Credentials Providers

API Client Providers

These credentials providers use Jamf Pro API clients for API authentication.

class ApiClientCredentialsProvider(client_id: str, client_secret: str)

A credentials provider that uses the OAuth2 client credentials flow with an API client.

Parameters:
  • client_id (str) – The client ID.

  • client_secret (str) – The client secret.

Basic Auth Providers

These credentials providers use a username and password for API authentication.

class BasicAuthProvider(username: str, password: str)

A basic auth credentials provider that uses a username and password for obtaining access tokens.

Parameters:
  • username (str) – The Jamf Pro API username.

  • password (str) – The Jamf Pro API password.

class PromptForCredentials(username: str | None = None)

A basic auth credentials provider for command-line use cases. The user will be prompted for their username (if not provided) and password.

Parameters:

username (Optional[str]) – The Jamf Pro API username.

class LoadFromKeychain(server: str, username: str)

A credentials provider for the macOS login keychain. The API password is stored in a keychain entry where the service_name is the server.

Important

This credentials provider requires the macOS extra dependency.

Parameters:
  • server (str) – The Jamf Pro server name.

  • username (str) – The Jamf Pro API username.

class LoadFromAwsSecretsManager(secret_id: str, version_id: str | None = None, version_stage: str | None = None)

A basic auth credentials provider for AWS Secrets Manager. Requires an IAM role with the secretsmanager:GetSecretValue permission. May also require kms:Decrypt if the secret is encrypted with a customer managed key.

The SecretString is expected to be a JSON string in this format:

{
    "username": "oscar",
    "password": "*****"
}

Important

This credentials provider requires the aws extra dependency.

Parameters:
  • secret_id (str) – The ARN or name of the secret.

  • version_id (str) – The unique identifier of this version of the secret. If not provided the latest version of the secret will be returned.

  • version_stage (str) – The staging label of the version of the secret to retrieve.

Access Token

pydantic model AccessToken

Jamf Pro access token. Used by a CredentialsProvider object to manage an access token.

Parameters:
  • type (str) – The type name of the access token. This should only be user or oauth.

  • token (str) – The raw access token string.

  • expires (datetime) – The expiration time of the token represented as a datetime object.

  • scope (List[str]) – If the access token is an oauth type the scope claim will be passed as a list of string values.

property is_expired: bool

Has the current time passed the token’s expiration time? Will return False if the current time is within 5 seconds of the token’s expiration time.

property seconds_remaining: int

The number of seconds until the token expires.

Credentials Provider Base Class

class CredentialsProvider

The base credentials provider class all other providers should inherit from.

get_access_token(thread_lock: allocate_lock | None = None) → AccessToken

Thread safe method for obtaining the current API access token.

Returns:

An AccessToken object.

Return type:

AccessToken

Parameters:

thread_lock (allocate_lock | None)

_request_access_token() → AccessToken

This internal method requests a new Jamf Pro access token.

Custom credentials providers should override this method. Refer to the ApiClientProvider and BasicAuthProvider classes for example implementations.

This method must always return an AccessToken object.

Returns:

An AccessToken object.

Return type:

AccessToken

_keep_alive() → AccessToken

Refresh an access token using the keep-alive endpoint.

As of Jamf Pro 10.49 this is only supported by user bearer tokens.

This method may be removed in a future update.

Returns:

An AccessToken object.

Return type:

AccessToken

_refresh_access_token() → None

Requests and stores an API access token.

Refresh behavior is determined by the token’s type.

For user bearer tokens, if the cached token’s remaining time is greater than or equal to 60 seconds it will be returned. If the cached token’s remaining time is greater than 5 seconds but less than 60 seconds the token will be refreshed using the keep-alive API.

For OAuth tokens, if the cached token’s remaining time is greater than or equal to 3 seconds it will be returned.

If the above conditions are not met a new token will be requested.

Return type:

None
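
The refresh thresholds described for _refresh_access_token, combined with the lock-protected behaviour of get_access_token, modelled as an added example; this is not the SDK's own code. Token, refresh_action and CachedProvider are hypothetical stand-ins, and the request and keep_alive callables are assumed to play the roles of _request_access_token and _keep_alive.

```python
import threading
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional


@dataclass
class Token:
    """Stand-in for the page's AccessToken (hypothetical, not the SDK model)."""
    type: str            # "user" or "oauth", the two types the page names
    token: str
    expires: datetime

    def seconds_remaining(self, now: datetime) -> int:
        # Whole seconds left, never negative (assumed rounding: truncate).
        return max(0, int((self.expires - now).total_seconds()))


def refresh_action(tok: Optional[Token], now: datetime) -> str:
    """Return 'reuse', 'keep_alive' or 'request_new' per the page's thresholds."""
    if tok is None:
        return "request_new"
    left = tok.seconds_remaining(now)
    if tok.type == "user":
        if left >= 60:
            return "reuse"
        if 5 < left < 60:
            return "keep_alive"
    elif tok.type == "oauth" and left >= 3:
        return "reuse"
    return "request_new"


class CachedProvider:
    """Serialises refreshes so concurrent callers share one token request."""

    def __init__(self, request: Callable[[], Token], keep_alive: Callable[[], Token]):
        self._request, self._keep_alive = request, keep_alive
        self._lock = threading.Lock()
        self._token: Optional[Token] = None

    def get_access_token(self, now: Optional[datetime] = None) -> Token:
        with self._lock:  # decision and token swap happen under one lock
            action = refresh_action(self._token, now or datetime.now(timezone.utc))
            if action == "keep_alive":
                self._token = self._keep_alive()
            elif action == "request_new":
                self._token = self._request()
            return self._token
```

Because the decision and the swap share one lock, a burst of concurrent callers sends the secret to the token endpoint once instead of once per thread.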