Credentials Providers

The Jamf Pro SDK has two primary types of credential providers: API Client Credentials and User Credentials.

API Client Credentials Provider

Use Jamf Pro API clients for API authentication.

class ApiClientCredentialsProvider(client_id: str, client_secret: str)

A credentials provider that uses OAuth2 client credentials flow using an API client.

Parameters:

  • client_id (str) – The client ID.

  • client_secret (str) – The client secret.

User Credentials Provider

User credential providers use a username and password for API authentication.

class UserCredentialsProvider(username: str, password: str)

Credentials provider that uses a username and password for obtaining access tokens.

Parameters:

  • username (str) – The Jamf Pro API username.

  • password (str) – The Jamf Pro API password.

Utilities for Credential Providers

These functions return an instantiated credentials provider of the specified type.

Prompt for Credentials

prompt_for_credentials(provider_type: Type[UserCredentialsProvider]) UserCredentialsProvider
prompt_for_credentials(provider_type: Type[ApiClientCredentialsProvider]) ApiClientCredentialsProvider

Prompts the user for credentials based on the given provider type.

Supports both user credentials (username/password) and API client credentials (client_id/client_secret), prompting interactively as needed.

Parameters:

provider_type (Type[CredentialsProvider]) – The credentials provider class to instantiate.

Returns:

The CredentialsProvider object.

Return type:

CredentialsProvider

Load from AWS Secrets Manager

load_from_aws_secrets_manager(provider_type: Type[CredentialsProvider], secret_id: str, version_id: str | None = None, version_stage: str | None = None) CredentialsProvider

A basic auth credentials provider for AWS Secrets Manager. Requires an IAM role with the secretsmanager:GetSecretValue permission. May also require kms:Decrypt if the secret is encrypted with a customer managed key.

The SecretString is expected to be JSON string in this format:

// For UserCredentialsProvider:
{
    "username": "oscar",
    "password": "*****"
}

// For ApiClientCredentialsProvider:
{
    "client_id": "abc123",
    "client_secret": "xyz456"
}

Important

This credentials provider requires the aws extra dependency.

Parameters:

  • provider_type (Type[CredentialsProvider]) – The credentials provider class to instantiate using the loaded secret.

  • secret_id (str) – The ARN or name of the secret.

  • version_id (str) – The unique identifier of this version of the secret. If not provided the latest version of the secret will be returned.

  • version_stage (str) – The staging label of the version of the secret to retrieve.

Returns:

The CredentialsProvider object with necessary credentials.

Return type:

CredentialsProvider

Load from Keychain

load_from_keychain(provider_type: Type[UserCredentialsProvider], server: str, *, username: str, client_id: None = None) UserCredentialsProvider
load_from_keychain(provider_type: Type[ApiClientCredentialsProvider], server: str, *, client_id: str, username: None = None) ApiClientCredentialsProvider

Load credentials from the macOS login keychain and return an instance of the specified credentials provider.

Important

This credentials provider requires the macOS extra dependency.

The Jamf Pro API password or client credentials are stored in the keychain with the service_name set to the Jamf Pro server name.

Supports:

  • UserCredentialsProvider: Retrieves a password using the provided username.

  • ApiClientCredentialsProvider: Retrieves the API client secret using the provided client_id.

Parameters:

  • provider_type (Type[CredentialsProvider]) – The credentials provider class to instantiate

  • server (str) – The Jamf Pro server name.

  • client_id (Optional[str]) – The client ID used for ApiClientCredentialsProvider. Required if provider_type is that provider.

  • username (Optional[str]) – The username used for UserCredentialsProvider. Required if provider_type is that provider.

Returns:

An instantiated credentials provider using the keychain values.

Return type:

CredentialsProvider

Access Token

pydantic model AccessToken

Jamf Pro access token. Used by a CredentialsProvider object to manage an access token.

Parameters:

  • type (str) – The type name of the access token. This should only be user or oauth.

  • token (str) – The raw access token string.

  • expires (datetime) – The expiration time of the token represented as a datetime object.

  • scope (List[str]) – If the access token is an oauth type the scope claim will be passed as a list of string values.

property is_expired: bool

Has the current time passed the token’s expiration time? Will return False if the current time is within 5 seconds of the token’s expiration time.

property seconds_remaining: int

The number of seconds until the token expires.

Credentials Provider Base Class

class CredentialsProvider

The base credentials provider class all other providers should inherit from.

get_access_token(thread_lock: allocate_lock | None = None) AccessToken

Thread safe method for obtaining the current API access token.

Returns:

An AccessToken object.

Return type:

AccessToken

Parameters:

thread_lock (allocate_lock | None)

_request_access_token() AccessToken

This internal method requests a new Jamf Pro access token.

Custom credentials providers should override this method. Refer to the ApiClientProvider and UserCredentialsProvider classes for example implementations.

This method must always return an AccessToken object.

Returns:

An AccessToken object.

Return type:

AccessToken

_keep_alive() AccessToken

Refresh an access token using the keep-alive endpoint.

As of Jamf Pro 10.49 this is only supported by user bearer tokens.

This method may be removed in a future update.

Returns:

An AccessToken object.

Return type:

AccessToken

_refresh_access_token() None

Requests and stores an API access token.

Refresh behavior is determined by the token’s type.

For user bearer tokens, if the cached token’s remaining time is greater than or equal to 60 seconds it will be returned. If the cached token’s remaining time is greater than 5 seconds but less than 60 seconds the token will be refreshed using the keep-alive API.

For OAuth tokens, if the cached token’s remaining time is greater than or equal to 3 seconds it will be returned.

If the above conditions are not met a new token will be requested.

Return type:

None