diff --git a/sample/confidential_client_certificate_sample.py b/sample/confidential_client_certificate_sample.py
new file mode 100644
index 00000000..4c21ee32
--- /dev/null
+++ b/sample/confidential_client_certificate_sample.py
@@ -0,0 +1,64 @@
+"""
+The configuration file would look like this (sans those // comments):
+
+{
+ "authority": "https://login.microsoftonline.com/organizations",
+ "client_id": "your_client_id",
+ "scope": ["https://graph.microsoft.com/.default"],
+ // For more information about scopes for an app, refer:
+ // https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate"
+
+ "thumbprint": "790E... The thumbprint generated by AAD when you upload your public cert",
+ "private_key_file": "filename.pem"
+ // For information about generating thumbprint and private key file, refer:
+ // https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Client-Credentials#client-credentials-with-certificate
+}
+
+You can then run this sample with a JSON configuration file:
+
+ python sample.py parameters.json
+"""
+
+import sys # For simplicity, we'll read config file from 1st CLI param sys.argv[1]
+import json
+import logging
+
+import msal
+
+
+# Optional logging
+# logging.basicConfig(level=logging.DEBUG)
+
+config = json.load(open(sys.argv[1]))
+
+# Create a preferably long-lived app instance which maintains a token cache.
+app = msal.ConfidentialClientApplication(
+ config["client_id"], authority=config["authority"],
+ client_credential={"thumbprint": config["thumbprint"], "private_key": open(config['private_key_file']).read()},
+ # token_cache=... # Default cache is in memory only.
+ # You can learn how to use SerializableTokenCache from
+ # https://msal-python.rtfd.io/en/latest/#msal.SerializableTokenCache
+ )
+
+# The pattern to acquire a token looks like this.
+result = None
+
+# Firstly, looks up a token from cache
+# Since we are looking for token for the current app, NOT for an end user,
+# notice we give account parameter as None.
+result = app.acquire_token_silent(config["scope"], account=None) + +if not result: + logging.info("No suitable token exists in cache. Let's get a new one from AAD.") + result = app.acquire_token_for_client(scopes=config["scope"]) + +if "access_token" in result: + print(result["access_token"]) + print(result["token_type"]) + print(result["expires_in"]) # You don't normally need to care about this. + # It will be good for at least 5 minutes. +else: + print(result.get("error")) + print(result.get("error_description")) + print(result.get("correlation_id")) # You may need this when reporting a bug + diff --git a/sample/client_credential_sample.py b/sample/confidential_client_secret_sample.py similarity index 74% rename from sample/client_credential_sample.py rename to sample/confidential_client_secret_sample.py index 59d90b5c..3897c54c 100644 --- a/sample/client_credential_sample.py +++ b/sample/confidential_client_secret_sample.py @@ -1,11 +1,17 @@ """ -The configuration file would look like this: +The configuration file would look like this (sans those // comments): { "authority": "https://login.microsoftonline.com/organizations", "client_id": "your_client_id", "scope": ["https://graph.microsoft.com/.default"], - "secret": "This is a sample only. You better NOT persist your password." + // For more information about scopes for an app, refer: + // https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate" + + "secret": "The secret generated by AAD during your confidential app registration" + // For information about generating client secret, refer: + // https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Client-Credentials#registering-client-secrets-using-the-application-registration-portal + } You can then run this sample with a JSON configuration file:
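Review bot: Neither file read in the new sample closes its handle — `config = json.load(open(sys.argv[1]))` near the top and `open(config['private_key_file']).read()` inside the `client_credential` dict — and the second one is the private key, so its descriptor stays open until garbage collection; read both under `with` as below. The docstring URL for the client-credentials flow ends in `...with-a-certificate"` with a stray closing quote that readers will paste verbatim, and the same line is repeated in the renamed confidential_client_secret_sample.py hunk. Since `print(result["access_token"])` writes a live bearer token to stdout, a one-line comment above it such as `# Sample only: never print or log a real access token outside a demo.` would keep copy-pasted code from leaking credentials into shell history or log capture.
```python
with open(sys.argv[1]) as config_file:
    config = json.load(config_file)

# … unchanged: comment about the long-lived app instance …
with open(config["private_key_file"]) as key_file:
    private_key = key_file.read()
app = msal.ConfidentialClientApplication(
    config["client_id"], authority=config["authority"],
    client_credential={"thumbprint": config["thumbprint"], "private_key": private_key},
    # … unchanged: token_cache comments …
    )
```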