Problem description
Show, in Python, how to obtain an Access Token for a target resource from Azure AD.
To learn how to obtain the client id, client secret and tenant id from AAD, see step one of the post 【Azure Developer】Python代碼通過AAD認證訪問微軟Azure密鑰保管庫(Azure Key Vault)中機密信息(Secret) (Python code accessing secrets in Azure Key Vault through AAD authentication).
Code
Method one: using azure.identity
1) Call ClientSecretCredential with client_id, client_secret, tenant_id and authority=AzureAuthorityHosts.AZURE_CHINA to initialize the credentials object.
2) Call the object's get_token method. Pay special attention to the scopes argument, e.g. "https://microsoftgraph.chinacloudapi.cn/.default"; if .default is missing, a parameter error is raised (see the [Problems encountered] section).
print("方式一: ClientSecretCredential")
# AzureAuthorityHosts must be imported as well, otherwise the authority= line fails with a NameError
from azure.identity import ClientSecretCredential, AzureAuthorityHosts
credentials = ClientSecretCredential(
    client_id='xxxxxxxx-xxxx-xxxx-xxxx-76f50363af33',
    client_secret='.~xxxx.xxxx~xxxx~xxxx',  # placeholder; never paste a real client secret into code or a blog post
    tenant_id='xxxxxxxx-xxxx-xxxx-xxxx-1316152d9587',
    authority=AzureAuthorityHosts.AZURE_CHINA)  # 21Vianet (Azure China) login endpoint
# scopes are positional; the resource URI must end in /.default
token = credentials.get_token("https://microsoftgraph.chinacloudapi.cn/.default")
print(token)  # AccessToken(token='...', expires_on=...)
Method two: using azure.common.credentials
Call ServicePrincipalCredentials, likewise passing client_id, secret, tenant, resource and china=True, to initialize the credentials object.
Read the access_token field from the credentials object's token: credentials.token['access_token'].
print("方式二: ServicePrincipalCredentials")
from azure.common.credentials import ServicePrincipalCredentials
credentials = ServicePrincipalCredentials(
    client_id='xxxxxxxx-xxxx-xxxx-xxxx-76f50363af33',
    secret='.~xxxx.xxxx~xxxx~xxxx',  # placeholder client secret
    tenant='xxxxxxxx-xxxx-xxxx-xxxx-1316152d9587',
    resource='https://microsoftgraph.chinacloudapi.cn/',  # here the resource URI is passed directly, no /.default
    china=True)  # boolean; selects the Azure China cloud endpoints
access_token = credentials.token['access_token']
print(access_token)
Methods one and two produce the same result.
PS: https://jwt.io/ can decode the token so that its contents can be read in plain form.
Problems encountered
Error one: get_token reports "requires at least one scope".
Traceback (most recent call last):
  File "client.py", line 7, in <module>
    print(credentials.get_token(scopes=""))
  File "C:\Users\bulu\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.8_qbz5n2kfra8p0\LocalCache\local-packages\Python38\site-packages\azure\identity\_internal\get_token_mixin.py", line 64, in get_token
    raise ValueError('"get_token" requires at least one scope')
ValueError: "get_token" requires at least one scope
The cause of the error is an incorrect scope argument. Pass "https://microsoftgraph.chinacloudapi.cn/.default", carrying the .default suffix.
The /.default scope is built in for every application that refers to the static list of permissions configured on the application registration. Source: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#the-default-scope
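An added example, not code from the original post: it wraps the scope rule from the two sections above into a helper, acquires the Graph (China) token the same way as method one, and decodes the token's claims locally (the offline counterpart of jwt.io) to check audience and expiry before the token is used. The function names, the constructed sample token and the assumption that aud carries the resource URI are mine; the azure.identity import is deferred so the helpers run without the SDK installed.

```python
import base64
import json
import time

GRAPH_CHINA = "https://microsoftgraph.chinacloudapi.cn"

def to_default_scope(resource):
    """Map a resource URI (trailing slash or not) to the '/.default' scope get_token needs."""
    resource = resource.rstrip("/")
    return resource if resource.endswith("/.default") else resource + "/.default"

def make_sample_token(claims):
    """Constructed, unsigned JWT ('alg': 'none') for offline demonstration only."""
    def b64url(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return "%s.%s." % (b64url({"alg": "none", "typ": "JWT"}), b64url(claims))

def decode_jwt_payload(token):
    """Read the claims without verifying the signature: inspection only,
    the offline equivalent of pasting the token into jwt.io."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token, resource, now=None):
    """Return the problems found: audience not the requested resource, or expired.
    Assumes 'aud' is the resource URI string (some token versions carry an app id instead)."""
    claims = decode_jwt_payload(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud", "").rstrip("/") != resource.rstrip("/"):
        problems.append("aud %r is not %s" % (claims.get("aud"), resource))
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def get_china_graph_token(client_id, client_secret, tenant_id):
    """Acquire a Graph (China) token as in method one, with the scope normalised first."""
    from azure.identity import AzureAuthorityHosts, ClientSecretCredential
    cred = ClientSecretCredential(tenant_id=tenant_id, client_id=client_id,
                                  client_secret=client_secret,
                                  authority=AzureAuthorityHosts.AZURE_CHINA)
    # get_token(*scopes) takes scopes positionally; get_token(scopes="...") lands in
    # **kwargs and leaves no scope at all, which is the ValueError in the traceback above.
    return cred.get_token(to_default_scope(GRAPH_CHINA)).token
```

Run check_token on the value returned by get_china_graph_token before calling Graph; an empty list means the audience and expiry are as expected.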
References
The /.default scope: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#the-default-scope
identity Package: https://docs.microsoft.com/zh-cn/python/api/azure-identity/azure.identity?view=azure-python
AzureAuthorityHosts Class:https://docs.microsoft.com/zh-cn/python/api/azure-identity/azure.identity.azureauthorityhosts?view=azure-python
When facing problems in a complex environment, the way of investigating things is: what is turbid, stillness slowly clears; what is still, motion slowly brings to life. In the cloud it is just so!
Tags: azure.identity and azure.common.credentials, azure python, Azure Developer