Credential Providers

class cognite.client.credentials.Token(token: str | Callable[[], str])

Token credential provider

Parameters

token (str | Callable[[], str]) – A token or a token factory.

Examples

>>> from cognite.client.credentials import Token
>>> token_provider = Token("my secret token")
>>> token_factory_provider = Token(lambda: "my secret token")

Note

If you pass in a callable, we will expect that you supplied a function that may do a token refresh under the hood, so it will be called while holding a thread lock (threading.Lock()).

class cognite.client.credentials.OAuthClientCredentials(token_url: str, client_id: str, client_secret: str, scopes: list[str], token_expiry_leeway_seconds: int = 30, **token_custom_args: Any)

OAuth credential provider for the “Client Credentials” flow.

Parameters

• token_url (str) – OAuth token url

• client_id (str) – Your application’s client id.

• client_secret (str) – Your application’s client secret

• scopes (list[str]) – A list of scopes.

• token_expiry_leeway_seconds (int) – The token is refreshed at the earliest when this number of seconds is left before expiry. Default: 30 sec

• **token_custom_args (Any) – Optional additional arguments to pass as query parameters to the token fetch request.

Examples

>>> from cognite.client.credentials import OAuthClientCredentials
>>> import os
>>> oauth_provider = OAuthClientCredentials(
...     token_url="https://login.microsoftonline.com/xyz/oauth2/v2.0/token",
...     client_id="abcd",
...     client_secret=os.environ["OAUTH_CLIENT_SECRET"],
...     scopes=["https://greenfield.cognitedata.com/.default"],
...     # Any additional IDP-specific token args. e.g.
...     audience="some-audience"
... )

classmethod default_for_azure_ad(tenant_id: str, client_id: str, client_secret: str, cdf_cluster: str, token_expiry_leeway_seconds: int = 30, **token_custom_args: Any) → OAuthClientCredentials

Create an OAuthClientCredentials instance for Azure with default token URL and scopes.

The default configuration creates the URLs based on the tenant id and cluster/oauth2/v2.0/token:

• Token URL: “https://login.microsoftonline.com/{tenant_id}”

• Scopes: [f”https://{cdf_cluster}.cognitedata.com/.default”]

Parameters

• tenant_id (str) – The Azure tenant id

• client_id (str) – Your application’s client id.

• client_secret (str) – Your application’s client secret.

• cdf_cluster (str) – The CDF cluster where the CDF project is located.

• token_expiry_leeway_seconds (int) – The token is refreshed at the earliest when this number of seconds is left before expiry. Default: 30 sec

• **token_custom_args (Any) – Optional additional arguments to pass as query parameters to the token fetch request.

Returns

An OAuthClientCredentials instance

Return type

OAuthClientCredentials

class cognite.client.credentials.OAuthInteractive(authority_url: str, client_id: str, scopes: list[str], redirect_port: int = 53000, token_cache_path: Path | None = None, token_expiry_leeway_seconds: int = 30)

OAuth credential provider for an interactive login flow.

Make sure you have http://localhost:port in Redirect URI in App Registration as type “Mobile and desktop applications”.

Parameters

• authority_url (str) – OAuth authority url

• client_id (str) – Your application’s client id.

• scopes (list[str]) – A list of scopes.

• redirect_port (int) – Redirect port defaults to 53000.

• token_cache_path (Path | None) – Location to store token cache, defaults to os temp directory/cognitetokencache.{client_id}.bin.

• token_expiry_leeway_seconds (int) – The token is refreshed at the earliest when this number of seconds is left before expiry. Default: 30 sec

Examples

>>> from cognite.client.credentials import OAuthInteractive
>>> oauth_provider = OAuthInteractive(
...     authority_url="https://login.microsoftonline.com/xyz",
...     client_id="abcd",
...     scopes=["https://greenfield.cognitedata.com/.default"],
... )

classmethod default_for_azure_ad(tenant_id: str, client_id: str, cdf_cluster: str, token_expiry_leeway_seconds: int = 30, **token_custom_args: Any) → OAuthInteractive

Create an OAuthClientCredentials instance for Azure with default token URL and scopes.

The default configuration creates the URLs based on the tenant id and cluster:

• Authority URL: “https://login.microsoftonline.com/{tenant_id}”

• Scopes: [f”https://{cdf_cluster}.cognitedata.com/.default”]

Parameters

• tenant_id (str) – The Azure tenant id

• client_id (str) – Your application’s client id.

• cdf_cluster (str) – The CDF cluster where the CDF project is located.

• token_expiry_leeway_seconds (int) – The token is refreshed at the earliest when this number of seconds is left before expiry. Default: 30 sec

• **token_custom_args (Any) – Optional additional arguments to pass as query parameters to the token fetch request.

Returns

An OAuthInteractive instance

Return type

OAuthInteractive

class cognite.client.credentials.OAuthDeviceCode(authority_url: str, client_id: str, scopes: list[str], token_cache_path: Path | None = None, token_expiry_leeway_seconds: int = 30)

OAuth credential provider for the device code login flow.

Parameters

• authority_url (str) – OAuth authority url

• client_id (str) – Your application’s client id.

• scopes (list[str]) – A list of scopes.

• token_cache_path (Path | None) – Location to store token cache, defaults to os temp directory/cognitetokencache.{client_id}.bin.

• token_expiry_leeway_seconds (int) – The token is refreshed at the earliest when this number of seconds is left before expiry. Default: 30 sec

Examples

>>> from cognite.client.credentials import OAuthDeviceCode
>>> oauth_provider = OAuthDeviceCode(
...     authority_url="https://login.microsoftonline.com/xyz",
...     client_id="abcd",
...     scopes=["https://greenfield.cognitedata.com/.default"],
... )

class cognite.client.credentials.OAuthClientCertificate(authority_url: str, client_id: str, cert_thumbprint: str, certificate: str, scopes: list[str], token_expiry_leeway_seconds: int = 30)

OAuth credential provider for authenticating with a client certificate.

Parameters

• authority_url (str) – OAuth authority url

• client_id (str) – Your application’s client id.

• cert_thumbprint (str) – Your certificate’s thumbprint. You get it when you upload your certificate to Azure AD.

• certificate (str) – Your private certificate, typically read from a .pem file

• scopes (list[str]) – A list of scopes.

• token_expiry_leeway_seconds (int) – The token is refreshed at the earliest when this number of seconds is left before expiry. Default: 30 sec

Examples

>>> from cognite.client.credentials import OAuthClientCertificate
>>> from pathlib import Path
>>> oauth_provider = OAuthClientCertificate(
...     authority_url="https://login.microsoftonline.com/xyz",
...     client_id="abcd",
...     cert_thumbprint="XYZ123",
...     certificate=Path("certificate.pem").read_text(),
...     scopes=["https://greenfield.cognitedata.com/.default"],
... )