带有证书的Python AAD(Azure Active Directory)身份验证
[英]Python AAD (Azure Active Directory) Authentication with certificate
问题描述
I'm trying to get an access token by authenticating my app with AAD via a certificate. 
我正在尝试通过证书通过AAD对我的应用进行身份验证来获取访问令牌。 The certificate is installed on my local machine (windows 10). 证书已安装在我的本地计算机上(Windows 10)。 This authentication is needed to access an external API. 访问外部API需要此身份验证。
I'm following the steps posted on Azure Docs 我正在按照Azure Docs上发布的步骤进行操作
Sample code: 样例代码:
def authenticate_client_cert():
"""
Authenticate using service principal w/ cert.
"""
authority_host_uri = 'https://login.microsoftonline.com'
tenant = '<TENANT>'
authority_uri = authority_host_uri + '/' + tenant
resource_uri = 'https://management.core.windows.net/'
client_id = '<CLIENT_ID>'
client_cert = '<CLIENT_CERT>' ### MISSING THIS
client_cert_thumbprint = '<CLIENT_CERT_THUMBPRINT>'
context = adal.AuthenticationContext(authority_uri, api_version=None)
mgmt_token = context.acquire_token_with_client_certificate(resource_uri, client_id, client_cert, client_cert_thumbprint)
credentials = AADTokenCredentials(mgmt_token, client_id)
return credentials
I have '<CLIENT_ID>' , '<TENANT>' and '<CLIENT_CERT_THUMBPRINT>' but I'm missing '<CLIENT_CERT>' 我有'<CLIENT_ID>' , '<TENANT>'和'<CLIENT_CERT_THUMBPRINT>'但缺少'<CLIENT_CERT>'
From my understanding, '<CLIENT_CERT>' is the private key but I cannot export the private key because it's not allowed. 据我了解, '<CLIENT_CERT>'是私钥,但是由于不允许使用,因此我无法导出私钥。
So I'm not sure how I can get authenticated from AAD with this certificate. 因此,我不确定如何使用此证书从AAD获得身份验证。
1 个解决方案
解决方案1
1 已采纳 2018-06-06 02:16:49
If you cannot get the private key, you won't use this cert to get authenticated with AAD. 如果无法获取私钥,则不会使用此证书来通过AAD进行身份验证。 But You can upload a new cert by yourself and use it. 但是您可以自己上传并使用新证书。
The <client_cert> should be the Name of the key file which you generated. <client_cert>应该是您生成的密钥文件的名称 。
Here is a documentation about Client credentials with certificate in ADAL for python : 这是有关ADAL for python中带有证书的客户端凭据的文档:
Steps to generate certificate and private key to be used when implementing the client credential flow are as follows:
Generate a key:
openssl genrsa -out server.pem 2048Create a certificate request:
openssl req -new -key server.pem -out server.csrGenerate a certificate:
openssl x509 -req -days 365 -in server.csr -signkey server.pem -out server.crtYou will have to upload this certificate (
server.crt) on Azure Portal in your application settings.server.crt)上传到Azure门户。 Once you save this certificate, the portal will give you the thumbprint of this certificate which is needed in the acquire token call.server.pemkey you generated in the first step.server.pem密钥。Now you can create the credential for the client credential flow using certificate in ADAL Python as follows:
client_credentials = { "client_id": <your app id>, "thumbprint": <thumbprint of cert file>, "certificate": <key file name> }
For example: 例如:
{
"resource": "your_resource",
"tenant" : "test.onmicrosoft.com",
"authorityHostUrl" : "https://login.microsoftonline.com",
"clientId" : "d6835713-b745-48d1-bb62-7a8248477d35",
"thumbprint" : 'C15DEA8656ADDF67BE8031D85EBDDC5AD6C436E1',
"certificate" : 'server.pem'
}
Hope this helps! 希望这可以帮助!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.