Authenticate with Azure AD

You can authenticate the Python SDK with Azure AD by using a token retrieved when a user authenticates or with a static client secret for long-running jobs like extractors.

Prerequisites

If you don't know which values to use for these variables, contact your CDF administrator or Cognite Support.

Authenticate with user credentials

You can authenticate the Python SDK with Azure AD by using a token retrieved with user credentials.

Authenticate with interactive login and token refresh

Use this flow to authenticate with user credentials using the Microsoft Authentication Library (MSAL) and a token refresh.

Reuse the same PublicClientApplication instance, and give a Callable to the CogniteClient so that the SDK asks for a new token on each request. The token is served from a memory cache and refreshed when needed, without requiring a user login or device code for the refresh.

NOTE

To use this flow with the code sample below, make sure the app is registered in Azure AD as the type Mobile and desktop applications with http://localhost:53000 as the Redirect URI.

Code sample: sample_interactive_login_token_refresh.py
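
The sketch below shows the token-callable pattern described above. It is an added example, not the contents of sample_interactive_login_token_refresh.py and not Cognite's own code. The names make_token_provider, TokenError and FakePublicClientApp are hypothetical, and the fake app is a constructed stand-in so the block runs offline; in real use, pass one long-lived msal.PublicClientApplication instead.

```python
from typing import Callable, List

REDIRECT_PORT = 53000  # matches the redirect URI http://localhost:53000 in the note above


class TokenError(RuntimeError):
    """Hypothetical error type: Azure AD returned no access token."""


def make_token_provider(app, scopes: List[str]) -> Callable[[], str]:
    """Return a zero-argument callable that yields a current access token.

    `app` must be a single reused PublicClientApplication: its in-memory
    cache holds the refresh token that makes silent renewal possible.
    """
    def get_token() -> str:
        result = None
        accounts = app.get_accounts()
        if accounts:
            # Served from the cache, or silently renewed with the refresh token.
            result = app.acquire_token_silent(scopes, account=accounts[0])
        if not result:
            # First call, or the cache cannot be renewed: browser login.
            result = app.acquire_token_interactive(scopes=scopes, port=REDIRECT_PORT)
        if "access_token" not in result:
            # Fail closed and surface the error code only, never token material.
            raise TokenError(result.get("error", "unknown_error"))
        return result["access_token"]
    return get_token


class FakePublicClientApp:
    """Constructed stand-in for msal.PublicClientApplication (offline demo only)."""
    def __init__(self):
        self.interactive_logins = 0
        self._account = None
    def get_accounts(self):
        return [self._account] if self._account else []
    def acquire_token_silent(self, scopes, account=None):
        return {"access_token": "cached-token"}
    def acquire_token_interactive(self, scopes, port=None):
        self.interactive_logins += 1
        self._account = {"username": "user@example.com"}  # constructed account
        return {"access_token": "fresh-token"}


if __name__ == "__main__":
    provider = make_token_provider(FakePublicClientApp(), ["constructed-scope/.default"])
    print(provider(), provider())  # the callable is what you give to the CogniteClient
```

Only the first call triggers a browser login; later calls are answered from the cache, which is why the application object must outlive individual requests.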

Authenticate with user credentials and device code

If a browser is not available, for example, if you are logged into a terminal, use this flow to authenticate with user credentials and use a device code to refresh the token.

NOTE

To use this flow, you need to select Allow public client flows under Authentication when registering the app in Azure AD.

Code sample: sample_device_code_token_refresh.py

Authenticate with client secret

The SDK supports client secrets directly: provide token_client_secret, token_client_id, token_url, and token_scopes to the CogniteClient. Use this flow for long-running jobs like extractors.

NOTE

Make sure that you have not set the COGNITE_API_KEY environment variable. It will override the token setup.

Code sample: sample_client_secret.py

Important

The token_url should follow the pattern https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token for Azure Active Directory, where $tenantId is the ID of the Azure AD tenant where the user is registered.