Python AAD (Azure Active Directory) Authentication with certificate
I'm trying to get an access token by authenticating my app with AAD via a certificate. The certificate is installed on my local machine (Windows 10). This authentication is needed to access an external API.
I'm following the steps posted on Azure Docs.
Sample code:
```python
import adal
from msrestazure.azure_active_directory import AADTokenCredentials


def authenticate_client_cert():
    """
    Authenticate using service principal w/ cert.
    """
    authority_host_uri = 'https://login.microsoftonline.com'
    tenant = '<TENANT>'
    authority_uri = authority_host_uri + '/' + tenant
    resource_uri = 'https://management.core.windows.net/'
    client_id = '<CLIENT_ID>'
    client_cert = '<CLIENT_CERT>'  ### MISSING THIS
    client_cert_thumbprint = '<CLIENT_CERT_THUMBPRINT>'
    context = adal.AuthenticationContext(authority_uri, api_version=None)
    mgmt_token = context.acquire_token_with_client_certificate(resource_uri, client_id, client_cert, client_cert_thumbprint)
    credentials = AADTokenCredentials(mgmt_token, client_id)
    return credentials
```
I have '<CLIENT_ID>', '<TENANT>' and '<CLIENT_CERT_THUMBPRINT>', but I'm missing '<CLIENT_CERT>'.
From my understanding, '<CLIENT_CERT>' is the private key, but I cannot export the private key because it's not allowed.
So I'm not sure how I can get authenticated from AAD with this certificate.
If you cannot get the private key, you won't be able to use this cert to get authenticated with AAD. But you can upload a new cert by yourself and use it.
The <client_cert> should be the name of the key file which you generated.
Here is the documentation about Client credentials with certificate in ADAL for Python:
Steps to generate the certificate and private key to be used when implementing the client credential flow are as follows:
Generate a key:
```shell
openssl genrsa -out server.pem 2048
```
Create a certificate request:
```shell
openssl req -new -key server.pem -out server.csr
```
Generate a certificate:
```shell
openssl x509 -req -days 365 -in server.csr -signkey server.pem -out server.crt
```
You will have to upload this certificate (server.crt) on the Azure Portal in your application settings. Once you save this certificate, the portal will give you the thumbprint of this certificate, which is needed in the acquire token call. The key will be the server.pem key you generated in the first step. Now you can create the credential for the client credential flow using a certificate in ADAL Python as follows:
```python
client_credentials = {
    "client_id": <your app id>,
    "thumbprint": <thumbprint of cert file>,
    "certificate": <key file name>
}
```
For example:
```python
{
    "resource": "your_resource",
    "tenant": "test.onmicrosoft.com",
    "authorityHostUrl": "https://login.microsoftonline.com",
    "clientId": "d6835713-b745-48d1-bb62-7a8248477d35",
    "thumbprint": 'C15DEA8656ADDF67BE8031D85EBDDC5AD6C436E1',
    "certificate": 'server.pem'
}
```
Hope this helps!
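As an added example that is not part of the question or the answer above: a standard-library helper that checks the locally generated server.crt and server.pem before the ADAL call, so that a wrong thumbprint or a certificate file with no private key is caught up front instead of as a failed token request. It assumes that the thumbprint shown by the portal is the SHA-1 of the DER-encoded certificate (upper-case hex) and that `acquire_token_with_client_certificate` consumes the PEM text of server.pem, so the helper stores the key contents rather than only the file name; the two SAMPLE_* PEM blocks are constructed placeholders, not real key material.

```python
import base64
import hashlib
import re

# Constructed placeholder PEM files, NOT real key material: the base64 body
# "YWJj" is the bytes b"abc", so the DER SHA-1 is the well-known test vector.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nYWJj\n-----END RSA PRIVATE KEY-----\n"


def pem_block(pem_text, label):
    """Return the DER bytes of the first PEM block carrying the given label."""
    pattern = r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label)
    match = re.search(pattern, pem_text, re.S)
    if not match:
        raise ValueError("no PEM %s block found" % label)
    return base64.b64decode("".join(match.group(1).split()))


def certificate_thumbprint(cert_pem):
    """Thumbprint as the Azure portal shows it: SHA-1 of the DER certificate, upper-case hex."""
    return hashlib.sha1(pem_block(cert_pem, "CERTIFICATE")).hexdigest().upper()


def has_private_key(key_pem):
    """True if the text holds a private key; a non-exportable key never yields such a file."""
    return re.search(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----", key_pem) is not None


def build_client_credentials(client_id, cert_pem, key_pem, portal_thumbprint=None):
    """Assemble the ADAL credential dict, checking that cert, key and thumbprint belong together."""
    if not has_private_key(key_pem):
        raise ValueError("key file holds no private key; generate a new pair with openssl genrsa")
    thumbprint = certificate_thumbprint(cert_pem)
    if portal_thumbprint and portal_thumbprint.replace(":", "").upper() != thumbprint:
        raise ValueError("thumbprint copied from the portal does not match the local server.crt")
    # "certificate" carries the PEM text of server.pem, which the ADAL call consumes directly
    return {"client_id": client_id, "thumbprint": thumbprint, "certificate": key_pem}


def acquire_token(authority_host, tenant, resource, creds):
    """Client-credential flow with the certificate; needs `pip install adal` and network access."""
    import adal  # imported here so the checks above run without the package installed
    context = adal.AuthenticationContext(authority_host + "/" + tenant, api_version=None)
    return context.acquire_token_with_client_certificate(
        resource, creds["client_id"], creds["certificate"], creds["thumbprint"])
```

With real files, pass `open("server.crt").read()` and `open("server.pem").read()` to `build_client_credentials` together with the thumbprint copied from the portal, then hand the result to `acquire_token`.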