Question
Following are the points, with reference to the Azure Network API:
The following information is common to all tasks:
- Replace {api-version} with 2015-06-15.
- Replace {subscription-id} with your subscription identifier in the URI.
- Replace {resource-group-name} with the resource group. For more information, see Using Resource groups to manage your Azure resources.
- Set the Content-Type header to application/json.
- Set the Authorization header to a JSON Web Token that you obtain from Azure Active Directory.
I am confused about the 5th point. Can you please guide me on how to get an access token using Azure Active Directory?
Answer 1:
Azure Active Directory is built upon the OAuth authentication protocols, as defined in RFC 6749, The OAuth 2.0 Authorization Framework.
The concept behind using tokens is that you can authenticate to a central authority and then have permissions granted to a separate system without needing to give that system your credentials.
[Flow diagram from "Service to Service Calls Using Client Credentials"]
In this case, if the server that was called in step 3 were compromised, the credentials would still be safe, and the attacker would only have access to resources until the token expired. Hence tokens are generally short-lived.
You can obtain a token by making a POST request to login.microsoftonline.com with the following content:
POST /contoso.com/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=625bc9f6-3bf6-4b6d-94ba-e97cf07a22de&client_secret=qkDwDJlDfig2IpeuUZYKH1Wb8q1V0ju6sILxQQqhJ+s=&resource=https%3A%2F%2Fservice.contoso.com%2F
Which will produce the following response:
{
  "access_token": "eyJhbGciOiJSUzI1NiIsIng1dCI6IjdkRC1{shorted}",
  "token_type": "Bearer",
  "expires_in": "3599",
  "expires_on": "1388452167",
  "resource": "https://service.contoso.com/"
}
From this you can take the access token and use it in your application.
This is the authentication flow for Azure, and it is not possible to change it to simply use a pre-configured token. Even if you use a certificate, you still obtain a token with it and use that to authorise against resources.
Answer 2:
You need to create an Azure AD service principal and then retrieve the authentication (JWT) token. The sample script below demonstrates creating an Azure AD service principal via PowerShell. For a more detailed walkthrough, please reference the guidance at https://azure.microsoft.com/en-us/documentation/articles/resource-group-authenticate-service-principal/#authenticate-service-principal-with-password—powershell. It is also possible to create a service principal via the Azure portal.
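The exchange described in this answer, carried out from a client and then reused, as an added Go example (Go because the asker mentions it later; this is not code from either answer, nor Microsoft's own library). It POSTs the same form-encoded client_credentials body, parses the response shown above (note that expires_in is a JSON string, not a number), caches the short-lived token and requests a fresh one only when it is about to expire, then sets the Authorization and Content-Type headers the question's list requires. The field names, the 5-minute refresh margin, and the offline stand-in for login.microsoftonline.com (newFakeTokenEndpoint, which answers with a constructed token and rejects a wrong client_secret) are all assumptions of this example; against the real endpoint TokenURL would be https://login.microsoftonline.com/{tenant}/oauth2/token and the secret would come from configuration rather than source.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"strings"
	"sync"
	"time"
)

// TokenProvider holds the values of the client_credentials POST body and caches
// the short-lived token it receives, refreshing it before expiry.
type TokenProvider struct {
	TokenURL, ClientID, ClientSecret, Resource string
	client                                     *http.Client
	mu                                         sync.Mutex
	token                                      string
	expires                                    time.Time
}

// fetch POSTs the form-encoded body shown in the answer and validates the reply.
func (p *TokenProvider) fetch() (string, time.Duration, error) {
	form := url.Values{"grant_type": {"client_credentials"}, "client_id": {p.ClientID},
		"client_secret": {p.ClientSecret}, "resource": {p.Resource}}
	resp, err := p.client.Post(p.TokenURL, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return "", 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", 0, fmt.Errorf("token endpoint returned %s", resp.Status)
	}
	// The JSON in the answer carries expires_in as a string, not a number.
	var tr struct {
		AccessToken string `json:"access_token"`
		TokenType   string `json:"token_type"`
		ExpiresIn   string `json:"expires_in"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return "", 0, fmt.Errorf("decoding token response: %w", err)
	}
	secs, err := strconv.Atoi(tr.ExpiresIn)
	if !strings.EqualFold(tr.TokenType, "Bearer") || tr.AccessToken == "" || err != nil || secs <= 0 {
		return "", 0, fmt.Errorf("unusable token response: type=%q expires_in=%q", tr.TokenType, tr.ExpiresIn)
	}
	return tr.AccessToken, time.Duration(secs) * time.Second, nil
}

// Token returns the cached token, requesting a new one when under 5 minutes remain
// (assumed margin), so a token is not fetched on every API call.
func (p *TokenProvider) Token() (string, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if p.token != "" && time.Now().Add(5*time.Minute).Before(p.expires) {
		return p.token, nil
	}
	tok, ttl, err := p.fetch()
	if err != nil {
		return "", err
	}
	p.token, p.expires = tok, time.Now().Add(ttl)
	return tok, nil
}

// Authorize sets the two headers the question's common-to-all-tasks list requires.
func (p *TokenProvider) Authorize(req *http.Request) error {
	tok, err := p.Token()
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+tok)
	req.Header.Set("Content-Type", "application/json")
	return nil
}

// newFakeTokenEndpoint is a constructed stand-in for login.microsoftonline.com so the
// example runs offline; it counts requests and rejects a wrong client_secret.
func newFakeTokenEndpoint(secret string, calls *int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		*calls++
		if r.Method != http.MethodPost || r.FormValue("grant_type") != "client_credentials" || r.FormValue("client_secret") != secret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"access_token":"eyJhbGciOiJSUzI1NiIs.constructed","token_type":"Bearer","expires_in":"3599","expires_on":"1388452167","resource":"https://management.core.windows.net/"}`)
	}))
}

func main() {
	calls := 0
	srv := newFakeTokenEndpoint("constructed-secret", &calls)
	defer srv.Close()
	p := &TokenProvider{TokenURL: srv.URL + "/contoso.com/oauth2/token", ClientID: "constructed-client-id", ClientSecret: "constructed-secret", Resource: "https://management.core.windows.net/", client: srv.Client()}
	// Placeholder subscription id; the real request goes to the Network API URI from the question.
	req, _ := http.NewRequest(http.MethodGet, "https://management.azure.com/subscriptions/placeholder-subscription-id/providers/Microsoft.Network/virtualNetworks?api-version=2015-06-15", nil)
	if err := p.Authorize(req); err != nil {
		panic(err)
	}
	fmt.Println(req.Header.Get("Authorization"), "token endpoint calls:", calls)
}
```

Two points worth noticing: the response is not trusted until it carries a Bearer token with a positive lifetime, and the cache means a compromise of the calling service exposes only the current token until it expires, which is the property the answer describes.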
# Service principal password and target subscription (fill in your own values)
$pwd = "[your-service-principal-password]"
$subscriptionId = "[your-azure-subscription-id]"
# Sign in interactively as a user who can create applications and assign roles
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionId $subscriptionId
# Register the Azure AD application that the service principal will belong to
$azureAdApplication = New-AzureRmADApplication `
-DisplayName "Demo Web name" `
-HomePage "https://localhost/webdemo" `
-IdentifierUris "https://localhost/webdemo" `
-Password $pwd
# Create the service principal and grant it only the Reader role on the subscription
New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId
New-AzureRmRoleAssignment -RoleDefinitionName Reader -ServicePrincipalName $azureAdApplication.ApplicationId
# Verify the new identity by signing in as the service principal (enter $pwd when prompted)
$subscription = Get-AzureRmSubscription -SubscriptionId $subscriptionId
$creds = Get-Credential -UserName $azureAdApplication.ApplicationId -Message "Please use your service principal credentials"
Login-AzureRmAccount -Credential $creds -ServicePrincipal -TenantId $subscription.TenantId
I'm not familiar with GoLang, but you can refer to the following .NET code to retrieve the access token for your application.
using System;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

public static string GetAccessToken()
{
    // Authority for your tenant; the token is issued for the Azure management resource
    var authenticationContext = new AuthenticationContext("https://login.windows.net/{tenantId or tenant name}");
    // Client id and password of the service principal created above
    var credential = new ClientCredential(clientId: "{client id}", clientSecret: "{application password}");
    var result = authenticationContext.AcquireToken(resource: "https://management.core.windows.net/", clientCredential: credential);
    if (result == null) {
        throw new InvalidOperationException("Failed to obtain the JWT token");
    }
    // Send this value as "Authorization: Bearer <token>" on each REST call
    string token = result.AccessToken;
    return token;
}
Source: https://stackoverflow.com/questions/36981893/how-to-get-access-token-in-azure-for-network-rest-api