Reputation: 1755
I'm trying to get an access token by authenticating my app with AAD via a certificate. The certificate is installed on my local machine (Windows 10). This authentication is needed to access an external API.
I'm following the steps posted on Azure Docs
Sample code:
import adal
from msrestazure.azure_active_directory import AADTokenCredentials

def authenticate_client_cert():
    """
    Authenticate using service principal w/ cert.
    """
    authority_host_uri = 'https://login.microsoftonline.com'
    tenant = '<TENANT>'
    authority_uri = authority_host_uri + '/' + tenant
    resource_uri = 'https://management.core.windows.net/'
    client_id = '<CLIENT_ID>'
    # private key belonging to the certificate registered on the app
    client_cert = '<CLIENT_CERT>'  ### MISSING THIS
    # thumbprint shown in the portal for the uploaded certificate
    client_cert_thumbprint = '<CLIENT_CERT_THUMBPRINT>'
    context = adal.AuthenticationContext(authority_uri, api_version=None)
    mgmt_token = context.acquire_token_with_client_certificate(
        resource_uri, client_id, client_cert, client_cert_thumbprint)
    credentials = AADTokenCredentials(mgmt_token, client_id)
    return credentials
I have '<CLIENT_ID>', '<TENANT>' and '<CLIENT_CERT_THUMBPRINT>', but I'm missing '<CLIENT_CERT>'.
From my understanding, '<CLIENT_CERT>' is the private key, but I cannot export the private key because it's not allowed.
So I'm not sure how I can get authenticated from AAD with this certificate.
Upvotes: 1
Views: 3536
Reputation: 9411
If you cannot get the private key, you won't use this cert to get authenticated with AAD. But you can upload a new cert by yourself and use it.
The <client_cert> should be the name of the key file which you generated.
Here is a documentation about Client credentials with certificate in ADAL for python:
Steps to generate certificate and private key to be used when implementing the client credential flow are as follows:
Generate a key:
openssl genrsa -out server.pem 2048
Create a certificate request:
openssl req -new -key server.pem -out server.csr
Generate a certificate:
openssl x509 -req -days 365 -in server.csr -signkey server.pem -out server.crt
You will have to upload this certificate (server.crt) on Azure Portal in your application settings. Once you save this certificate, the portal will give you the thumbprint of this certificate which is needed in the acquire token call. The key will be the server.pem key you generated in the first step.
Now you can create the credential for the client credential flow using certificate in ADAL Python as follows:
client_credentials = { "client_id": <your app id>, "thumbprint": <thumbprint of cert file>, "certificate": <key file name> }
For example:
{
    "resource": "your_resource",
    "tenant": "test.onmicrosoft.com",
    "authorityHostUrl": "https://login.microsoftonline.com",
    "clientId": "d6835713-b745-48d1-bb62-7a8248477d35",
    "thumbprint": "C15DEA8656ADDF67BE8031D85EBDDC5AD6C436E1",
    "certificate": "server.pem"
}
Hope this helps!
Upvotes: 2
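As an added example (not the asker's code and not part of ADAL itself), the helpers below assemble the three values the client credential flow needs from the server.pem / server.crt pair produced by the openssl steps above: they derive the certificate thumbprint locally (SHA-1 over the DER certificate, upper-case hex, the form the portal displays) so it can be checked against what the portal shows, verify that the key file really contains a PEM private key, and pass the key file contents to acquire_token_with_client_certificate. SAMPLE_CERT_PEM and SAMPLE_KEY_PEM are constructed stand-ins, not real credentials.

```python
import base64
import hashlib
import re

# Constructed stand-in for server.crt: a PEM wrapper around a few arbitrary bytes,
# NOT a real X.509 certificate. It only exercises the PEM/thumbprint helpers offline.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBAQIBAQ==\n-----END CERTIFICATE-----\n"
# Constructed stand-in for server.pem (header only, no real key material).
SAMPLE_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"


def pem_to_der(pem_text, label="CERTIFICATE"):
    """Return the DER bytes of the first PEM block carrying the given label."""
    pattern = r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label)
    match = re.search(pattern, pem_text, re.S)
    if not match:
        raise ValueError("no %s block found" % label)
    return base64.b64decode("".join(match.group(1).split()))


def certificate_thumbprint(cert_pem):
    """SHA-1 of the DER certificate as 40 upper-case hex chars (portal format)."""
    return hashlib.sha1(pem_to_der(cert_pem)).hexdigest().upper()


def thumbprint_matches(cert_pem, shown):
    """Compare against a thumbprint copied from the portal or from
    'openssl x509 -fingerprint', tolerating colons and lower case."""
    normalised = shown.replace(":", "").replace(" ", "").upper()
    return normalised == certificate_thumbprint(cert_pem)


def has_pem_private_key(key_pem):
    """True if the text contains a PEM private-key block (RSA or PKCS#8)."""
    return re.search(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----", key_pem) is not None


def build_client_credentials(client_id, cert_pem, key_pem):
    """Assemble what ADAL expects: the key *contents* plus the derived thumbprint."""
    if not has_pem_private_key(key_pem):
        raise ValueError("key file does not contain a PEM private key")
    return {"client_id": client_id, "thumbprint": certificate_thumbprint(cert_pem),
            "certificate": key_pem}


def acquire_token(tenant, resource, creds, authority_host="https://login.microsoftonline.com"):
    """Network call; imported lazily so the helpers above run without adal installed."""
    import adal  # pip install adal
    context = adal.AuthenticationContext(authority_host + "/" + tenant, api_version=None)
    return context.acquire_token_with_client_certificate(
        resource, creds["client_id"], creds["certificate"], creds["thumbprint"])
```

To use it with real files, read server.crt and server.pem into strings and pass them to build_client_credentials, then hand the result to acquire_token.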