request
req <- httr2::request("https://management.azure.com/subscriptions")
resp <- httr2::req_perform(cred$req_auth(req))
## End(Not run)
```
Creates the default chain of credentials to attempt for cached token retrieval. The credentials are tried in order until one returns a valid cached token. The default chain includes:
Authorization Code Credential - Cached tokens from browser-based authentication
Device Code Credential - Cached tokens from device code flow
Azure CLI Credential - Cached tokens from Azure CLI authentication
cached_token_credential_chain()
A credential_chain object containing the sequence of
credential providers to check for cached tokens.
CachedTokenCredential, credential_chain()
A credential class that retrieves tokens from the cache only, without triggering interactive authentication flows. This is useful for non-interactive sessions where you want to use previously cached tokens from DeviceCode or AuthCode credentials.
This credential attempts to retrieve cached tokens from a chain of interactive credentials (AuthCode and DeviceCode by default). It will not prompt for new authentication - it only returns tokens that are already cached.
This is particularly useful for:
Non-interactive R sessions (e.g., scheduled scripts, CI/CD)
Scenarios where you've previously authenticated interactively and want to reuse those cached tokens
.scope: Character string specifying the authentication scope.
.tenant_id: Character string specifying the tenant ID.
.client_id: Character string specifying the client ID.
.chain: List of credential classes to attempt for cached tokens.
provider: Lazily initialized credential provider
new()
Create a new CachedTokenCredential object
CachedTokenCredential$new( scope = NULL, tenant_id = NULL, client_id = NULL, chain = cached_token_credential_chain() )
scope: Optional character string specifying the authentication scope.
tenant_id: Optional character string specifying the tenant ID for authentication.
client_id: Optional character string specifying the client ID for authentication.
chain: A list of credential classes to attempt for cached tokens. Defaults to AuthCodeCredential and DeviceCodeCredential.
A new CachedTokenCredential object
get_token()
Get an access token from the cache
CachedTokenCredential$get_token()
An httr2::oauth_token() object containing the access token
req_auth()
Add authentication to an httr2 request
CachedTokenCredential$req_auth(req)
req: An httr2::request() object
The request object with authentication configured
clone()
The objects of this class are cloneable with this method.
CachedTokenCredential$clone(deep = FALSE)
deep: Whether to make a deep clone.
```r
## Not run: 
# Create credential with default settings
cred <- CachedTokenCredential$new(
  scope = "https://graph.microsoft.com/.default",
  tenant_id = "my-tenant-id"
)

# Get a cached token (will fail if no cached token exists)
token <- cred$get_token()

# Use with httr2 request
req <- httr2::request("https://graph.microsoft.com/v1.0/me")
req <- cred$req_auth(req)

## End(Not run)
```
Authenticates a service principal using a client ID and client secret. This credential is commonly used for application authentication in Azure.
The credential uses the OAuth 2.0 client credentials flow to obtain access tokens. It requires a registered Azure AD application with a client secret. The client secret should be stored securely and not hard-coded in scripts.
azr::Credential -> ClientSecretCredential
validate()
Validate the credential configuration
ClientSecretCredential$validate()
Checks that the client secret is provided and not NA or NULL. Calls the parent class validation method.
get_token()
Get an access token using client credentials flow
ClientSecretCredential$get_token()
An httr2::oauth_token() object containing the access token
req_auth()
Add OAuth client credentials authentication to an httr2 request
ClientSecretCredential$req_auth(req)
req: An httr2::request() object
The request object with OAuth client credentials authentication configured
clone()
The objects of this class are cloneable with this method.
ClientSecretCredential$clone(deep = FALSE)
deep: Whether to make a deep clone.
```r
# Create credential with client secret
cred <- ClientSecretCredential$new(
  tenant_id = "your-tenant-id",
  client_id = "your-client-id",
  client_secret = "your-client-secret",
  scope = "https://management.azure.com/.default"
)

# To get a token or authenticate a request it requires
# valid 'client_id' and 'client_secret' credentials,
# otherwise it will return an error.
## Not run: 
# Get an access token
token <- cred$get_token()

# Use with httr2 request
req <- httr2::request("https://management.azure.com/subscriptions")
resp <- httr2::req_perform(cred$req_auth(req))

## End(Not run)
```
Creates a custom chain of credential providers to attempt during authentication. Credentials are tried in the order they are provided until one successfully authenticates. This allows you to customize the authentication flow beyond the default credential chain.
credential_chain(...)
...: Named credential objects or credential classes. Each element should be a credential class (e.g.,
A credential_chain object containing the specified sequence
of credential providers.
default_credential_chain(), get_token_provider()
```r
# Create a custom chain with only non-interactive credentials
custom_chain <- credential_chain(
  client_secret = ClientSecretCredential,
  azure_cli = AzureCLICredential
)

# Use the custom chain to get a token
## Not run: 
token <- get_token(
  scope = "https://graph.microsoft.com/.default",
  chain = custom_chain
)

## End(Not run)
```
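The ClientSecretCredential description above asks that the client secret not be hard-coded, and a custom chain lets a batch job exclude the interactive flows. The following is an added example, not code from the azr package: `require_env()`, `batch_credential()` and `list_subscriptions()` are hypothetical helpers, and the environment variable names are the ones this page documents for the `default_azure_*()` functions.

```r
library(azr)

# Hypothetical helper (not part of azr): return a required environment
# variable, or stop. The error names the variable and never echoes a value.
require_env <- function(name) {
  value <- Sys.getenv(name, unset = NA_character_)
  if (is.na(value) || !nzchar(value)) {
    stop(sprintf("required environment variable %s is not set", name),
         call. = FALSE)
  }
  value
}

# Hypothetical helper: build a service-principal credential for batch use.
# tenant_id and client_id are required explicitly because the documented
# fallbacks ("common" and the public Azure CLI client ID) do not identify
# a service principal.
batch_credential <- function(scope = "https://management.azure.com/.default") {
  ClientSecretCredential$new(
    tenant_id = require_env("AZURE_TENANT_ID"),
    client_id = require_env("AZURE_CLIENT_ID"),
    client_secret = require_env("AZURE_CLIENT_SECRET"),
    scope = scope
  )
}

# A chain that contains no interactive credential, so a scheduled job
# fails with an error instead of waiting on a browser or device code prompt.
batch_chain <- credential_chain(client_secret = ClientSecretCredential)

# Hypothetical helper that performs the network calls; nothing is sent
# until it is invoked.
list_subscriptions <- function() {
  cred <- batch_credential()
  req <- httr2::request("https://management.azure.com/subscriptions")
  httr2::req_perform(cred$req_auth(req))
}

# The same inputs passed through get_token() with the restricted chain.
batch_token <- function(scope = "https://management.azure.com/.default") {
  get_token(
    scope = scope,
    tenant_id = require_env("AZURE_TENANT_ID"),
    client_id = require_env("AZURE_CLIENT_ID"),
    client_secret = require_env("AZURE_CLIENT_SECRET"),
    chain = batch_chain
  )
}
```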
Retrieves the Azure client ID in priority order:
AZURE_CLIENT_ID environment variable
Built-in fallback (Microsoft's public Azure CLI client ID)
default_azure_client_id()
A character string with the client ID
default_azure_client_id()
Retrieves the Azure client secret from the AZURE_CLIENT_SECRET environment
variable, or returns NA_character_ if not set.
default_azure_client_secret()
A character string with the client secret, or NA_character_ if not set
default_azure_client_secret()
Retrieves the Azure configuration directory from the AZURE_CONFIG_DIR
environment variable, or falls back to the platform-specific default.
default_azure_config_dir()
A character string with the Azure configuration directory path
default_azure_config_dir()
Retrieves the Azure authority host in priority order:
AZURE_AUTHORITY_HOST environment variable
Built-in fallback (login.microsoftonline.com)
default_azure_host()
A character string with the authority host URL
default_azure_host()
Creates an httr2::oauth_client() configured for Azure authentication.
default_azure_oauth_client( client_id = default_azure_client_id(), client_secret = NULL, name = NULL )
client_id: A character string specifying the client ID. Defaults to
client_secret: A character string specifying the client secret. Defaults to
name: A character string specifying the client name. Defaults to
An httr2::oauth_client() object
```r
client <- default_azure_oauth_client()
client <- default_azure_oauth_client(
  client_id = "my-client-id",
  client_secret = "my-secret"
)
```
Returns the default OAuth scope for a specified Azure resource.
default_azure_scope(resource = "azure_arm")
resource: A character string specifying the Azure resource. Must be one of:
A character string with the OAuth scope URL
```r
default_azure_scope()
default_azure_scope("azure_graph")
```
Retrieves the Azure tenant ID in priority order:
AZURE_TENANT_ID environment variable
Built-in fallback ("common")
default_azure_tenant_id()
A character string with the tenant ID
default_azure_tenant_id()
Constructs Azure OAuth 2.0 endpoint URLs for a given tenant and authority host.
default_azure_url( endpoint = NULL, oauth_host = default_azure_host(), tenant_id = default_azure_tenant_id() )
endpoint: A character string specifying which endpoint URL to return. Must be one of:
oauth_host: A character string specifying the Azure authority host. Defaults to
tenant_id: A character string specifying the tenant ID. Defaults to
If endpoint is specified, returns a character string with the URL.
If endpoint is NULL, returns a named list of all endpoint URLs.
```r
# Get all URLs
default_azure_url()

# Get specific endpoint
default_azure_url("token")

# Custom tenant
default_azure_url("authorize", tenant_id = "my-tenant-id")
```
Creates the default chain of credentials to attempt during authentication. The credentials are tried in order until one successfully authenticates. The default chain includes:
Client Secret Credential - Uses client ID and secret
Authorization Code Credential - Interactive browser-based authentication
Device Code Credential - Interactive device code flow
Azure CLI Credential - Uses credentials from Azure CLI
default_credential_chain()
A credential_chain object containing the default sequence of
credential providers.
credential_chain(), get_token_provider()
Retrieves the path to the federated identity token file from the
AZURE_FEDERATED_TOKEN_FILE environment variable, or returns NULL if
not set. Used by WorkloadIdentityCredential.
default_federated_token_file()
A character string with the file path, or NULL if not set
default_federated_token_file()
Returns the path to the MSAL token cache file shared by the Azure CLI and
Azure SDKs. Defaults to msal_token_cache.json inside the Azure config
directory (see default_azure_config_dir()).
default_msal_token_cache()
A character string with the path to the MSAL token cache file.
default_azure_config_dir(), write_msal_token()
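Because the file returned by default_msal_token_cache() holds cached tokens, its permissions are worth checking on shared hosts. The following added example is not part of azr: `audit_token_cache()` is a hypothetical helper that uses only base R, and the demo file is constructed in a temporary directory.

```r
# Hypothetical helper (not part of azr): report whether a token cache file
# grants any permission to group or other users.
audit_token_cache <- function(path) {
  result <- list(path = path, exists = file.exists(path),
                 mode = NA_character_, exposed = NA)
  if (!result$exists) {
    return(result)
  }
  if (.Platform$OS.type != "unix") {
    # POSIX mode bits are not meaningful here; review ACLs separately.
    return(result)
  }
  mode <- file.info(path)$mode                    # class "octmode"
  group_other <- strtoi("077", base = 8L)         # rwx bits for group + other
  result$mode <- format(mode)
  result$exposed <- bitwAnd(as.integer(mode), group_other) != 0L
  result
}

# Constructed demo: a temporary file stands in for the real cache.
if (.Platform$OS.type == "unix") {
  demo <- tempfile(fileext = ".json")
  writeLines("{}", demo)

  # Readable by group and other: flagged.
  Sys.chmod(demo, mode = "0644", use_umask = FALSE)
  loose <- audit_token_cache(demo)
  stopifnot(isTRUE(loose$exposed))

  # Owner-only: not flagged.
  Sys.chmod(demo, mode = "0600", use_umask = FALSE)
  tight <- audit_token_cache(demo)
  stopifnot(identical(tight$exposed, FALSE))

  unlink(demo)
}
```

To audit the real cache, call `audit_token_cache(azr::default_msal_token_cache())`.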
A pass-through credential function that performs no authentication. This function returns the request object unchanged, allowing API calls to be made without adding any authentication headers or tokens.
default_non_auth(req)
req: An
The same httr2::request() object, unmodified
Constructs a redirect URI for OAuth flows. If the provided URI doesn't have
a port, assigns a random port using httpuv::randomPort().
default_redirect_uri(redirect_uri = httr2::oauth_redirect_uri())
redirect_uri: A character string specifying the redirect URI. Defaults to
A character string with the redirect URI
default_redirect_uri()
Retrieves the Azure refresh token from the AZURE_REFRESH_TOKEN environment
variable, or returns NULL if not set.
default_refresh_token()
A character string with the refresh token, or NULL if not set
default_refresh_token()
Converts data.frame results in the parsed response to data.table objects
when the data.table package is available. Applied automatically by
api_client unless overridden via the response_handler argument.
default_response_handler(content)
content: Parsed response content from an API call.
The processed content, with any data.frame objects converted to
data.table if the data.table package is installed.
Returns the default endpoint suffix used to construct Azure Data Lake Storage Gen2 DFS URLs.
default_storage_endpoint()
A character string with the DFS endpoint suffix.
default_storage_endpoint()
An R6 class that provides lazy initialization of credential providers. The credential provider is created on first access using the default credential chain.
This class wraps the credential discovery process in an R6 object with
a lazily evaluated provider field. The provider is only created when
first accessed, using the same logic as get_token_provider().
.scope: Character string specifying the authentication scope.
.tenant_id: Character string specifying the tenant ID.
.client_id: Character string specifying the client ID.
.client_secret: Character string specifying the client secret.
.use_cache: Character string indicating the caching strategy.
.offline: Logical indicating whether to request offline access.
.chain: A credential chain object for authentication.
provider: Lazily initialized credential provider
new()
Create a new DefaultCredential object
DefaultCredential$new( scope = NULL, tenant_id = NULL, client_id = NULL, client_secret = NULL, use_cache = "disk", offline = TRUE, chain = default_credential_chain() )
scope: Optional character string specifying the authentication scope.
tenant_id: Optional character string specifying the tenant ID for authentication.
client_id: Optional character string specifying the client ID for authentication.
client_secret: Optional character string specifying the client secret for authentication.
use_cache: Character string indicating the caching strategy. Defaults to "disk". Options include "disk" for disk-based caching or "memory" for in-memory caching.
offline: Logical. If TRUE, adds 'offline_access' to the scope to request a 'refresh_token'. Defaults to TRUE.
chain: A list of credential objects, where each element must inherit from the Credential base class. Credentials are attempted in the order provided until get_token succeeds.
A new DefaultCredential object
get_token()
Get an access token using the credential chain
DefaultCredential$get_token()
An httr2::oauth_token() object containing the access token
req_auth()
Add authentication to an httr2 request
DefaultCredential$req_auth(req)
req: An httr2::request() object
The request object with authentication configured
clone()
The objects of this class are cloneable with this method.
DefaultCredential$clone(deep = FALSE)
deep: Whether to make a deep clone.
```r
# Create a DefaultCredential object
cred <- DefaultCredential$new(
  scope = "https://graph.microsoft.com/.default",
  tenant_id = "my-tenant-id"
)

## Not run: 
# Get a token (triggers lazy initialization)
token <- cred$get_token()

# Authenticate a request
req <- httr2::request("https://management.azure.com/subscriptions")
resp <- httr2::req_perform(cred$req_auth(req))

# Or access the provider directly
provider <- cred$provider

## End(Not run)
```
Authenticates a user through the device code flow. This flow is designed for devices that don't have a web browser or have input constraints.
The device code flow displays a code that the user must enter on another device with a web browser to complete authentication. This is ideal for CLI applications, headless servers, or devices without a browser.
The credential supports token caching to avoid repeated authentication. Tokens can be cached to disk or in memory.
azr::Credential -> azr::InteractiveCredential -> DeviceCodeCredential
new()
Create a new device code credential
DeviceCodeCredential$new( scope = NULL, tenant_id = NULL, client_id = default_azure_cli_client_id(), use_cache = "disk", offline = TRUE, interactive = TRUE, use_refresh_token = TRUE )
scope: A character string specifying the OAuth2 scope. Defaults to NULL.
tenant_id: A character string specifying the Azure Active Directory tenant ID. Defaults to NULL.
client_id: A character string specifying the application (client) ID. Defaults to the Azure CLI public client ID.
use_cache: A character string specifying the cache type. Use "disk" for disk-based caching or "memory" for in-memory caching. Defaults to "disk".
offline: A logical value indicating whether to request offline access (refresh tokens). Defaults to TRUE.
interactive: A logical value indicating whether this credential requires user interaction. Defaults to TRUE.
use_refresh_token: A logical value indicating whether to use the login flow (acquire tokens via refresh token exchange). Defaults to TRUE.
A new DeviceCodeCredential object
clone()
The objects of this class are cloneable with this method.
DeviceCodeCredential$clone(deep = FALSE)
deep: Whether to make a deep clone.
```r
# DeviceCodeCredential requires an interactive session
## Not run: 
# Create credential with default settings
cred <- DeviceCodeCredential$new()

# Get an access token (will prompt for 'device code' flow)
token <- cred$get_token()

# Force re-authentication
token <- cred$get_token(reauth = TRUE)

# Use with httr2 request
req <- httr2::request("https://management.azure.com/subscriptions")
req <- cred$req_auth(req)

## End(Not run)
```
Creates a function that retrieves authentication tokens and formats them as HTTP Authorization headers. This function handles credential discovery and returns a callable method that generates Bearer token headers when invoked.
get_credential_auth( scope = NULL, tenant_id = NULL, client_id = NULL, client_secret = NULL, use_cache = "disk", offline = TRUE, chain = default_credential_chain() )
scope: Optional character string specifying the authentication scope.
tenant_id: Optional character string specifying the tenant ID for authentication.
client_id: Optional character string specifying the client ID for authentication.
client_secret: Optional character string specifying the client secret for authentication.
use_cache: Character string indicating the caching strategy. Defaults to
offline: Logical. If
chain: A list of credential objects, where each element must inherit from the
A function that, when called, returns a named list with an
Authorization element containing the Bearer token, suitable for use
with httr2::req_headers().
get_token(), get_request_authorizer(), get_token_provider()
```r
## Not run: 
# Create an authentication function
auth_fn <- get_credential_auth(
  scope = "https://graph.microsoft.com/.default"
)

# Call it to get headers
auth_headers <- auth_fn()

# Use with httr2
req <- httr2::request("https://graph.microsoft.com/v1.0/me") |>
  httr2::req_headers(!!!auth_headers)

## End(Not run)
```
Discovers and returns an authenticated credential object from a chain of credential providers. This function attempts each credential in the chain until one successfully authenticates, returning the first successful credential object.
get_credential_provider( scope = NULL, tenant_id = NULL, client_id = NULL, client_secret = NULL, use_cache = "disk", offline = TRUE, oauth_host = NULL, oauth_endpoint = NULL, chain = NULL, interactive = TRUE, verbose = getOption("azr.verbose", FALSE) )
scope: Optional character string specifying the authentication scope.
tenant_id: Optional character string specifying the tenant ID for authentication.
client_id: Optional character string specifying the client ID for authentication.
client_secret: Optional character string specifying the client secret for authentication.
use_cache: Character string indicating the caching strategy. Defaults to
offline: Logical. If
oauth_host: Optional character string specifying the OAuth host URL.
oauth_endpoint: Optional character string specifying the OAuth endpoint.
chain: A list of credential objects, where each element must inherit from the
interactive: A logical value indicating whether interactive credentials are allowed. Defaults to
verbose: A logical value indicating whether to print verbose messages during credential discovery. Defaults to
A credential object that inherits from the Credential class and
has successfully authenticated.
get_token_provider(), get_request_authorizer(),
default_credential_chain()
```r
## Not run: 
# Get a credential provider with default settings
cred <- get_credential_provider(
  scope = "https://graph.microsoft.com/.default",
  tenant_id = "my-tenant-id"
)

# Use the credential to get a token
token <- cred$get_token()

## End(Not run)
```
Creates a request authorizer function that retrieves authentication credentials and returns a callable request authorization method. This function handles the credential discovery process and returns the request authentication method from the discovered credential object.
get_request_authorizer( scope = NULL, tenant_id = NULL, client_id = NULL, client_secret = NULL, use_cache = "disk", offline = TRUE, chain = default_credential_chain() )
scope: Optional character string specifying the authentication scope.
tenant_id: Optional character string specifying the tenant ID for authentication.
client_id: Optional character string specifying the client ID for authentication.
client_secret: Optional character string specifying the client secret for authentication.
use_cache: Character string indicating the caching strategy. Defaults to
offline: Logical. If
chain: A list of credential objects, where each element must inherit from the
A function that authorizes HTTP requests with appropriate credentials when called.
get_token_provider(), get_token()
```r
# In non-interactive sessions, this function will return an error if the
# environment is not set up with valid credentials. In an interactive session
# the user will be prompted to attempt one of the interactive authentication flows.
## Not run: 
req_auth <- get_request_authorizer(
  scope = "https://graph.microsoft.com/.default"
)
req <- req_auth(httr2::request("https://graph.microsoft.com/v1.0/me"))

## End(Not run)
```
Retrieves an authentication token using the default token provider. This is a convenience function that combines credential discovery and token acquisition in a single step.
get_token( scope = NULL, tenant_id = NULL, client_id = NULL, client_secret = NULL, use_cache = "disk", offline = TRUE, chain = default_credential_chain() )
scope: Optional character string specifying the authentication scope.
tenant_id: Optional character string specifying the tenant ID for authentication.
client_id: Optional character string specifying the client ID for authentication.
client_secret: Optional character string specifying the client secret for authentication.
use_cache: Character string indicating the caching strategy. Defaults to
offline: Logical. If
chain: A list of credential objects, where each element must inherit from the
An httr2::oauth_token() object.
get_token_provider(), get_request_authorizer()
```r
# In non-interactive sessions, this function will return an error if the
# environment is not set up with valid credentials. In an interactive session
# the user will be prompted to attempt one of the interactive authentication flows.
## Not run: 
token <- get_token(
  scope = "https://graph.microsoft.com/.default",
  tenant_id = "my-tenant-id",
  client_id = "my-client-id",
  client_secret = "my-secret"
)

## End(Not run)
```
Creates a token provider function that retrieves authentication credentials and returns a callable token getter. This function handles the credential discovery process and returns the token acquisition method from the discovered credential object.
get_token_provider( scope = NULL, tenant_id = NULL, client_id = NULL, client_secret = NULL, use_cache = "disk", offline = TRUE, chain = default_credential_chain() )
scope: Optional character string specifying the authentication scope.
tenant_id: Optional character string specifying the tenant ID for authentication.
client_id: Optional character string specifying the client ID for authentication.
client_secret: Optional character string specifying the client secret for authentication.
use_cache: Character string indicating the caching strategy. Defaults to
offline: Logical. If
chain: A list of credential objects, where each element must inherit from the
A function that retrieves and returns an authentication token when called.
get_request_authorizer(), get_token()
```r
# In non-interactive sessions, this function will return an error if the
# environment is not set up with valid credentials. In an interactive session
# the user will be prompted to attempt one of the interactive authentication flows.
## Not run: 
token_provider <- get_token_provider(
  scope = "https://graph.microsoft.com/.default",
  tenant_id = "my-tenant-id",
  client_id = "my-client-id",
  client_secret = "my-secret"
)
token <- token_provider()

## End(Not run)
```
Determines whether the current R session is running in a hosted environment such as Google Colab, VS Code, Kubernetes, or RStudio Server (non-localhost).
is_hosted_session()
This function checks for (in order):
Option override: if azr.hosted option is set, returns isTRUE() of its value
Google Colab: presence of the COLAB_RELEASE_TAG environment variable
VS Code: presence of the VSCODE_INJECTION or VSCODE_PROXY_URI environment variable
Kubernetes: presence of the KUBERNETES_SERVICE_HOST environment variable
RStudio Server: RSTUDIO_PROGRAM_MODE is "server" and
RSTUDIO_HTTP_REFERER does not contain "localhost"
A logical value: TRUE if running in a hosted session (Google Colab,
VS Code, Kubernetes, or remote RStudio Server), FALSE otherwise.
```r
if (is_hosted_session()) {
  message("Running in a hosted environment")
}
```
Authenticates using an existing refresh token. This credential is useful when you have obtained a refresh token through another authentication flow and want to use it to get new access tokens without interactive authentication.
The refresh token credential uses the OAuth 2.0 refresh token flow to obtain new access tokens. It requires a valid refresh token that was previously obtained through an interactive flow (e.g., authorization code or device code).
This is particularly useful for:
Non-interactive sessions where you have a pre-obtained refresh token
Long-running applications that need to refresh tokens automatically
Scenarios where you want to avoid repeated interactive authentication
azr::Credential -> RefreshTokenCredential
.refresh_token: Character string containing the refresh token.
new()
Create a new refresh token credential
RefreshTokenCredential$new( refresh_token = default_refresh_token(), scope = NULL, tenant_id = NULL, client_id = NULL )
refresh_token: A character string containing the refresh token. Defaults to default_refresh_token() which reads from the AZURE_REFRESH_TOKEN environment variable.
scope: A character string specifying the OAuth2 scope. Defaults to NULL.
tenant_id: A character string specifying the Azure Active Directory tenant ID. Defaults to NULL.
client_id: A character string specifying the application (client) ID. Defaults to NULL.
A new RefreshTokenCredential object
validate()
Validate the credential configuration
RefreshTokenCredential$validate()
Checks that the refresh token is provided and not NA or NULL. Calls the parent class validation method.
get_token()
Get an access token using the refresh token flow
RefreshTokenCredential$get_token()
An httr2::oauth_token() object containing the access token
req_auth()
Add OAuth refresh token authentication to an httr2 request
RefreshTokenCredential$req_auth(req)
req: An httr2::request() object
The request object with OAuth refresh token authentication configured
clone()
The objects of this class are cloneable with this method.
RefreshTokenCredential$clone(deep = FALSE)
deep: Whether to make a deep clone.

```r
## Not run:
# Create credential with a refresh token
cred <- RefreshTokenCredential$new(
  refresh_token = "your-refresh-token",
  scope = "https://management.azure.com/.default",
  tenant_id = "your-tenant-id",
  client_id = "your-client-id"
)

# Get an access token
token <- cred$get_token()

# Use with httr2 request
req <- httr2::request("https://management.azure.com/subscriptions")
resp <- httr2::req_perform(cred$req_auth(req))

## End(Not run)
```
Authenticates using Azure Workload Identity by reading a federated token from a file and exchanging it for an Azure AD access token. This is commonly used in Kubernetes environments (AKS) where a service account token is mounted into the pod.
The credential implements the OAuth 2.0 client credentials flow with a JWT
bearer assertion (client_assertion). It reads the federated identity token
from a file on each call to get_token() so that token rotation by the
runtime (e.g., Kubernetes) is automatically picked up.
The following environment variables are used when parameters are not provided:
AZURE_CLIENT_ID: Client (application) ID of the Azure AD application
AZURE_TENANT_ID: Azure AD tenant ID
AZURE_FEDERATED_TOKEN_FILE: Path to the file containing the federated token
azr::Credential -> WorkloadIdentityCredential
.token_file_path: Path to the file containing the federated identity token
new()
Create a new Workload Identity credential
WorkloadIdentityCredential$new( scope = NULL, tenant_id = Sys.getenv(environment_variables$azure_tenant_id, unset = NA_character_), client_id = Sys.getenv(environment_variables$azure_client_id, unset = NA_character_), token_file_path = default_federated_token_file() )
scope: A character string specifying the OAuth2 scope. Defaults to the Azure Resource Manager scope.
tenant_id: A character string specifying the Azure AD tenant ID. Defaults to the AZURE_TENANT_ID environment variable.
client_id: A character string specifying the client (application) ID. Defaults to the AZURE_CLIENT_ID environment variable.
token_file_path: A character string specifying the path to the file containing the federated identity token. Defaults to the AZURE_FEDERATED_TOKEN_FILE environment variable.
A new WorkloadIdentityCredential object
validate()
Validate the credential configuration
WorkloadIdentityCredential$validate()
Checks that token_file_path is provided and not NA. Calls the parent
class validation method.
get_token()
Get an access token by exchanging the federated token
WorkloadIdentityCredential$get_token()
Returns a valid in-object cached token immediately if one exists. Otherwise reads the federated token from the file and exchanges it for a new access token so that token rotation performed by the runtime is automatically reflected.
An httr2::oauth_token() object containing the access token
req_auth()
Add authentication to an httr2 request
WorkloadIdentityCredential$req_auth(req)
req: An httr2::request() object
The request object with a Bearer token authorization header
clone()
The objects of this class are cloneable with this method.
WorkloadIdentityCredential$clone(deep = FALSE)
deep: Whether to make a deep clone.

```r
## Not run:
# Create credential using environment variables
# (requires AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE)
cred <- WorkloadIdentityCredential$new(
  scope = "https://management.azure.com/.default"
)

# Or supply parameters directly
cred <- WorkloadIdentityCredential$new(
  tenant_id = "your-tenant-id",
  client_id = "your-client-id",
  token_file_path = "/var/run/secrets/azure/tokens/azure-identity-token",
  scope = "https://management.azure.com/.default"
)

# Get an access token
token <- cred$get_token()

# Use with httr2 request
req <- httr2::request("https://management.azure.com/subscriptions")
resp <- httr2::req_perform(cred$req_auth(req))

## End(Not run)
```
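The exchange that WorkloadIdentityCredential is described as performing, written out as an added example (not azr's own code): read the federated token from its file, inspect its unverified claims, and build the client-assertion form request with httr2. The helper names, the public-cloud authority host `login.microsoftonline.com`, and the sample token (constructed and unsigned) are assumptions.

```r
library(httr2)
library(jsonlite)

# Decode the JWT payload for diagnostics only; the signature is NOT verified here.
jwt_claims <- function(jwt) {
  parts <- strsplit(jwt, ".", fixed = TRUE)[[1]]
  if (length(parts) != 3L) stop("federated token is not a compact JWT")
  fromJSON(rawToChar(base64url_dec(parts[2])))
}

# Re-read the token file on every call so runtime rotation is picked up.
read_federated_token <- function(path, now = as.numeric(Sys.time())) {
  if (is.na(path) || !file.exists(path)) stop("federated token file not found")
  jwt <- trimws(paste(readLines(path, warn = FALSE), collapse = ""))
  claims <- jwt_claims(jwt)
  if (!is.null(claims$exp) && claims$exp <= now) stop("federated token has expired")
  list(jwt = jwt, claims = claims)
}

# Client credentials grant with the federated token as client_assertion.
build_exchange_request <- function(tenant_id, client_id, scope, jwt) {
  url <- sprintf("https://login.microsoftonline.com/%s/oauth2/v2.0/token", tenant_id)
  req_body_form(
    request(url),
    grant_type = "client_credentials",
    client_id = client_id,
    scope = scope,
    client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
    client_assertion = jwt
  )
}

# Constructed, unsigned sample token written to a temp file (no issuer accepts it).
enc <- function(x) base64url_enc(as.character(toJSON(x, auto_unbox = TRUE)))
sample_jwt <- paste(
  enc(list(alg = "none", typ = "JWT")),
  enc(list(iss = "https://issuer.example", sub = "system:serviceaccount:ns:sa",
           aud = "api://AzureADTokenExchange", exp = round(as.numeric(Sys.time())) + 600)),
  "constructed-signature", sep = "."
)
path <- tempfile()
writeLines(sample_jwt, path)

tok <- read_federated_token(path)
str(tok$claims[c("iss", "sub", "aud")])   # log identity claims, never the token itself
req <- build_exchange_request("your-tenant-id", "your-client-id",
                              "https://management.azure.com/.default", tok$jwt)
print(req)   # httr2::req_perform(req) would send it
```

Comparing `iss`, `sub` and `aud` against the federated credential configured on the Azure AD application is the quickest way to diagnose a rejected exchange.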
Writes an httr2::oauth_token() object into the MSAL token cache JSON file
(msal_token_cache.json) shared by the Azure SDK and Azure CLI. The
resulting entry is readable by other Azure tools (Python SDK, Azure CLI,
and the rest of this package via az_cli_get_cached_token()).
write_msal_token(token, cache_file = default_msal_token_cache())
token: An httr2::oauth_token() object.
cache_file: Path to the MSAL token cache JSON file. Defaults to default_msal_token_cache().
The function adds or overwrites AccessToken, RefreshToken (when the
token carries a refresh token), Account, and AppMetadata sections.
Existing entries for other accounts or clients are preserved.
The home_account_id follows the MSAL convention
"<object_id>.<tenant_id>" where object_id is the Azure AD OID of the
authenticated principal. Cache entry keys are built in the same format used
by the Azure CLI and MSAL Python:
AccessToken: <home_account_id>-<environment>-accesstoken-<client_id>-<realm>-<target>
RefreshToken: <home_account_id>-<environment>-refreshtoken-<client_id>--
Account: <home_account_id>-<environment>-<realm>
AppMetadata: appmetadata-<environment>-<client_id>
Invisibly returns the path to the cache file.
az_cli_get_cached_token(), httr2::oauth_token()
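An added example (not part of azr): an audit helper that summarises an MSAL cache by section, checks every entry key against the four formats listed above, and reports which entries hold a secret or have expired without returning the secret itself. The entry field names `secret` and `expires_on` are assumed from the MSAL cache schema, the helper names are hypothetical, and the sample cache is constructed.

```r
library(jsonlite)

# Missing fields become "" so key segments keep their positions.
field <- function(e, n) if (is.null(e[[n]])) "" else as.character(e[[n]])

# Rebuild the key an entry should have, per the four formats listed above.
expected_key <- function(section, e) {
  f <- function(n) field(e, n)
  switch(section,
    AccessToken  = paste(f("home_account_id"), f("environment"), "accesstoken",
                         f("client_id"), f("realm"), f("target"), sep = "-"),
    RefreshToken = paste(f("home_account_id"), f("environment"), "refreshtoken",
                         f("client_id"), "", "", sep = "-"),
    Account      = paste(f("home_account_id"), f("environment"), f("realm"), sep = "-"),
    AppMetadata  = paste("appmetadata", f("environment"), f("client_id"), sep = "-")
  )
}

# Summarise a cache without returning "secret" values (field names assumed from MSAL's schema).
audit_msal_cache <- function(json, now = as.numeric(Sys.time())) {
  cache <- fromJSON(json, simplifyVector = FALSE)
  rows <- list()
  for (s in intersect(c("AccessToken", "RefreshToken", "Account", "AppMetadata"), names(cache))) {
    for (k in names(cache[[s]])) {
      e <- cache[[s]][[k]]
      rows[[length(rows) + 1L]] <- data.frame(
        section = s,
        client_id = field(e, "client_id"),
        # Case-insensitive compare (assumption: MSAL writers lower-case keys).
        key_ok = identical(tolower(k), tolower(expected_key(s, e))),
        holds_secret = !is.null(e$secret),
        expired = if (is.null(e$expires_on)) NA else as.numeric(e$expires_on) <= now
      )
    }
  }
  do.call(rbind, rows)
}

# Constructed sample cache; ids and secrets are placeholders.
sample_cache <- '{
 "AccessToken": {"oid-1.tid-1-login.microsoftonline.com-accesstoken-cid-1-tid-1-https://management.azure.com/.default":
   {"secret": "CONSTRUCTED", "home_account_id": "oid-1.tid-1", "environment": "login.microsoftonline.com",
    "client_id": "cid-1", "realm": "tid-1", "target": "https://management.azure.com/.default",
    "expires_on": "1700000000"}},
 "RefreshToken": {"oid-1.tid-1-login.microsoftonline.com-refreshtoken-cid-1--":
   {"secret": "CONSTRUCTED", "home_account_id": "oid-1.tid-1", "environment": "login.microsoftonline.com",
    "client_id": "cid-1"}}
}'
print(audit_msal_cache(sample_cache))
```

A RefreshToken row with `holds_secret = TRUE` marks a long-lived credential stored in the shared cache file, so that file's permissions deserve the same care as any other secret store.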