Python AAD (Azure Active Directory) Authentication with certificate
I am trying to obtain an access token by authenticating my application against AAD with a certificate. The certificate is installed on my local machine (Windows 10). This authentication is required in order to access an external API.
I am following the steps published on Azure Docs.
Sample code:
import adal
from msrestazure.azure_active_directory import AADTokenCredentials


def authenticate_client_cert():
    """
    Authenticate using service principal w/ cert.
    """
    authority_host_uri = 'https://login.microsoftonline.com'
    tenant = '<TENANT>'
    authority_uri = authority_host_uri + '/' + tenant
    resource_uri = 'https://management.core.windows.net/'
    client_id = '<CLIENT_ID>'
    client_cert = '<CLIENT_CERT>'  ### MISSING THIS
    client_cert_thumbprint = '<CLIENT_CERT_THUMBPRINT>'
    # Client credential flow: the token request is signed with the private key
    # that matches the certificate registered for this app in AAD.
    context = adal.AuthenticationContext(authority_uri, api_version=None)
    mgmt_token = context.acquire_token_with_client_certificate(resource_uri, client_id, client_cert, client_cert_thumbprint)
    credentials = AADTokenCredentials(mgmt_token, client_id)
    return credentials
I have '<CLIENT_ID>', '<TENANT>' and '<CLIENT_CERT_THUMBPRINT>', but I am missing '<CLIENT_CERT>'.
As I understand it, '<CLIENT_CERT>' is the private key, but I cannot export the private key because that is not allowed.
So I am not sure how to authenticate against AAD using this certificate.
If you cannot obtain the private key, you will not be able to authenticate with AAD using this certificate. But you can upload a new certificate yourself and use that one.
<client_cert> should be the name of the key file you generated.
Here is the documentation on Client credentials with certificate in ADAL for python:
Steps to generate certificate and private key to be used when implementing the client credential flow are as follows:
Generate a key:
openssl genrsa -out server.pem 2048
Create a certificate request:
openssl req -new -key server.pem -out server.csr
Generate a certificate:
openssl x509 -req -days 365 -in server.csr -signkey server.pem -out server.crt
You will have to upload this certificate (server.crt) on Azure Portal in your application settings. Once you save this certificate, the portal will give you the thumbprint of this certificate which is needed in the acquire token call. The key will be the server.pem key you generated in the first step.
Now you can create the credential for the client credential flow using certificate in ADAL Python as follows:
client_credentials = {
    "client_id": <your app id>,
    "thumbprint": <thumbprint of cert file>,
    "certificate": <key file name>
}
For example:
{
    "resource": "your_resource",
    "tenant" : "test.onmicrosoft.com",
    "authorityHostUrl" : "https://login.microsoftonline.com",
    "clientId" : "d6835713-b745-48d1-bb62-7a8248477d35",
    "thumbprint" : 'C15DEA8656ADDF67BE8031D85EBDDC5AD6C436E1',
    "certificate" : 'server.pem'
}
Hope this helps!
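As an added example (not part of the question or the answer above): the three openssl steps from the answer wrapped in a script that also derives the thumbprint the portal will display for server.crt and checks that server.pem is really the private key belonging to that certificate before you put it into the acquire token call. It assumes openssl is on PATH; the file names server.pem / server.csr / server.crt follow the answer, and the CN in the request is a made-up value.

```shell
#!/bin/sh
# Example script (not from the original post). Generates the key pair the answer
# describes, prints the SHA-1 thumbprint the Azure portal will show, and confirms
# the private key matches the certificate that gets uploaded. Needs openssl.
set -e

# Step 1-3 of the answer, in a directory of the caller's choice.
# The subject CN is an arbitrary placeholder; -subj avoids the interactive prompt.
make_cert() {
    dir="$1"
    openssl genrsa -out "$dir/server.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/server.pem" -out "$dir/server.csr" \
        -subj "/CN=aad-client-credential-example" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.pem" \
        -out "$dir/server.crt" 2>/dev/null
}

# SHA-1 fingerprint of the certificate in the form the portal prints it:
# 40 uppercase hex characters with the colons removed. This is the value that
# goes into client_cert_thumbprint / "thumbprint".
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed 's/^.*=//; s/://g'
}

# The missing '<CLIENT_CERT>' is the private key; it must belong to the
# certificate registered in AAD, otherwise the signed token request is rejected.
# Key and certificate of the same RSA pair share one modulus.
key_matches_cert() {
    key_mod=$(openssl rsa -in "$1" -noout -modulus)
    cert_mod=$(openssl x509 -in "$2" -noout -modulus)
    [ "$key_mod" = "$cert_mod" ]
}

WORK=$(mktemp -d)
make_cert "$WORK"
THUMB=$(cert_thumbprint "$WORK/server.crt")
echo "thumbprint to compare with the portal: $THUMB"
if key_matches_cert "$WORK/server.pem" "$WORK/server.crt"; then
    echo "server.pem matches server.crt: usable as the client credential key"
else
    echo "server.pem does not match server.crt: the token request would fail" >&2
fi
```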