Azure Service Management API authentication using Azure Active Directory Oauth

Problem description

I'd like to authenticate to the Azure Service Management API using Azure AD through curl.

I set up an application within my default directory. In this free trial subscription that's the only directory I have.

When I target the oauth token endpoint I receive a JWT.

    curl --data "grant_type=client_credentials&client_id=<my_client_id>&client_secret=<my_encoded_secret>&resource=https%3A%2F%2Fmanagement.core.windows.net" https://login.windows.net/<my_tenant_id>/oauth2/token

But when I use that token to list my subscription details I receive an error:

    curl -H "x-ms-version: 2014-06-01" \
         -H "Authorization: Bearer <my_token>" \
         https://management.core.windows.net/<my_subscription_id>/

    <Error xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
      <Code>ForbiddenError</Code>
      <Message>The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.</Message>
    </Error>

I have granted permissions to the Service Management API for the application as "Delegated permissions", because "Application permissions" are not available.

What am I missing?

Solution

This isn't possible due to the Application Permissions: 0 setting for the Service Management API. The client_credentials grant type uses credentials from the application (client_id and client_secret), and since the application does not have permissions for this API the call fails.

Since the Service Management API will not allow application permissions of any kind, we must use the authorization_code grant type or some other method to obtain a user token.
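
The authorization_code flow the answer points to, as an added example that is not part of the original question or answer: it builds the two requests against the same endpoints and resource used in the question, and inspects a returned JWT to tell an app-only token from a delegated one. The function names, the `redirect_uri` and `state` values, and the reliance on the `scp` claim to mark a delegated token are assumptions of this sketch; the sample tokens are constructed and unsigned.

```python
import base64
import json
from urllib.parse import urlencode

# Values taken from the question's curl command.
AUTHORITY = "https://login.windows.net"
RESOURCE = "https://management.core.windows.net"

def authorize_url(tenant_id, client_id, redirect_uri, state):
    """Step 1: URL the user opens in a browser to sign in and consent."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # assumption: registered on the application
        "resource": RESOURCE,
        "state": state,  # random per-request value, compared on the redirect
    })
    return f"{AUTHORITY}/{tenant_id}/oauth2/authorize?{query}"

def code_exchange_body(client_id, client_secret, redirect_uri, code):
    """Step 2: form body for POST /oauth2/token, replacing client_credentials."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "resource": RESOURCE,
    })

def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_kind(token):
    """'delegated' if the token carries user scopes (scp), else 'app-only'."""
    return "delegated" if jwt_claims(token).get("scp") else "app-only"

def make_sample_token(claims):
    """Constructed, unsigned sample token (not a real Azure AD token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

if __name__ == "__main__":
    app = make_sample_token({"appid": "constructed-app-id"})
    user = make_sample_token({"scp": "user_impersonation"})
    print(token_kind(app), token_kind(user))
```

Running `token_kind` on the token from the question's client_credentials request is a quick way to confirm it carries no user scopes before retrying with a token obtained through the code exchange.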
