# hvSSKrSSKrSSKrSSKrSSKrSSKrSSKJr SSKJ r SSK J r J r SSK Jr SSKJr SSKJrJr SS KJr \R."\5r"S S \5r"S S \ 5r"SS\5r"SS\5r"SS\5r"SS\ 5r!Sr"Sr#\ "5r$\ "5r%\ "5r&\ "5r'\ "5r(\ "5r)Sr*Sr+S%Sjr,Sr-Sr.Sr/Sr0S\RbReS 5S!.r3"S"S#\5r4S$r5g)&N)urlparse)UserDict)OptionalUnion) TokenCache)_IndividualCache)ThrottledHttpClientBaseRetryAfterParser)_is_running_in_cloud_shellc\rSrSrSrg)ManagedIdentityErrorN__name__ __module__ __qualname____firstlineno____static_attributes__rG/var/www/html/env/lib/python3.13/site-packages/msal/managed_identity.pyrrrrc^\rSrSrSrSrSrSrSrSr Sr \S \S \ S 0r \ S 5r \ S 5r\ S5rSU4SjjrSrU=r$)ManagedIdentityz{Feed an instance of this class to :class:`msal.ManagedIdentityClient` to acquire token for the specified managed identity. ManagedIdentityIdTypeIdClientId ResourceIdObjectIdSystemAssigned client_id msi_res_id object_idc[U[5=(d) URU5=(d URU5$N) isinstanceris_system_assignedis_user_assignedclsunknowns ris_managed_identity#ManagedIdentity.is_managed_identity/s77O4-%%g.-##G, .rc[U[5=(d? [U[5=(a( URUR5UR :H$r')r(SystemAssignedManagedIdentitydictgetID_TYPESYSTEM_ASSIGNEDr+s rr)"ManagedIdentity.is_system_assigned5sD'#@AA w % @ CKK(C,?,?? Arc[U[5=(da [U[5=(aJ URUR5UR ;=(a URUR 5$r')r(UserAssignedManagedIdentityr2r3r4_types_mappingIDr+s rr* ManagedIdentity.is_user_assigned;sV'#>?% w % $ CKK(C,>,>> $ CFF# %rc\>[[U] URUURU05 gr')superr__init__r4r:)self identifierid_type __class__s rr>ManagedIdentity.__init__Bs) ot- LL' GGZ/  rr)NN)rrrr__doc__r4r: CLIENT_ID RESOURCE_ID OBJECT_IDr5r9 classmethodr.r)r*r>r __classcell__rBs@rrrs&G BIKI&O ;\;N .. AA %%   rrc,^\rSrSrSrU4SjrSrU=r$)r1JzRepresent a system-assigned managed identity. It is equivalent to a Python dict of:: {"ManagedIdentityIdType": "SystemAssigned", "Id": None} or a JSON blob of:: {"ManagedIdentityIdType": "SystemAssigned", "Id": null} c<>[[U] URS9 g)N)rA)r=r1r>r5)r?rBs rr>&SystemAssignedManagedIdentity.__init__Us +T;DDXDX;YrrrrrrrDr>rrIrJs@rr1r1Js ZZrr1c8^\rSrSrSrSSSS.U4SjjrSrU=r$)r8Ya%Represent a user-assigned managed identity. Depends on the id you provided, the outcome is equivalent to one of the below:: {"ManagedIdentityIdType": "ClientId", "Id": "foo"} {"ManagedIdentityIdType": "ResourceId", "Id": "foo"} {"ManagedIdentityIdType": "ObjectId", "Id": "foo"} N)r# resource_idr%cF>U(a+U(d$U(d[[U] URUS9 gU(d+U(a$U(d[[U] URUS9 gU(d+U(d$U(a[[U] UR US9 g[ S5e)N)rAr@zPYou shall specify one of the three parameters: client_id, resource_id, object_id)r=r8r>rErFrGr)r?r#rRr%rBs rr>$UserAssignedManagedIdentity.__init__bs [ -t =9 > >{9 -t =(([ > B;9 -t =9 > >'45 5rrrOrJs@rr8r8Ys%)dd 5 5rr8c(^\rSrSrU4SjrSrU=r$)_ThrottledHttpClientrc >^[[T] "U40UD6 [TRU4Sj[ S5R S9"UR5Tlg)Nc >SRUSTR[URS55[URS55-55$)Nz"REQ {} hash={} 429/5xx/Retry-Afterrparamsdata)format_hashstrr3)funcargskwargsr?s r/_ThrottledHttpClient.__init__..wsK1U1\1\Q  8,-FJJv4F0GGI2r)mapping key_maker expires_in)r=rVr>IndividualCache_expiring_mappingr parser3)r? http_clientrarBs` rr>_ThrottledHttpClient.