How to access the Azure Digital Twins API using a Service Principal?

Problem description

My use case is: whenever I get a trigger from Cosmos DB in Azure Functions, I need to interact with the Azure Digital Twins APIs without any human interaction.
From the link below, I understood that we can use a service principal to achieve this.
Is it possible to configure Azure Digital Twins API access for a Daemon App?

But I don't know how to authenticate the service principal with the Digital Twins APIs.
1) What type of authentication is required, and what will the flow be?
2) If it is OAuth2, what is the grant type and scope for accessing Digital Twins?

Thanks in advance.

Solution

There is an (almost) undocumented way to use the Digital Twins API without an On-Behalf-Of flow. I use it for automated tasks to manipulate the contents of ADT or to give certain applications read-only view of the data. It all starts with a role assignment. See this snippet from the YAML that I use to provision my ADT instance when I first make it.

- roleId: 98e44ad7-28d4-4007-853b-b9968ad132d1 # Space Administrator
  objectId: abcd1234-5556-44a2-1234-402dbd999619 # Service Principal object ID
  objectIdType: ServicePrincipalId
  tenantId: 1234567-8901-2345-abcd-123456789 # Azure subscription tenant

The ServicePrincipalId object type is described on this page but is never mentioned in any of the samples again. This snippet gives Space Administrator rights to a service principal. You can then use a client secret to retrieve an access token that will allow you access to ADT. When making an app registration for ADT in your Azure Active Directory, go to Certificates & Secrets and make a new client secret.

The next step is to retrieve the objectId of the Service Principal, this is not the objectId of the application registration. When you go to the Overview tab of your App Registration you can copy the Application ID and perform the following command in the cloud console:

az ad sp show --id {the id you copied}

This will show a lot of details about your Service Principal, including the objectId. Copy this as well. Almost there; to retrieve an access token you need 4 things:

  1. Authority: https://login.microsoftonline.com/{your tenant id}
  2. ClientId: The application id of your app registration.
  3. ClientSecret: The client secret you created.
  4. DigitalTwinsAppId: This is always 0b07f429-9f4b-4714-9392-cc5e8e80c8b0

Retrieving the Access Token in .NET Core

using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL.NET

// Authority, ClientId, ClientSecret and DigitalTwinsAppId are the four values listed above.
// Client-credentials flow: the app authenticates as itself, no user sign-in involved.
var authContext = new AuthenticationContext(Authority);
var clientCredential = new ClientCredential(ClientId, ClientSecret);
// The "resource" is the Digital Twins app id, not your own application id.
var result = await authContext.AcquireTokenAsync(DigitalTwinsAppId, clientCredential);
return result.AccessToken;

Add that to your headers (HttpClient example below) and you are good to go!

httpClient.DefaultRequestHeaders.Add("Authorization", "Bearer " + accessToken);
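The answer's ADAL call hides the actual OAuth2 exchange, which is what the asker's second question is about. The example below is added here and is not code from the answer or from any Azure SDK: it builds the same request ADAL sends to the Azure AD v1 token endpoint (grant_type=client_credentials, with the target API named by `resource`, which is the fixed Digital Twins app id from the answer), then runs the checks a practitioner wants before attaching the token to a request: the `aud` claim must be the ADT app id (a token requested for your own app id is the usual mistake), `appid` must be your service principal's client id, and `exp` must be in the future. The `post_form` transport and `make_fake_jwt` helper are assumptions for illustration; the JWT used in the usage is constructed, not a real Azure AD token, and the transport is swapped out so the flow runs offline.

```python
"""Raw OAuth2 client-credentials flow for the Azure Digital Twins API.

Added example, not part of the original answer. Network access is isolated
behind a transport function so the flow can be exercised offline with a
constructed token response.
"""
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Fixed resource id of the Azure Digital Twins API (given in the answer above).
DIGITAL_TWINS_APP_ID = "0b07f429-9f4b-4714-9392-cc5e8e80c8b0"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the v1 token endpoint that ADAL talks to.

    grant_type=client_credentials is the daemon/no-user grant; on the v1
    endpoint the target API is named by `resource`, not by a scope.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": DIGITAL_TWINS_APP_ID,
    })
    return url, body


def post_form(url, body):
    """Real transport (assumed helper): POST the form, return parsed JSON."""
    req = Request(url, data=body.encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode a JWT payload without verifying the signature: the client just
    received it over TLS from the issuer; the API, not the client, verifies it."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_token_for_adt(token, client_id, now=None):
    """Return a list of problems (empty means the token is usable against ADT)."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    problems = []
    if claims.get("aud") != DIGITAL_TWINS_APP_ID:
        problems.append(f"aud is {claims.get('aud')!r}, not the ADT app id")
    if claims.get("appid") != client_id:
        problems.append("appid does not match the service principal's client id")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def acquire_adt_token(tenant_id, client_id, client_secret, transport=post_form):
    """Full flow: request, then validate before handing the token out."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    token = transport(url, body)["access_token"]
    problems = check_token_for_adt(token, client_id)
    if problems:
        raise RuntimeError("; ".join(problems))
    return token


def authorization_header(token):
    """The header the answer adds to HttpClient; note the space after 'Bearer'."""
    return {"Authorization": "Bearer " + token}


def make_fake_jwt(claims):
    """Constructed, unsigned JWT-shaped string for offline use only."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + ".sig"


if __name__ == "__main__":
    # Offline usage with a constructed token response (no call to Azure AD).
    fake = make_fake_jwt({"aud": DIGITAL_TWINS_APP_ID, "appid": "my-client-id",
                          "exp": 4102444800})
    tok = acquire_adt_token("my-tenant", "my-client-id", "s3cret",
                            transport=lambda u, b: {"access_token": fake})
    print(authorization_header(tok))
```

Against a real tenant, drop the `transport=` override so `post_form` is used, and pass the client secret in from configuration or a Key Vault reference rather than code. The `appid` check applies to v1 tokens, which is what this endpoint issues; v2 tokens carry the caller's client id in `azp` instead.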
