Skip to main content

AzureAD bearer tokens, how to get 'em?

People have asked me about above question in many forums, and I personally have used ADAL (Active Directory Authentication Library) to get one. But here i would show you can use simple Http client to get one.

In following example, I would show you how to get  bearer token for Azure Resource manager;

Before you jump in, you must have created AzureAD application and have it assigned desired permissions to Azure Resource Manager.

In olden days it was done through horrible powershell cmdlets, now days its done through new Azure Portal. (it used to be called ServicePrinciap), ServicePrincipal is actually an instance of your app in AzureAD.

So lets come back to recipe:

a) Fire a Http Client of your choice
b) Set POST method to a your token endpoint for your AzureAD tenant URL https://login.microsoftonline.com/<tenant-id>/oauth2/token
c) Set Content-Type : example : Content-Type: application/x-www-form-urlencoded
d)  Set following parameter as part of your request body:

response_type=client_credentials&client_id=<azureadapp_clientId>&client_secret=<azuread_clientSecret>&resource=https%3A%2F%2Fmanagement.azure.com%2F&grant_type=client_credentials

e) Fire :)

{
  "token_type": "Bearer",
  "expires_in": "3600",
  "ext_expires_in": "0",
  "expires_on": "1481060508",
  "not_before": "1481056608",
  "resource": "https://management.azure.com/",
  "access_token": "_BEARER_TOKEN_"
}


In this request result  you should have now received a bearer token, which you can use further towards Azure Resource Manager.


Remember, key "expires_in" is an epoch time format, so you have to make sure that you have to refresh refresh this token before it expires. which is why ADAL is so good and you do not have to think about such things. :-)

Now you can use another Http call to one of your favorite Azure REST apis and use above "bearer" token as part of authorization header; set value; Authorization bearer <_BEARER_TOKE_>

That's it :)

Remember: The above practice is not good for production env. you have responsibility to store client_id , client_secret in a secure place, practicing above things is not recommended in production env. and ADAL should be part of the game. but for learning purposes, its always good to know how things work in background :)



Comments

Popular posts from this blog

NetIQ IDM - SOAP driver -- Handling SOAP service response and manufacturing user association without XSLT

Always pain working with SOAP service and its handling of service response on Query(matching) for user to work with matching policies? Here is the quick wins; without reading  those long lengthy & boring useless SOAP driver blog series at netIQ forums; 1. Make sure you have mapped User class in the schema map with some service attributes 2. Make sure Input and Output policy is registered with all the namespaces you have in your request/response soap messages, example <policy xmlns:soap="http://www.w3.org/2003/05/soap-envelope" 3. I have added operation-data (which is being generated from the Output policy) as part of the SOAP query, but you can skip it if you do not need this. src-dn and association are important to indicate engine for building association.  Operation data will help you to identify operation type and you can carry actions according to it. Inject this on Output ( To support user matching) to send service request: < rule > ...

NetIQ IDM - Adding operation-data to subscriber command transformaiton custom commands

Recently i had to execute EOL cmdlets using psexecute though new NetIQ azure ad driver, since this operation is fire and forget in nature, i would like to track whole request and response for my own generated commands from subscriber command transofrmaiton policy, so i solved it by following policy: < do-set-dest-attr-value direct = "true" name = "psexecute" > < arg-association > < token-resolve datastore = "src" > < arg-dn > < token-text xml:space = "preserve" > {userref} </ token-text > </ arg-dn > </ token-resolve > </ arg-association > < arg-value type = "string" > < token-local-variable name = "cmdlet" /> </ arg-value > </ do-set-dest-attr-value > < do-append-xml-element expression = "../modify[@direct]" na...

Getting into Microsoft Identity Manager ...

Hmm... Microsoft Identity Manager 2010 is out.. but i really wanted to see how the new version is better then its older versions... i have read lots of documentation about FIM2010 and its declarative programming capabilities, MPRs (Management policy rules), workflows, Sets, Group etc, so before touching the fancy parts, i decided to dig into first how the sync-engine or as it previously called MIIS works before doing hands-on with the fancy FIM2010 and the sharepoint based user portal.. Going back to its earlier version and doing hands-on was necessary for me, since FIM2010 documentation always referred the "Classic-rules" as the more powerful then the declarative rules/programming in FIM2010. So i wanted to experience the power into Microsoft IdM before touching the declarative programming(less-power'd) stuff in FIM2010. Having already worked with event-based IdM products such as nOvell identity manager, i was excited to work with the state-based systems such as FIM2010....