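def get_client_assertion(get_token_url):
    """Build a signed JWT client assertion for the AAD token endpoint.

    The result is a compact JWS, ``<b64 header>.<b64 payload>.<b64 signature>``,
    whose ``aud`` claim is ``get_token_url`` -- the endpoint the caller is
    about to POST it to -- so the assertion is bound to that endpoint.

    Args:
        get_token_url: token endpoint URL, used verbatim as the ``aud`` claim.

    Returns:
        The serialized client assertion string.
    """
    # Fresh id for the 'jti' claim; gives the server a handle to reject a
    # replayed assertion.
    jti_guid = str(uuid.uuid4())

    thumbprint = client_registration.cert_thumbprint()

    # JWS header: RS256 plus the 'x5t' thumbprint that tells the server which
    # registered certificate produced the signature.
    client_assertion_header = {
        'alg': 'RS256',
        'x5t': thumbprint,
    }

    # Validity window in UNIX epoch seconds. 'nbf' is backdated 5 minutes to
    # tolerate clock skew between this host and the server; 'exp' is 15
    # minutes after that backdated value, i.e. 10 minutes after real local
    # time -- keep the window short, the assertion is a bearer credential.
    now = int(time.time()) - 300
    ten_mins_from_now = now + 900

    # Payload layout per
    # http://www.cloudidentity.com/blog/2015/02/06/
    #   requesting-an-aad-token-with-a-certificate-without-adal/
    client_assertion_payload = {
        'sub': client_registration.client_id(),
        'iss': client_registration.client_id(),
        'jti': jti_guid,
        'exp': ten_mins_from_now,
        'nbf': now,
        # Must match the URL the assertion is posted to; an earlier variant
        # escaped '/' as '\/' here, which is not required.
        'aud': get_token_url,
    }

    # The unsigned claims carry nothing secret, so they may be logged.
    logger.debug('Assertion: {0}'.format(json.dumps(client_assertion_payload)))

    # Encoded "<header>.<payload>" portion, ready to be signed.
    assertion_blob = get_assertion_blob(client_assertion_header,
                                        client_assertion_payload)

    # Sign the data
    signature = get_signature(assertion_blob)

    # Concatenate the blob with the signature
    # Final product should look like:
    # <base64-encoded-header>.<base64-encoded-payload>.<base64-encoded-signature>
    client_assertion = '{0}.{1}'.format(assertion_blob, signature)
    # Never log the signed assertion itself: anyone who can read the log
    # could present it to the token endpoint until 'exp' passes.
    logger.debug('Client assertion built (jti={0}, {1} chars).'.format(
        jti_guid, len(client_assertion)))

    return client_assertion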
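def get_client_assertion(get_token_url):
    """Build a signed JWT client assertion for the AAD token endpoint.

    The result is a compact JWS, ``<b64 header>.<b64 payload>.<b64 signature>``,
    whose ``aud`` claim is ``get_token_url`` -- the endpoint the caller is
    about to POST it to -- so the assertion is bound to that endpoint.

    Args:
        get_token_url: token endpoint URL, used verbatim as the ``aud`` claim.

    Returns:
        The serialized client assertion string.
    """
    # Fresh id for the 'jti' claim; gives the server a handle to reject a
    # replayed assertion.
    jti_guid = str(uuid.uuid4())

    thumbprint = client_registration.cert_thumbprint()

    # JWS header: RS256 plus the 'x5t' thumbprint that tells the server which
    # registered certificate produced the signature.
    client_assertion_header = {
        'alg': 'RS256',
        'x5t': thumbprint,
    }

    # Validity window in UNIX epoch seconds. 'nbf' is backdated 5 minutes to
    # tolerate clock skew between this host and the server; 'exp' is 15
    # minutes after that backdated value, i.e. 10 minutes after real local
    # time -- keep the window short, the assertion is a bearer credential.
    now = int(time.time()) - 300
    ten_mins_from_now = now + 900

    # Payload layout per
    # http://www.cloudidentity.com/blog/2015/02/06/
    #   requesting-an-aad-token-with-a-certificate-without-adal/
    client_assertion_payload = {
        'sub': client_registration.client_id(),
        'iss': client_registration.client_id(),
        'jti': jti_guid,
        'exp': ten_mins_from_now,
        'nbf': now,
        # Must match the URL the assertion is posted to; an earlier variant
        # escaped '/' as '\/' here, which is not required.
        'aud': get_token_url,
    }

    # The unsigned claims carry nothing secret, so they may be logged.
    logger.debug('Assertion: {0}'.format(json.dumps(client_assertion_payload)))

    # Encoded "<header>.<payload>" portion, ready to be signed.
    assertion_blob = get_assertion_blob(client_assertion_header,
                                        client_assertion_payload)

    # Sign the data
    signature = get_signature(assertion_blob)

    # Concatenate the blob with the signature
    # Final product should look like:
    # <base64-encoded-header>.<base64-encoded-payload>.<base64-encoded-signature>
    client_assertion = '{0}.{1}'.format(assertion_blob, signature)
    # Never log the signed assertion itself: anyone who can read the log
    # could present it to the token endpoint until 'exp' passes.
    logger.debug('Client assertion built (jti={0}, {1} chars).'.format(
        jti_guid, len(client_assertion)))

    return client_assertion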
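def get_access_token(id_token, redirect_uri, resource):
    """Exchange a certificate-signed client assertion for an access token.

    The tenant is read from the ``tid`` claim of ``id_token`` and used to build
    the tenant-specific token endpoint; a client-credentials grant carrying a
    JWT client assertion is then POSTed there.

    Args:
        id_token: OpenID Connect id_token whose ``tid`` claim names the tenant.
        redirect_uri: sent as the ``redirect_uri`` form field.
        resource: identifier of the resource the access token is requested for.

    Returns:
        The decoded JSON body of the token endpoint response (the caller must
        check it for an ``error`` member -- no status check is done here), or
        ``''`` when the id_token carries no ``tid`` claim.
    """
    # NOTE(review): parse_token is assumed to have verified the id_token's
    # signature and issuer before 'tid' is trusted here -- confirm. With an
    # unverified token an attacker-chosen 'tid' decides which tenant endpoint
    # receives our signed client assertion.
    parsed_token = parse_token(id_token)
    # .get() so a token without 'tid' reaches the error branch below instead
    # of raising KeyError (the original subscript made that branch unreachable).
    tenant_id = parsed_token.get('tid')
    if not tenant_id:
        logger.debug('Could not parse token: {0}'.format(id_token))
        return ''

    logger.debug('Tenant ID: {0}'.format(tenant_id))
    get_token_url = token_url.format(tenant_id)
    # Placeholder was missing from this format string, so the URL never
    # actually appeared in the log.
    logger.debug('Token request url: {0}'.format(get_token_url))

    # Build the client assertion, bound to this tenant's endpoint via 'aud'.
    assertion = get_client_assertion(get_token_url)

    # Form body per
    # http://www.cloudidentity.com/blog/2015/02/06/
    #    requesting-an-aad-token-with-a-certificate-without-adal/
    post_form = {
        'resource': resource,
        'client_id': client_registration.client_id(),
        'client_assertion_type':
            'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
        'client_assertion': assertion,
        'grant_type': 'client_credentials',
        'redirect_uri': redirect_uri,
    }

    # verifySSL is a module-level setting: anything but True disables TLS
    # certificate checking and lets a man-in-the-middle capture both the
    # client assertion and the issued token.
    r = requests.post(get_token_url, data=post_form, verify=verifySSL)
    logger.debug('Received response from token end point.')
    token_response = r.json()
    # Log only the HTTP status: the body carries the bearer access token.
    logger.debug('Token end point returned status {0}.'.format(r.status_code))
    return token_response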
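def get_access_token(id_token, redirect_uri, resource):
    """Exchange a certificate-signed client assertion for an access token.

    The tenant is read from the ``tid`` claim of ``id_token`` and used to build
    the tenant-specific token endpoint; a client-credentials grant carrying a
    JWT client assertion is then POSTed there.

    Args:
        id_token: OpenID Connect id_token whose ``tid`` claim names the tenant.
        redirect_uri: sent as the ``redirect_uri`` form field.
        resource: identifier of the resource the access token is requested for.

    Returns:
        The decoded JSON body of the token endpoint response (the caller must
        check it for an ``error`` member -- no status check is done here), or
        ``''`` when the id_token carries no ``tid`` claim.
    """
    # NOTE(review): parse_token is assumed to have verified the id_token's
    # signature and issuer before 'tid' is trusted here -- confirm. With an
    # unverified token an attacker-chosen 'tid' decides which tenant endpoint
    # receives our signed client assertion.
    parsed_token = parse_token(id_token)
    # .get() so a token without 'tid' reaches the error branch below instead
    # of raising KeyError (the original subscript made that branch unreachable).
    tenant_id = parsed_token.get('tid')
    if not tenant_id:
        logger.debug('Could not parse token: {0}'.format(id_token))
        return ''

    logger.debug('Tenant ID: {0}'.format(tenant_id))
    get_token_url = token_url.format(tenant_id)
    # Placeholder was missing from this format string, so the URL never
    # actually appeared in the log.
    logger.debug('Token request url: {0}'.format(get_token_url))

    # Build the client assertion, bound to this tenant's endpoint via 'aud'.
    assertion = get_client_assertion(get_token_url)

    # Form body per
    # http://www.cloudidentity.com/blog/2015/02/06/
    #    requesting-an-aad-token-with-a-certificate-without-adal/
    post_form = {
        'resource': resource,
        'client_id': client_registration.client_id(),
        'client_assertion_type':
            'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
        'client_assertion': assertion,
        'grant_type': 'client_credentials',
        'redirect_uri': redirect_uri,
    }

    # verifySSL is a module-level setting: anything but True disables TLS
    # certificate checking and lets a man-in-the-middle capture both the
    # client assertion and the issued token.
    r = requests.post(get_token_url, data=post_form, verify=verifySSL)
    logger.debug('Received response from token end point.')
    token_response = r.json()
    # Log only the HTTP status: the body carries the bearer access token.
    logger.debug('Token end point returned status {0}.'.format(r.status_code))
    return token_response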
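def get_client_cred_authorization_url(redirect_uri, resource, state=None, nonce=None):
    """Build the AAD authorize URL that asks an administrator to consent.

    The request asks for ``code id_token`` via form POST with
    ``prompt=admin_consent``; the id_token that comes back is what
    ``get_access_token`` reads the tenant from.

    Args:
        redirect_uri: where AAD posts the ``code`` / ``id_token`` back to.
        resource: identifier of the resource to request consent for.
        state: optional opaque value AAD echoes back on the callback. Bind it
            to the browser session and compare it there, otherwise the
            callback can be forged (CSRF). Omitted from the URL when None,
            matching the previous behaviour.
        nonce: optional nonce to embed in the request. When None a fresh UUID
            is generated, as before -- but that value is not returned, so the
            caller cannot check the id_token's ``nonce`` claim and gets no
            replay protection from it. Pass (and persist) one to verify.

    Returns:
        The fully encoded authorization URL.
    """
    logger.debug('Entering get_client_cred_authorization_url.')
    logger.debug('  redirect_uri: {0}'.format(redirect_uri))
    logger.debug('  resource: {0}'.format(resource))

    if nonce is None:
        nonce = str(uuid.uuid4())

    params = {
        'client_id': client_registration.client_id(),
        'redirect_uri': redirect_uri,
        'response_type': 'code id_token',
        'scope': 'openid',
        'nonce': nonce,
        'prompt': 'admin_consent',
        'response_mode': 'form_post',
        'resource': resource,
    }
    # Only add 'state' when the caller supplied one so existing callers get
    # the identical URL they did before.
    if state is not None:
        params['state'] = state

    authorization_url = authorize_url.format(urlencode(params))

    logger.debug('Authorization url: {0}'.format(authorization_url))
    logger.debug('Leaving get_client_cred_authorization_url.')
    return authorization_url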
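def get_client_cred_authorization_url(redirect_uri, resource, state=None, nonce=None):
    """Build the AAD authorize URL that asks an administrator to consent.

    The request asks for ``code id_token`` via form POST with
    ``prompt=admin_consent``; the id_token that comes back is what
    ``get_access_token`` reads the tenant from.

    Args:
        redirect_uri: where AAD posts the ``code`` / ``id_token`` back to.
        resource: identifier of the resource to request consent for.
        state: optional opaque value AAD echoes back on the callback. Bind it
            to the browser session and compare it there, otherwise the
            callback can be forged (CSRF). Omitted from the URL when None,
            matching the previous behaviour.
        nonce: optional nonce to embed in the request. When None a fresh UUID
            is generated, as before -- but that value is not returned, so the
            caller cannot check the id_token's ``nonce`` claim and gets no
            replay protection from it. Pass (and persist) one to verify.

    Returns:
        The fully encoded authorization URL.
    """
    logger.debug('Entering get_client_cred_authorization_url.')
    logger.debug('  redirect_uri: {0}'.format(redirect_uri))
    logger.debug('  resource: {0}'.format(resource))

    if nonce is None:
        nonce = str(uuid.uuid4())

    params = {
        'client_id': client_registration.client_id(),
        'redirect_uri': redirect_uri,
        'response_type': 'code id_token',
        'scope': 'openid',
        'nonce': nonce,
        'prompt': 'admin_consent',
        'response_mode': 'form_post',
        'resource': resource,
    }
    # Only add 'state' when the caller supplied one so existing callers get
    # the identical URL they did before.
    if state is not None:
        params['state'] = state

    authorization_url = authorize_url.format(urlencode(params))

    logger.debug('Authorization url: {0}'.format(authorization_url))
    logger.debug('Leaving get_client_cred_authorization_url.')
    return authorization_url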