Get Azure Active Directory refresh token for ACR

Question

I've been trying to use the AAD interactive authentication flow in order to list the images in a given Azure Container Registry instance (as detailed here ), which requires both the AAD access token and the AAD refresh token in order to get the refresh/access tokens of the resource itself.

I've assumed that the required AAD access token is a simple access token to 'management.azure.com', which I retrieve with the following code:

from azure.identity import DefaultAzureCredential, InteractiveBrowserCredential
credentials = InteractiveBrowserCredential()
aad_access_token = credentials.get_token('https://management.azure.com/.default')

Which returns a normal access token (eg "eyJ0eX..."). However, I couldn't find any references to fetching a refresh token programmatically; It seems that all Azure SDKs take care of that in the background. Is there any way to get this token, as the authentication flow to the resource itself (ACR) requires both tokens?

If any other programmatic way exists to list the container images without the refresh token, I'll be more than happy to give it a shot.

Also important to note - I am working in an environment where Azure CLI is not functioning, so I must use python SDKs or similar tools and not count on system commands such as 'az login' or 'az get credentials'.

Answer 1

So I had a few misunderstandings regarding the functionality of refresh and access tokens with AAD and Azure resources. With a bit of trial and error, I've found that the following code works just fine:

import requests
from azure.identity import InteractiveBrowserCredential
from pprint import pprint

CATALOG_SCOPE = "registry:catalog:*"
AZURE_MANAGEMENT_SCOPE_URL = 'https://management.azure.com/.default'
ACR_URL = "YOUR_REPO.azurecr.io"


def get_aad_access_token():
    cred = InteractiveBrowserCredential()
    aad_access_token = cred.get_token(AZURE_MANAGEMENT_SCOPE_URL)
    return aad_access_token.token


def get_acr_refresh_token(acr_url, aad_access_token):
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
    }

    data = {
        'grant_type': 'access_token',
        'service': acr_url,
        'access_token': aad_access_token
    }

    response = requests.post(f'https://{acr_url}/oauth2/exchange', headers=headers, data=data)
    acr_refresh_token = json.loads(response.content)
    # pprint(response.__dict__)
    return acr_refresh_token['refresh_token']


def get_acr_access_token(acr_refresh_token, acr_url, scope):
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
    }

    data = {
        'grant_type': 'refresh_token',
        'service': acr_url,
        'scope': scope,
        'refresh_token': acr_refresh_token
    }

    response = requests.post(f'https://{acr_url}/oauth2/token', headers=headers, data=data)
    # pprint(response.__dict__)
    acr_access_token = json.loads(response.content)
    return acr_access_token['access_token']


def list_acr_images(acr_url):
    operation = "/v2/_catalog/"
    aad_access_token = get_aad_access_token()
    acr_refresh_token = get_acr_refresh_token(acr_url, aad_access_token)
    acr_access_token = get_acr_access_token(acr_refresh_token, acr_url, CATALOG_SCOPE)

    headers = {
        'Authorization': f"Bearer {acr_access_token}",
    }

    response = requests.post(f'https://{acr_url}{operation}', headers=headers)
    return json.loads(response.content)


if __name__ == '__main__':
    pprint(list_acr_images(ACR_URL))