5

I’m trying to get an access token via the azure-identity Python package for accessing an Azure service. I did the app registration in Azure AD and I have the following C# code, which works as expected:

// AuthenticationContext / ClientCredential come from the ADAL library:
using Microsoft.IdentityModel.Clients.ActiveDirectory;

private static async Task<string> GetAccessToken(string aasUrl)
{
    var tenantId = "<>";
    var appId = "<>";
    var appSecret = "<>";
    string authorityUrl = $"https://login.microsoftonline.com/{tenantId}";

    var authContext = new AuthenticationContext(authorityUrl);

    // Config for OAuth client credentials
    var clientCred = new ClientCredential(appId, appSecret);
    // aasUrl is the v1.0 "resource" the token is requested for
    AuthenticationResult authenticationResult = await authContext.AcquireTokenAsync(aasUrl, clientCred);

    // get access token
    return authenticationResult.AccessToken;
}

But when I try to redo the C# in Python, I can’t get get_token(scope: str) to work… I simply do not get what scope to pass into the get_token function.

from azure.identity import ClientSecretCredential

tenant_id = "<>"
client_id = "<>"
client_secret = "<>"
authority = 'https://login.microsoftonline.com'

credential = ClientSecretCredential(tenant_id, client_id, client_secret, authority=authority)

token = credential.get_token("<scope>")  # scope?

When I use the .NET Microsoft.IdentityModel.Clients.ActiveDirectory library I don’t have to think about scope.

SCOUT

3 Answers

5

When I use the .NET Microsoft.IdentityModel.Clients.ActiveDirectory library I don’t have to think about scope.

Actually, you have thought about it. When you use the code below via the .NET SDK, there is an aasUrl; this is the equivalent you need to specify in the Python SDK.

AuthenticationResult authenticationResult = await authContext.AcquireTokenAsync(aasUrl, clientCred);

With Microsoft.IdentityModel.Clients.ActiveDirectory, the method AcquireTokenAsync essentially uses the Azure AD client credential flow v1.0 endpoint to get the token, so this parameter is named resource, i.e. the resource parameter in the method AcquireTokenAsync(String, ClientCredential).

In the Python SDK azure.identity, the method get_token essentially uses the Azure AD client credential flow v2.0 endpoint to get the token. When the v1.0 endpoint migrates to v2.0 there are some changes; one of them is that resource changed to scope, see this doc. When using scope, you need to specify the permission you want to access; you can also use /.default, then by default all the permissions added to the app will be requested.

So in your case, you just need to use the scope aasUrl/.default, e.g. https://management.azure.com/.default; it depends on your case.

token = credential.get_token("https://management.azure.com/.default")

I also tested the code on my side; it works fine.

Joy Wang
  • Bear in mind if you want to use the token in a request, you have to use `token.token`, for example `requests.get(url, headers={"Authorization": f"Bearer {token.token}"})` – asmaier Feb 08 '22 at 09:47
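The answer above maps the ADAL v1.0 `resource` to a v2.0 scope by appending `/.default`, and the comment notes that the request must carry `token.token`, not the `AccessToken` object. The helper below is an added example, not code from the original post or from azure-identity itself: it derives the scope string from a resource (trimming a trailing slash, and leaving an already-suffixed scope alone), builds the Bearer header, and refuses to reuse a token that is about to expire. `acquire_token` assumes azure-identity is installed and that the credentials live in the environment variables `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_CLIENT_SECRET` (names assumed here, not prescribed by the page); it is the only part that touches the network.

```python
from __future__ import annotations

import os
import time


def resource_to_scope(resource: str) -> str:
    """Map an ADAL v1.0 'resource' (an App ID URI such as
    https://management.azure.com, or a bare application id) to the
    v2.0 scope string that azure-identity's get_token expects."""
    resource = resource.strip()
    if not resource:
        raise ValueError("resource must not be empty")
    if resource.endswith("/.default"):
        return resource  # already a v2.0 scope, do not double the suffix
    return resource.rstrip("/") + "/.default"


def bearer_header(access_token: str) -> dict[str, str]:
    """Header for the outgoing request. azure-identity returns an AccessToken
    object, so callers pass token.token (the string), never the object."""
    return {"Authorization": f"Bearer {access_token}"}


def token_usable(expires_on: int, now: float | None = None, skew_seconds: int = 300) -> bool:
    """Treat a token as unusable once it is within skew_seconds of expiry,
    so a slow request does not arrive with an expired credential."""
    now = time.time() if now is None else now
    return expires_on - now > skew_seconds


def acquire_token(resource: str) -> tuple[str, int]:
    """Client-credentials flow via azure-identity. Requires the package and
    the assumed environment variables below; never hard-code the secret."""
    from azure.identity import ClientSecretCredential  # optional dependency, imported lazily

    credential = ClientSecretCredential(
        tenant_id=os.environ["AZURE_TENANT_ID"],
        client_id=os.environ["AZURE_CLIENT_ID"],
        client_secret=os.environ["AZURE_CLIENT_SECRET"],
    )
    token = credential.get_token(resource_to_scope(resource))
    return token.token, token.expires_on


if __name__ == "__main__":
    access_token, expires_on = acquire_token("https://management.azure.com")
    headers = bearer_header(access_token)
    print("token usable:", token_usable(expires_on), "expires_on:", expires_on)
```

The lazy import keeps the pure helpers testable without the SDK; the expiry skew is a defensive default, since `AccessToken.expires_on` is a Unix timestamp and the SDK itself does not stop you from sending a stale token.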
0

If you are using the Graph API you could use:

https://graph.microsoft.com/.default

https://graph.microsoft.com/Directory.Read

https://graph.microsoft.com/user_impersonation

If you are using the Azure Resource Manager API then the base URI would be https://management.core.windows.net followed by the necessary permission.

If you want to acquire a token for all the static scopes of a v1.0 application, append ".default" to the App ID URI of the API.

You will see the App ID URI on the Application Overview page.

If you have not created an App ID URI, set the URI and add a permission scope.

Satya V
0

I am using azure-identity 1.6.1 and Python 3.7 and I had to make a couple more changes to the solution mentioned above by @Joy Wang-MSFT.

For retrieving the token, I had to use just .default:

token = clientcredential.get_token(".default")

But one issue with this was that the token retrieved did not come out with the roles.

So finally, using the client_id/app_id worked for me, and the token had roles as well:

token = clientcredential.get_token("{client_id}/.default")
Nitin
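The answer above found that the wrong scope yields a token without the `roles` claim. Before sending an app token anywhere, it is worth checking locally that its audience is the service you meant and that the application roles you expect are present; a missing role usually means the scope, not the API, is wrong. The code below is an added example, not code from the original posts or from azure-identity: it decodes the JWT payload (the middle segment) without verifying the signature, which is fine for inspecting your own freshly issued token but is no substitute for the signature validation the resource server performs. The sample tokens are constructed inline with placeholder values; `api://<app-id-uri>` and the role name `Data.Read` are assumptions.

```python
from __future__ import annotations

import base64
import json
from typing import Any


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict[str, Any]:
    """Return the payload claims of a compact JWS. Inspection only: the
    signature segment is NOT checked here, the resource server does that."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_app_token(token: str, expected_audience: str, required_roles: set[str]) -> list[str]:
    """List the problems that would make this token unusable for the call:
    wrong audience (scope pointed at another resource) or missing roles."""
    claims = jwt_claims(token)
    problems: list[str] = []
    aud = claims.get("aud")
    if aud != expected_audience:
        problems.append(f"aud is {aud!r}, expected {expected_audience!r}")
    missing = required_roles - set(claims.get("roles", []))
    if missing:
        problems.append("missing roles: " + ", ".join(sorted(missing)))
    return problems


def make_sample_token(claims: dict[str, Any]) -> str:
    """Constructed, unsigned sample token for offline demonstration only;
    the signature segment is a dummy string, not a real signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


# Constructed samples: what a token with and without app roles looks like.
EXPECTED_AUD = "api://<app-id-uri>"
TOKEN_WITH_ROLES = make_sample_token({"aud": EXPECTED_AUD, "roles": ["Data.Read"]})
TOKEN_WITHOUT_ROLES = make_sample_token({"aud": EXPECTED_AUD})

if __name__ == "__main__":
    for label, tok in (("with roles", TOKEN_WITH_ROLES), ("without roles", TOKEN_WITHOUT_ROLES)):
        print(label, "->", check_app_token(tok, EXPECTED_AUD, {"Data.Read"}) or "ok")
```

Run against a real token from `get_token`, pass `token.token` as the first argument; an `aud` that names a different resource than the one you called the API with is the symptom of the scope mix-up discussed in this thread.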