Credentials Providers¶
The Jamf Pro SDK has two primary types of credential providers: API Client Credentials and User Credentials.
API Client Credentials Provider¶
Use Jamf Pro API clients for API authentication.
- class ApiClientCredentialsProvider(client_id: str, client_secret: str)¶
A credentials provider that uses OAuth2 client credentials flow using an API client.
- Parameters:
client_id (str) – The client ID.
client_secret (str) – The client secret.
User Credentials Provider¶
User credential providers use a username and password for API authentication.
- class UserCredentialsProvider(username: str, password: str)¶
Credentials provider that uses a username and password for obtaining access tokens.
- Parameters:
username (str) – The Jamf Pro API username.
password (str) – The Jamf Pro API password.
Utilities for Credential Providers¶
These functions return an instantiated credentials provider of the specified type.
Prompt for Credentials¶
- prompt_for_credentials(provider_type: Type[UserCredentialsProvider]) UserCredentialsProvider ¶
- prompt_for_credentials(provider_type: Type[ApiClientCredentialsProvider]) ApiClientCredentialsProvider
Prompts the user for credentials based on the given provider type.
Supports both user credentials (username/password) and API client credentials (client_id/client_secret), prompting interactively as needed.
- Parameters:
provider_type (Type[CredentialsProvider]) – The credentials provider class to instantiate.
- Returns:
The
CredentialsProvider
object.- Return type:
Load from AWS Secrets Manager¶
- load_from_aws_secrets_manager(provider_type: Type[CredentialsProvider], secret_id: str, version_id: str | None = None, version_stage: str | None = None) CredentialsProvider ¶
A basic auth credentials provider for AWS Secrets Manager. Requires an IAM role with the
secretsmanager:GetSecretValue
permission. May also requirekms:Decrypt
if the secret is encrypted with a customer managed key.The
SecretString
is expected to be JSON string in this format:// For UserCredentialsProvider: { "username": "oscar", "password": "*****" } // For ApiClientCredentialsProvider: { "client_id": "abc123", "client_secret": "xyz456" }
Important
This credentials provider requires the
aws
extra dependency.- Parameters:
provider_type (Type[CredentialsProvider]) – The credentials provider class to instantiate using the loaded secret.
secret_id (str) – The ARN or name of the secret.
version_id (str) – The unique identifier of this version of the secret. If not provided the latest version of the secret will be returned.
version_stage (str) – The staging label of the version of the secret to retrieve.
- Returns:
The
CredentialsProvider
object with necessary credentials.- Return type:
Load from Keychain¶
- load_from_keychain(provider_type: Type[UserCredentialsProvider], server: str, *, username: str, client_id: None = None) UserCredentialsProvider ¶
- load_from_keychain(provider_type: Type[ApiClientCredentialsProvider], server: str, *, client_id: str, username: None = None) ApiClientCredentialsProvider
Load credentials from the macOS login keychain and return an instance of the specified credentials provider.
Important
This credentials provider requires the
macOS
extra dependency.The Jamf Pro API password or client credentials are stored in the keychain with the
service_name
set to the Jamf Pro server name.- Supports:
UserCredentialsProvider
: Retrieves a password using the providedusername
.ApiClientCredentialsProvider
: Retrieves the API client secret using the providedclient_id
.
- Parameters:
provider_type (Type[CredentialsProvider]) – The credentials provider class to instantiate
server (str) – The Jamf Pro server name.
client_id (Optional[str]) – The client ID used for
ApiClientCredentialsProvider
. Required ifprovider_type
is that provider.username (Optional[str]) – The username used for
UserCredentialsProvider
. Required ifprovider_type
is that provider.
- Returns:
An instantiated credentials provider using the keychain values.
- Return type:
Access Token¶
- pydantic model AccessToken¶
Jamf Pro access token. Used by a
CredentialsProvider
object to manage an access token.- Parameters:
type (str) – The type name of the access token. This should only be
user
oroauth
.token (str) – The raw access token string.
expires (datetime) – The expiration time of the token represented as a
datetime
object.scope (List[str]) – If the access token is an
oauth
type the scope claim will be passed as a list of string values.
- property is_expired: bool¶
Has the current time passed the token’s expiration time? Will return False if the current time is within 5 seconds of the token’s expiration time.
- property seconds_remaining: int¶
The number of seconds until the token expires.
Credentials Provider Base Class¶
- class CredentialsProvider¶
The base credentials provider class all other providers should inherit from.
- get_access_token(thread_lock: allocate_lock | None = None) AccessToken ¶
Thread safe method for obtaining the current API access token.
- Returns:
An
AccessToken
object.- Return type:
- Parameters:
thread_lock (allocate_lock | None)
- _request_access_token() AccessToken ¶
This internal method requests a new Jamf Pro access token.
Custom credentials providers should override this method. Refer to the
ApiClientProvider
andUserCredentialsProvider
classes for example implementations.This method must always return an
AccessToken
object.- Returns:
An
AccessToken
object.- Return type:
- _keep_alive() AccessToken ¶
Refresh an access token using the
keep-alive
endpoint.As of Jamf Pro 10.49 this is only supported by user bearer tokens.
This method may be removed in a future update.
- Returns:
An
AccessToken
object.- Return type:
- _refresh_access_token() None ¶
Requests and stores an API access token.
Refresh behavior is determined by the token’s type.
For user bearer tokens, if the cached token’s remaining time is greater than or equal to 60 seconds it will be returned. If the cached token’s remaining time is greater than 5 seconds but less than 60 seconds the token will be refreshed using the
keep-alive
API.For OAuth tokens, if the cached token’s remaining time is greater than or equal to 3 seconds it will be returned.
If the above conditions are not met a new token will be requested.
- Return type:
None