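def get_client_assertion(get_token_url):
    """Build a signed JWT client assertion for the client-credentials token request.

    Args:
        get_token_url: The tenant-specific token endpoint URL; it becomes the
            ``aud`` claim of the assertion.

    Returns:
        The compact assertion ``<header>.<payload>.<signature>`` as a str.
    """
    # Fresh GUID for the jti claim so each assertion is unique.
    jti_guid = str(uuid.uuid4())
    thumbprint = client_registration.cert_thumbprint()

    # Header: RS256 plus the certificate thumbprint (x5t) identifying the signing cert.
    client_assertion_header = {
        'alg': 'RS256',
        'x5t': thumbprint,
    }

    # nbf is backdated 5 minutes to tolerate clock skew between the local
    # machine and the server. exp is 15 minutes after that backdated value,
    # i.e. 10 minutes after the real current time.
    now = int(time.time()) - 300
    ten_mins_from_now = now + 900

    # Payload per
    # http://www.cloudidentity.com/blog/2015/02/06/
    # requesting-an-aad-token-with-a-certificate-without-adal/
    client_assertion_payload = {
        'sub': client_registration.client_id(),
        'iss': client_registration.client_id(),
        'jti': jti_guid,
        'exp': ten_mins_from_now,
        'nbf': now,
        'aud': get_token_url,  # .replace('/', '\\/'),
    }

    # Lazy %-args: the payload is only serialized when debug logging is enabled.
    logger.debug('Assertion: %s', json.dumps(client_assertion_payload))

    # Stringified header/payload blob (encoding is done by get_assertion_blob).
    assertion_blob = get_assertion_blob(client_assertion_header,
                                        client_assertion_payload)

    # Sign the blob (get_signature holds the key-handling logic).
    signature = get_signature(assertion_blob)

    # Final product:
    # <base64-encoded-header>.<base64-encoded-payload>.<base64-encoded-signature>
    client_assertion = '{0}.{1}'.format(assertion_blob, signature)
    # The signed assertion is a usable credential until exp, so only its
    # jti is logged rather than the assertion itself.
    logger.debug('Client assertion built (jti=%s).', jti_guid)
    return client_assertion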
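def get_access_token(id_token, redirect_uri, resource):
    """Exchange a signed client assertion for an access token.

    Args:
        id_token: The id_token from the authorization response; its ``tid``
            claim selects the tenant-specific token endpoint.
        redirect_uri: The redirect URI registered for the application.
        resource: The resource identifier the access token is requested for.

    Returns:
        The token endpoint's JSON response (as returned by ``r.json()``), or
        ``''`` when no tenant ID could be taken from the id_token.
    """
    # NOTE(review): the tenant ID is read from the id_token as-is; parse_token
    # is assumed to verify the token before its claims are trusted — confirm.
    parsed_token = parse_token(id_token)
    # .get() so a token without 'tid' takes the failure path instead of KeyError.
    tenantId = parsed_token.get('tid')
    if not tenantId:
        logger.debug('Could not parse token: {0}'.format(id_token))
        return ''

    logger.debug('Tenant ID: {0}'.format(tenantId))
    get_token_url = token_url.format(tenantId)
    # The placeholder is required here; without it the URL is never logged.
    logger.debug('Token request url: {0}'.format(get_token_url))

    assertion = get_client_assertion(get_token_url)

    # Post data per
    # http://www.cloudidentity.com/blog/2015/02/06/
    # requesting-an-aad-token-with-a-certificate-without-adal/
    post_form = {
        'resource': resource,
        'client_id': client_registration.client_id(),
        'client_assertion_type': 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
        'client_assertion': assertion,
        'grant_type': 'client_credentials',
        'redirect_uri': redirect_uri,
    }

    # verifySSL is module-level; anything other than True weakens or disables
    # TLS certificate checking for the token request.
    r = requests.post(get_token_url, data=post_form, verify=verifySSL)
    logger.debug('Received response from token end point (HTTP %s).', r.status_code)
    # Parse once; the body carries the access token, so it is not logged.
    token_response = r.json()
    return token_response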
def get_client_cred_authorization_url(redirect_uri, resource):
    """Compose the admin-consent authorization URL for the client-credentials flow.

    Args:
        redirect_uri: Where the authorization server posts the code and id_token.
        resource: The resource identifier consent is requested for.

    Returns:
        The fully formed authorization URL as a str.
    """
    logger.debug('Entering get_client_cred_authorization_url.')
    logger.debug(' redirect_uri: {0}'.format(redirect_uri))
    logger.debug(' resource: {0}'.format(resource))

    # Fresh GUID for the nonce claim.
    # NOTE(review): the nonce is neither returned nor stored here, so the
    # caller cannot compare it with the id_token's nonce on return — confirm
    # where (or whether) that check is done.
    nonce_value = str(uuid.uuid4())

    # Ordered pairs keep the query string in the documented parameter order.
    query_pairs = [
        ('client_id', client_registration.client_id()),
        ('redirect_uri', redirect_uri),
        ('response_type', 'code id_token'),
        ('scope', 'openid'),
        ('nonce', nonce_value),
        ('prompt', 'admin_consent'),
        ('response_mode', 'form_post'),
        ('resource', resource),
    ]
    url = authorize_url.format(urlencode(query_pairs))

    logger.debug('Authorization url: {0}'.format(url))
    logger.debug('Leaving get_client_cred_authorization_url.')
    return url