diff --git a/NEWS.md b/NEWS.md index b091da4..6545519 100644 --- a/NEWS.md +++ b/NEWS.md @@ -3,7 +3,11 @@ ## Significant interface changes * New `create_azure_login`, `get_azure_login` and `delete_azure_login` functions to handle ARM authentication. These will persist the login object across sessions, removing the need to re-authenticate each time. While directly calling `az_rm$new()` will still work, it's recommended to use `create_azure_login` and `get_azure_login` going forward. -* `get_azure_token` revamped, now supports the resource owner authentication method for obtaining an AAD token with a username and password. +* `get_azure_token` revamped, now supports four authentication methods for obtaining AAD tokens: + - Client credentials (what you would use with a "web app" registered service principal) + - Authorization code (for a "native" service principal) + - Device code + - With a username and password (resource owner grant) ## Other changes diff --git a/R/AzureToken.R b/R/AzureToken.R index bf917ae..75e8bb3 100644 --- a/R/AzureToken.R +++ b/R/AzureToken.R @@ -149,16 +149,20 @@ private=list( #' @param aad_host URL for your AAD host. For the public Azure cloud, this is `https://login.microsoftonline.com/`. #' #' @details -#' This function does much the same thing as [httr::oauth2.0_token()], but with support for device authentication and with unnecessary options removed. Device authentication removes the need to save a password on your machine. Instead, the server provides you with a code, along with a URL. You then visit the URL in your browser and enter the code, which completes the authentication process. +#' This function does much the same thing as [httr::oauth2.0_token()], but customised for Azure. #' -#' The OAuth authentication type can be one of 4 possible values: "authorization_code", "device_code", "client_credentials" or "resource_owner". If this is not specified, the value is chosen based on the presence or absence of the `password` and `username` arguments: +#' The OAuth authentication type can be one of four possible values: "authorization_code", "client_credentials", "device_code", or "resource_owner". The first two are provided by the [httr::Token2.0] token class, while the last two are provided by the AzureToken class which extends httr::Token2.0. #' -#' - Password and username present: "resource_owner" +#' If the authentication method is not specified, the value is chosen based on the presence or absence of the `password` and `username` arguments: +#' +#' - Password and username present: "resource_owner". In this #' - Password and username absent: "authorization_code" if the httpuv package is installed, "device_code" otherwise #' - Password present, username absent: "client_credentials" #' - Password absent, username present: error #' #' The httpuv package must be installed to use the "authorization_code" method, as this requires a web server to listen on the (local) redirect URI. See [httr::oauth2.0_token] for more information; note that Azure does not support the `use_oob` feature of the httr OAuth 2.0 token class. +#' +#' Similarly, since the "authorization_code" method requires you to browse to a URL, your machine should have an Internet browser installed that can be run from inside R. In particular, if you are using a Linux [Data Science Virtual Machine](https://azure.microsoft.com/en-us/services/virtual-machines/data-science-virtual-machines/) in Azure, you may run into difficulties; use one of the other methods instead. #' #' @seealso #' [AzureToken], [httr::oauth2.0_token], [httr::Token], diff --git a/R/az_auth.R b/R/az_auth.R index 9886cfb..76d381a 100644 --- a/R/az_auth.R +++ b/R/az_auth.R @@ -18,7 +18,7 @@ #' - `app`: The client/app ID to use to authenticate with Azure Active Directory. #' - `password`: if `auth_type == "client_credentials"`, the app secret; if `auth_type == "resource_owner"`, your account password. #' - `username`: if `auth_type == "resource_owner"`, your username. -#' - `auth_type`: The OAuth authentication method to use, one of "client_credentials", "authorization_code", "device_code" or "resource_owner". See [get_azure_token] for how the default method is chosen. +#' - `auth_type`: The OAuth authentication method to use, one of "client_credentials", "authorization_code", "device_code" or "resource_owner". See [get_azure_token] for how the default method is chosen, along with some caveats. #' - `host`: your ARM host. Defaults to `https://management.azure.com/`. Change this if you are using a government or private cloud. #' - `aad_host`: Azure Active Directory host for authentication. Defaults to `https://login.microsoftonline.com/`. Change this if you are using a government or private cloud. #' - `config_file`: Optionally, a JSON file containing any of the arguments listed above. Arguments supplied in this file take priority over those supplied on the command line. You can also use the output from the Azure CLI `az ad sp create-for-rbac` command. diff --git a/man/az_rm.Rd b/man/az_rm.Rd index 26cabf1..fb8f8a6 100644 --- a/man/az_rm.Rd +++ b/man/az_rm.Rd @@ -30,7 +30,7 @@ To authenticate with the \code{az_rm} class directly, provide the following argu \item \code{app}: The client/app ID to use to authenticate with Azure Active Directory. \item \code{password}: if \code{auth_type == "client_credentials"}, the app secret; if \code{auth_type == "resource_owner"}, your account password. \item \code{username}: if \code{auth_type == "resource_owner"}, your username. -\item \code{auth_type}: The OAuth authentication method to use, one of "client_credentials", "authorization_code", "device_code" or "resource_owner". See \link{get_azure_token} for how the default method is chosen. +\item \code{auth_type}: The OAuth authentication method to use, one of "client_credentials", "authorization_code", "device_code" or "resource_owner". See \link{get_azure_token} for how the default method is chosen, along with some caveats. \item \code{host}: your ARM host. Defaults to \code{https://management.azure.com/}. Change this if you are using a government or private cloud. \item \code{aad_host}: Azure Active Directory host for authentication. Defaults to \code{https://login.microsoftonline.com/}. Change this if you are using a government or private cloud. \item \code{config_file}: Optionally, a JSON file containing any of the arguments listed above. Arguments supplied in this file take priority over those supplied on the command line. You can also use the output from the Azure CLI \code{az ad sp create-for-rbac} command. diff --git a/man/get_azure_token.Rd b/man/get_azure_token.Rd index 0a7cbe5..349cace 100644 --- a/man/get_azure_token.Rd +++ b/man/get_azure_token.Rd @@ -27,17 +27,21 @@ get_azure_token(resource_host, tenant, app, password = NULL, This extends the OAuth functionality in httr to allow for device code authentication. } \details{ -This function does much the same thing as \code{\link[httr:oauth2.0_token]{httr::oauth2.0_token()}}, but with support for device authentication and with unnecessary options removed. Device authentication removes the need to save a password on your machine. Instead, the server provides you with a code, along with a URL. You then visit the URL in your browser and enter the code, which completes the authentication process. +This function does much the same thing as \code{\link[httr:oauth2.0_token]{httr::oauth2.0_token()}}, but customised for Azure. -The OAuth authentication type can be one of 4 possible values: "authorization_code", "device_code", "client_credentials" or "resource_owner". If this is not specified, the value is chosen based on the presence or absence of the \code{password} and \code{username} arguments: +The OAuth authentication type can be one of four possible values: "authorization_code", "client_credentials", "device_code", or "resource_owner". The first two are provided by the \link[httr:Token2.0]{httr::Token2.0} token class, while the last two are provided by the AzureToken class which extends httr::Token2.0. + +If the authentication method is not specified, the value is chosen based on the presence or absence of the \code{password} and \code{username} arguments: \itemize{ -\item Password and username present: "resource_owner" +\item Password and username present: "resource_owner". In this \item Password and username absent: "authorization_code" if the httpuv package is installed, "device_code" otherwise \item Password present, username absent: "client_credentials" \item Password absent, username present: error } The httpuv package must be installed to use the "authorization_code" method, as this requires a web server to listen on the (local) redirect URI. See \link[httr:oauth2.0_token]{httr::oauth2.0_token} for more information; note that Azure does not support the \code{use_oob} feature of the httr OAuth 2.0 token class. + +Similarly, since the "authorization_code" method requires you to browse to a URL, your machine should have an Internet browser installed that can be run from inside R. In particular, if you are using a Linux \href{https://azure.microsoft.com/en-us/services/virtual-machines/data-science-virtual-machines/}{Data Science Virtual Machine} in Azure, you may run into difficulties; use one of the other methods instead. } \examples{ \dontrun{