__init__ssP "D2;I&I"**(*00 oo r)r3)rrrrr>rrIrJs@rrVrVrs   rrVcz\rSrSrSrSurrSrSrSr SSS.S \ \ \ \ \44S jjrS rSS .S \S\\4SjjrSrg)ManagedIdentityClientaThis API encapsulates multiple managed identity back-ends: VM, App Service, Azure Automation (Runbooks), Azure Function, Service Fabric, and Azure Arc. It also provides token cache support. .. note:: Cloud Shell support is NOT implemented in this class. Since MSAL Python 1.18 in May 2022, it has been implemented in :func:`PublicClientApplication.acquire_token_interactive` via calling pattern ``PublicClientApplication(...).acquire_token_interactive(scopes=[...], prompt="none")``. That is appropriate, because Cloud Shell yields a token with delegated permissions for the end user who has signed in to the Azure Portal (like what a ``PublicClientApplication`` does), not a token with application permissions for an app. )Nmanaged_identity token_sourceidentity_providercacheN) token_cache http_cacherpc[RU5(d[SU35eXl[ [ U[ 5(a UROUUS9UlU=(d [5Ul g)amCreate a managed identity client. :param managed_identity: It accepts an instance of :class:`SystemAssignedManagedIdentity` or :class:`UserAssignedManagedIdentity`. They are equivalent to a dict with a certain shape, which may be loaded from a JSON configuration file or an env var. :param http_client: An http client object. For example, you can use ``requests.Session()``, optionally with exponential backoff behavior demonstrated in this recipe:: import msal, requests from requests.adapters import HTTPAdapter, Retry s = requests.Session() retries = Retry(total=3, backoff_factor=0.1, status_forcelist=[ 429, 500, 501, 502, 503, 504]) s.mount('https://', HTTPAdapter(max_retries=retries)) managed_identity = ... client = msal.ManagedIdentityClient(managed_identity, http_client=s) :param token_cache: Optional. It accepts a :class:`msal.TokenCache` instance to store tokens. It will use an in-memory token cache by default. :param http_cache: Optional. It has the same characteristics as the :paramref:`msal.ClientApplication.http_cache`. Recipe 1: Hard code a managed identity for your app:: import msal, requests client = msal.ManagedIdentityClient( msal.UserAssignedManagedIdentity(client_id="foo"), http_client=requests.Session(), ) token = client.acquire_token_for_client("resource") Recipe 2: Write once, run everywhere. If you use different managed identity on different deployment, you may use an environment variable (such as MY_MANAGED_IDENTITY_CONFIG) to store a json blob like ``{"ManagedIdentityIdType": "ClientId", "Id": "foo"}`` or ``{"ManagedIdentityIdType": "SystemAssigned", "Id": null}``. The following app can load managed identity configuration dynamically:: import json, os, msal, requests config = os.getenv("MY_MANAGED_IDENTITY_CONFIG") assert config, "An ENV VAR with value should exist" client = msal.ManagedIdentityClient( json.loads(config), http_client=requests.Session(), ) token = client.acquire_token_for_client("resource") zIncorrect managed_identity: )ruN) rr.r_managed_identityrVr(r rk _http_clientr _token_cache)r?rprkrtrus rr>ManagedIdentityClient.