def get_client_assertion(get_token_url):
# Create a GUID for the jti claim
jti_guid = str(uuid.uuid4())
thumbprint = client_registration.cert_thumbprint()
# Build the header
client_assertion_header = {
'alg': 'RS256',
'x5t': thumbprint,
}
# Create a UNIX epoch time value for now - 5 minutes
# Why -5 minutes? To allow for time skew between the local machine
# and the server.
now = int(time.time()) - 300
# Create a UNIX epoch time value for now + 10 minutes
ten_mins_from_now = now + 900
# Build the payload per
# http://www.cloudidentity.com/blog/2015/02/06/
# requesting-an-aad-token-with-a-certificate-without-adal/
client_assertion_payload = {
'sub': client_registration.client_id(),
'iss': client_registration.client_id(),
'jti': jti_guid,
'exp': ten_mins_from_now,
'nbf': now,
'aud': get_token_url, # .replace('/', '\\/'),
}
string_assertion = json.dumps(client_assertion_payload)
logger.debug('Assertion: {0}'.format(string_assertion))
# Generate the stringified header blob
assertion_blob = get_assertion_blob(client_assertion_header,
client_assertion_payload)
# Sign the data
signature = get_signature(assertion_blob)
# Concatenate the blob with the signature
# Final product should look like:
# <base64-encoded-header>.<base64-encoded-payload>.<base64-encoded-signature>
client_assertion = '{0}.{1}'.format(assertion_blob, signature)
logger.debug('CLIENT ASSERTION: {0}'.format(client_assertion))
return client_assertion
def get_client_assertion(get_token_url):
# Create a GUID for the jti claim
jti_guid = str(uuid.uuid4())
thumbprint = client_registration.cert_thumbprint()
# Build the header
client_assertion_header = {
'alg': 'RS256',
'x5t': thumbprint,
}
# Create a UNIX epoch time value for now - 5 minutes
# Why -5 minutes? To allow for time skew between the local machine
# and the server.
now = int(time.time()) - 300
# Create a UNIX epoch time value for now + 10 minutes
ten_mins_from_now = now + 900
# Build the payload per
# http://www.cloudidentity.com/blog/2015/02/06/
# requesting-an-aad-token-with-a-certificate-without-adal/
client_assertion_payload = {
'sub': client_registration.client_id(),
'iss': client_registration.client_id(),
'jti': jti_guid,
'exp': ten_mins_from_now,
'nbf': now,
'aud': get_token_url, # .replace('/', '\\/'),
}
string_assertion = json.dumps(client_assertion_payload)
logger.debug('Assertion: {0}'.format(string_assertion))
# Generate the stringified header blob
assertion_blob = get_assertion_blob(client_assertion_header,
client_assertion_payload)
# Sign the data
signature = get_signature(assertion_blob)
# Concatenate the blob with the signature
# Final product should look like:
# <base64-encoded-header>.<base64-encoded-payload>.<base64-encoded-signature>
client_assertion = '{0}.{1}'.format(assertion_blob, signature)
logger.debug('CLIENT ASSERTION: {0}'.format(client_assertion))
return client_assertion
def get_access_token(id_token, redirect_uri, resource):
# Get the tenant ID from the id token
parsed_token = parse_token(id_token)
tenantId = parsed_token['tid']
if (tenantId):
logger.debug('Tenant ID: {0}'.format(tenantId))
get_token_url = token_url.format(tenantId)
logger.debug('Token request url: '.format(get_token_url))
# Build the client assertion
assertion = get_client_assertion(get_token_url)
# Construct the required post data
# See http://www.cloudidentity.com/blog/2015/02/06/
# requesting-an-aad-token-with-a-certificate-without-adal/
post_form = {
'resource': resource,
'client_id': client_registration.client_id(),
'client_assertion_type':
'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
'client_assertion': assertion,
'grant_type': 'client_credentials',
'redirect_uri': redirect_uri,
}
r = requests.post(get_token_url, data=post_form, verify=verifySSL)
logger.debug('Received response from token end point.')
logger.debug(r.json())
return r.json()
else:
logger.debug('Could not parse token: {0}'.format(id_token))
return ''
def get_access_token(id_token, redirect_uri, resource):
# Get the tenant ID from the id token
parsed_token = parse_token(id_token)
tenantId = parsed_token['tid']
if (tenantId):
logger.debug('Tenant ID: {0}'.format(tenantId))
get_token_url = token_url.format(tenantId)
logger.debug('Token request url: '.format(get_token_url))
# Build the client assertion
assertion = get_client_assertion(get_token_url)
# Construct the required post data
# See http://www.cloudidentity.com/blog/2015/02/06/
# requesting-an-aad-token-with-a-certificate-without-adal/
post_form = {
'resource': resource,
'client_id': client_registration.client_id(),
'client_assertion_type':
'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
'client_assertion': assertion,
'grant_type': 'client_credentials',
'redirect_uri': redirect_uri,
}
r = requests.post(get_token_url, data=post_form, verify=verifySSL)
logger.debug('Received response from token end point.')
logger.debug(r.json())
return r.json()
else:
logger.debug('Could not parse token: {0}'.format(id_token))
return ''
def get_client_cred_authorization_url(redirect_uri, resource):
logger.debug('Entering get_client_cred_authorization_url.')
logger.debug(' redirect_uri: {0}'.format(redirect_uri))
logger.debug(' resource: {0}'.format(resource))
# Create a GUID for the nonce value
nonce = str(uuid.uuid4())
params = { 'client_id': client_registration.client_id(),
'redirect_uri': redirect_uri,
'response_type': 'code id_token',
'scope': 'openid',
'nonce': nonce,
'prompt': 'admin_consent',
'response_mode': 'form_post',
'resource': resource,
}
authorization_url = authorize_url.format(urlencode(params))
logger.debug('Authorization url: {0}'.format(authorization_url))
logger.debug('Leaving get_client_cred_authorization_url.')
return authorization_url
def get_client_cred_authorization_url(redirect_uri, resource):
logger.debug('Entering get_client_cred_authorization_url.')
logger.debug(' redirect_uri: {0}'.format(redirect_uri))
logger.debug(' resource: {0}'.format(resource))
# Create a GUID for the nonce value
nonce = str(uuid.uuid4())
params = {
'client_id': client_registration.client_id(),
'redirect_uri': redirect_uri,
'response_type': 'code id_token',
'scope': 'openid',
'nonce': nonce,
'prompt': 'admin_consent',
'response_mode': 'form_post',
'resource': resource,
}
authorization_url = authorize_url.format(urlencode(params))
logger.debug('Authorization url: {0}'.format(authorization_url))
logger.debug('Leaving get_client_cred_authorization_url.')
return authorization_url
