Reusing a token obtained from InteractiveBrowserCredential

Question

I am running this code to obtain a Bearer token from the InteractiveBrowserCredential and log in to Azure Blob Storage:

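from azure.identity import InteractiveBrowserCredential
from azure.storage.blob import BlobServiceClient

cred = InteractiveBrowserCredential(authority="login.microsoftonline.com", tenant_id="**", client_id="**")
# get_token() is called without a scope argument, as in the original post
token = cred.get_token()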

print(token)

blobber = BlobServiceClient(account_url="https://**.blob.core.windows.net", credential=cred)

blobs = blobber.list_containers()
for b in blobs:
    print(b)

This works fine.

I am trying to reuse the token in another call, this time a direct REST interaction:

import requests

auth_header = ("Authorization", "Bearer " + "***")
version = ("x-ms-version", "2017-11-09")
response = requests.get("https://***.blob.core.windows.net/?comp=list", headers=dict([auth_header, version]))

I get a 403 response:

Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.

According to official documentation, this should be working.

What am I missing?

Recommended answer

According to my research, when you request an AD access token and call Azure Blob Storage, the scope must contain https://storage.azure.com/user_impersonation or https://storage.azure.com/.default. For more details, please refer to the document. In other words, the request URL should look like

https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/authorize?client_id=<>
&scope=https://storage.azure.com/user_impersonation
&...

But when I run cred.get_token(), the request URL looks like the one below. The scope does not contain https://storage.azure.com/user_impersonation or https://storage.azure.com/.default. So you cannot call the Azure Blob REST API with the token.

https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/authorize?
client_id=<>
&scope=offline_access openid profile&state=204238ac-4fcd-44f2-9eed-528ab4d9c37
&...

Meanwhile, in my test, if we run the code blob_service_client = BlobServiceClient(account_url="https://blobstorage0516.blob.core.windows.net/", credential=cred), the request URL is

https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/authorize?
client_id=<>
&scope=https://storage.azure.com/.default offline_access openid profile&state=204238ac-4fcd-44f2-9eed-528ab4d9c37
&...
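
The scope mismatch described in this answer can be checked locally before a token is sent to the REST endpoint. The following is an added example, not code from the original question or answer: it requests the token with the storage scope passed explicitly and inspects the token's claims. It assumes the access token is a JWT whose `aud` claim is `https://storage.azure.com` for that scope; `FakeCredential` and `make_token` are hypothetical, constructed stand-ins for the real credential so the code runs offline.

```python
import base64
import json
import time
from collections import namedtuple

STORAGE_SCOPE = "https://storage.azure.com/.default"  # scope named in the answer
STORAGE_AUDIENCE = "https://storage.azure.com"        # assumed 'aud' for that scope

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def storage_token_problems(token, now=None):
    """List reasons the token is unfit for Blob storage; an empty list means none found."""
    claims = jwt_claims(token)
    problems = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud != STORAGE_AUDIENCE:
        problems.append(f"audience is {aud!r}, expected {STORAGE_AUDIENCE!r}")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token has expired")
    return problems

def storage_headers(credential):
    """Request a storage-scoped token and build the headers used in the question."""
    token = credential.get_token(STORAGE_SCOPE).token  # scope passed explicitly
    problems = storage_token_problems(token)
    if problems:
        raise ValueError("; ".join(problems))  # report claims, never the token itself
    return {"Authorization": "Bearer " + token, "x-ms-version": "2017-11-09"}

# Constructed stand-ins so the example runs offline without a browser sign-in.
AccessToken = namedtuple("AccessToken", "token expires_on")

def make_token(aud, exp):
    """Build an unsigned JWT-shaped string (constructed sample, not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"aud": aud, "exp": exp}), "sig"])

class FakeCredential:
    """Hypothetical stand-in for InteractiveBrowserCredential."""
    def get_token(self, *scopes):
        exp = int(time.time()) + 3600
        return AccessToken(make_token(scopes[0].rsplit("/", 1)[0], exp), exp)
```

With the real library, pass the `InteractiveBrowserCredential` instance to `storage_headers` in place of `FakeCredential()` and hand the returned dictionary to `requests.get`.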