__init__swH223CDD&./?.@AC C!10k+BCC  # #IT! (7:<rchURc[R"5UlUR$r') _ManagedIdentityClient__instancesocketgetfqdn)r?s r _get_instance#ManagedIdentityClient._get_instances$ ?? "$nn.DOr)claims_challengeresourcerc SnURR[RS5n[R"5nU(dUR R UR RRU/[UUR5URSS9S9nUHn[US5U- nUS:aM[RS5 SUS S URS S 5S [U5URUR 0nS U;a%[US 5US '[US 5U:a OUs $ [#UR$URU5n SU ;aU RS S5nSU ;aUS:a[US- 5U S'UR R'[UU/SR)UR5UR5U 00S95 SU ;a[XYS-5U S 'UR*XR'U (aSU ;dU(dU $U$! U(deU$=f)aAcquire token for the managed identity. The result will be automatically cached. Subsequent calls will automatically search from cache first. :param resource: The resource for which the token is acquired. :param claims_challenge: Optional. It is a string representation of a JSON object (which contains lists of claims being requested). The tenant admin may choose to revoke all Managed Identity tokens, and then a *claims challenge* will be returned by the target resource, as a `claims_challenge` directive in the `www-authenticate` header, even if the app developer did not opt in for the "CP1" client capability. Upon receiving a `claims_challenge`, MSAL will skip a token cache read, and will attempt to acquire a new token. .. note:: Known issue: When an Azure VM has only one user-assigned managed identity, and your app specifies to use system-assigned managed identity, Azure VM may still return a token for your user-assigned identity. This is a service-side behavior that cannot be changed by this library. `Azure VM docs `_ N SYSTEM_ASSIGNED_MANAGED_IDENTITY)r# environmentrealmhome_account_id)targetquery expires_oni,zCache hit an AT access_tokensecret token_typeBearerrg refresh_oni refresh_ini z https://{}/{})r#scopetoken_endpointresponserZr[error)rwr3rr:timeryfindCredentialType ACCESS_TOKENr2r_tenantintloggerdebug _TOKEN_SOURCE_TOKEN_SOURCE_CACHE _obtain_tokenrxaddr\_TOKEN_SOURCE_IDP) r?rraccess_token_from_cacheclient_id_in_cachenowmatchesentryrgresults racquire_token_for_client.ManagedIdentityClient.acquire_token_for_clientsRD#'!3377    BDiik'',,!!00== z0 $ 2 2 4,,$( - G! |!45; $ ./"E(O %))L("C #j/&&(@(@ +'  5(F<(!!%%d0#*#2#9#9**,dll$<#' 6)+.sL5I/I+JF<(-1-C-C))*7&0:Q ;R '&  *+&&s C,H44 I) __instancerxrwry)rrrrrDr|rrrrrr2rr1r8r>rr^rrrrrrrnrns"3J"M+!W8   ) ' )W8r+/ Y'Y'#3- Y'Y'rrnc[U5nUR(a&SRURUR5$U$)Nz{}://{})rschemer\netloc)rus r_scope_to_resourcerSs2Axx!((33 LrcS[R;a'S[R;a[RS$[RS:Xa$[RR S5(dU[RS:XaC[RR [RR S55(aggg)NIDENTITY_ENDPOINT IMDS_ENDPOINTlinuxz/opt/azcmagent/bin/himdswin32z4${ProgramFiles}\AzureConnectedMachineAgent\himds.exez5http://localhost:40342/metadata/identity/oauth2/token)osenvironsysplatformpathexists expandvarsrrr_get_arc_endpointrZsbjj(_ -Jzz-.. BGGNN3M$N$N <<7 "rww~~bgg6H6H C7 ( ( G ( "rcS[R;a.S[R;aS[R;a[$S[R;aS[R;a[$S[R;aS[R;a[$[ 5(a[ $[5(a[$[$)zDetect the current environment and return the likely identity source. When this function returns ``CLOUD_SHELL``, you should use :func:`msal.PublicClientApplication.acquire_token_interactive` with ``prompt="none"`` to obtain a token. rIDENTITY_HEADERIDENTITY_SERVER_THUMBPRINT MSI_ENDPOINT MSI_SECRET) rrSERVICE_FABRIC APP_SERVICEMACHINE_LEARNINGr AZURE_ARCr CLOUD_SHELL DEFAULT_TO_VMrrrget_managed_identity_sourcerns rzz).?2::.M, :bjj(->"**-L#  (B!