如何使用客户端密码通过 Powershell 访问 Azure WebApp
[英]How to access Azure WebApp via Powershell using client secret
问题描述
I have created an WebApp in Azure with Azure Authentication enabled.
我在 Azure 中创建了一个启用了 Azure 身份验证的 WebApp。 This works as expected when authenticating using a user.这在使用用户进行身份验证时按预期工作。 But the WebApp has one specific endpoint that excepts posting JSON data so it can be parsed and represented into a Chart.但是 WebApp 有一个特定的端点,除了发布 JSON 数据之外,它可以被解析并表示为图表。 What I'd like to do is post this data that has been collected by numerous Powershell script.我想做的是发布这些由众多 Powershell 脚本收集的数据。 I can do that if I run the Powershell scripts in the context of a user account, but I would like to authenticate with an SPN (so using the Application ID and the secret key that has been set).如果我在用户帐户的上下文中运行 Powershell 脚本,我可以做到这一点,但我想使用 SPN 进行身份验证(因此使用应用程序 ID 和已设置的密钥)。 Is this even possible?这甚至可能吗? I've tried the code below, which actually does obtain an access token, but when sending it in the header of the post request, I get an我已经尝试了下面的代码,它实际上确实获得了访问令牌,但是在发布请求的标头中发送它时,我得到了一个
"You do not have permission to view this directory or page."
error message.错误信息。
$RequestAccessTokenUri = "https://login.microsoftonline.com/tenantID/oauth2/token"
$ClientId = "Application Id"
$ClientSecret = "Client Secret"
$Resource = "URL of the WebApp"
$body = "grant_type=client_credentials&client_id=$ClientId&client_secret=$ClientSecret&resource=$Resource"
$Token = Invoke-RestMethod -Method Post -Uri $RequestAccessTokenUri -Body $body -ContentType 'application/x-www-form-urlencoded'
$Headers = @{}
$Headers.Add("Authorization","$($Token.token_type) $($Token.access_token)")
$AppUri = $Resource + "/upload/post"
$json = <This will contain the actual JSON objects that will be posted>
invoke-RestMethod -Uri $AppUri -Method Post -Headers $Headers -body $json
Is it even possible to gain access from Powershell to an Azure WebApp by authenticating using an SPN?通过使用 SPN 进行身份验证,是否甚至可以从 Powershell 访问 Azure WebApp? Any help will be much appreciated.任何帮助都感激不尽。
1 个解决方案
解决方案1
0 已采纳 2020-02-07 03:52:56
Is it even possible to gain access from Powershell to an Azure WebApp by authenticating using an SPN?
Yes, it is possible.对的,这是可能的。 But we need to use a session token(not access token) to access app resources.但是我们需要使用会话令牌(而不是访问令牌)来访问应用程序资源。
User the access token to get authenticationToken .使用访问令牌获取authenticationToken 。
Request:要求:
POST https://<appname>.azurewebsites.net/.auth/login/aad HTTP/1.1
Content-Type: application/json
{"id_token":"<token>","access_token":"<token>"}
Response:回复:
{
"authenticationToken": "...",
"user": {
"userId": "sid:..."
}
}
Once you have this session token, you can access protected app resources by adding the X-ZUMO-AUTH header to your HTTP requests获得此会话令牌后,您可以通过将X-ZUMO-AUTH标头添加到 HTTP 请求来访问受保护的应用程序资源
GET https://<appname>.azurewebsites.net/api/products/1
X-ZUMO-AUTH: <authenticationToken_value>
Here is the working powershell script.这是有效的 powershell 脚本。
$RequestAccessTokenUri = "https://login.microsoftonline.com/{tenantId}/oauth2/token"
$ClientId = "{Application Id}"
$ClientSecret = "{client secret}"
$Resource = "{Application Id}"
$body = "grant_type=client_credentials&client_id=$ClientId&client_secret=$ClientSecret&resource=$Resource"
$Token = Invoke-RestMethod -Method Post -Uri $RequestAccessTokenUri -Body $body -ContentType 'application/x-www-form-urlencoded'
#get authentication token url
$RequestAuthenticationTokenUri="https://webapi-productsapp2093.azurewebsites.net/.auth/login/aad"
$bodystr = "{" + '"' + "access_token" + '"' + ":" + '"' + $Token.access_token + '"' + "}"
$authenticationToken=Invoke-RestMethod -Method Post -Uri $RequestAuthenticationTokenUri -Body $bodystr -ContentType 'application/json'
$Headers = @{}
$Headers.Add("X-ZUMO-AUTH",$authenticationToken.authenticationToken)
$website="http://webapi-productsapp2093.azurewebsites.net/api/products/1"
invoke-RestMethod -Uri $website -Method Get -Headers $Headers
Reference:参考:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.