## rc6S[R;aS[R;arS[R;a^U(a[RS5 [ U[RS[RS[RSU5$S[R;aES[R;a1[ U[RS[RSUU5$S[R;aES[R;a1[ U[RS[RSUU5$[5nU(a1[RU5(a [S5e[XU5$[XU5$)NrrrzIgnoring managed_identity parameter. Managed Identity in Service Fabric is configured in the cluster, not during runtime. See also https://learn.microsoft.com/en-us/azure/service-fabric/configure-existing-cluster-enable-managed-identity-token-servicerrzInvalid managed_identity parameter. Azure Arc supports only system-assigned managed identity, See also https://learn.microsoft.com/en-us/azure/service-fabric/configure-existing-cluster-enable-managed-identity-token-service) rrrr_obtain_token_on_service_fabric_obtain_token_on_app_service!_obtain_token_on_machine_learningrrr*r_obtain_token_on_arc_obtain_token_on_azure_vm)rkrpr arc_endpoints rrrsYrzz).?2::.M, :  LLJ K /  JJ* + JJ( ) JJ3 4    bjj(->"**-L+  JJ* + JJ( )     #  (B0  JJ~ & JJ| $     %&L  + +,< = =&JK K $KxHH $[H MMrcU=(d [RRUR[R55nU(aU[RX'ggr')rr9r3r4r:)rZrp types_mappingid_names r _adjust_paramrsK> > >CC_4457G*?+=+=>rcN[RS5 SUS.n[X15 UR[R "SS5R S5S-USS 0S 9n[R"UR5nURS 5(aKURS 5(a5US [US 5URS 5URSS5S.$U$![RRa" [RSUR5 ef=f)Nz0Obtaining token via managed identity on Azure VMz 2018-02-01 api-versionr!AZURE_POD_IDENTITY_AUTHORITY_HOSTzhttp://169.254.169.254/z/metadata/identity/oauth2/tokenMetadatatruerZheadersrrgrrrrrgrr!IMDS emits unexpected payload: %s) rrrr3rgetenvstripjsonloadstextrdecoderJSONDecodeError)rkrprrZresppayloads rrrs  LLCD# F&+ ?? /1I eCj< =V$  D **TYY' ;;~ & &7;;|+D+D ' 7!',"78#KK 3%kk,A    << ' ' 8$))D s!BC$"C$$AD$c [RS5 SUS.n[XS[RS[R S[R S0S9 URUUUSS .S 9n[R"UR5nURS 5(ajURS 5(aTUS [US 5[[R"55- URS 5URSS5S.$SSRURS5URS55S.$![RRa" [RSUR5 ef=f)zObtains token for `App Service `_, Azure Functions, and Azure Automation. z9Obtaining token via managed identity on Azure App Servicez 2019-08-01rr# mi_res_idr%)rr)zX-IDENTITY-HEADERrrrrrrrr invalid_scopez{}, {} statusCodemessagererror_descriptionr)rrrrrErFrGr3rrrrrr\rr)rkendpointidentity_headerrprrZrrs rrrsW LLLM# F&!!;##[!!;; ??!0  D**TYY' ;;~ & &7;;|+D+D ' 7!',"783tyy{;KK#KK 3%kk,A  %!) L)7;;y+A"C  << ' ' 8$))D s*BD= 2D==AE=c[RS5 SUS.n[XS5 USS:XaSU;aURS5US'UR UUSU0S9n[ R "UR5nUR S 5(ajUR S 5(aTUS [US 5[[R"55- UR S 5UR S S 5S.$SSRU5S.$![ RRa" [RSUR5 ef=f)Nz>Obtaining token via managed identity on Azure Machine Learningz 2017-09-01rrr#clientidrrrrrrrrrz{}rr) rrrpopr3rrrrrr\rr)rkrrrprrZrrs rrrs4  LLQR)x @F&+ m ,1F#ZZ 4z ??6"  D **TYY' ;;~ & &7;;|+D+D ' 7!',"783tyy{;KK#KK 3%kk,A  %!%W!5  << ' ' 8$))D sBD=DAEc[RS5 URUSUS.SU0S9n[R"UR 5nURS5(a]URS5(aGUS[ US5[ [R"55- URS5US S .$URS 05nS S SS.nURUS SS5UR S.$![RRa" [RSUR 5 ef=f)z^Obtains token for `Service Fabric `_ zr"s!   ! "#AL2   8 $ : , h, ^ ZO Z5/52 2  N'FN'b Gh H h 8 ,,N^?:/bD&T) WW   R S/+  #7 1 r