I'm trying to get an access token by authenticating my app with AAD via a certificate. The certificate is installed on my local machine (Windows 10). This authentication is needed to access an external API.

I'm following the steps posted on Azure Docs

Sample code:

import adal
from msrestazure.azure_active_directory import AADTokenCredentials


def authenticate_client_cert():
    """
    Authenticate using service principal w/ cert.
    """
    authority_host_uri = 'https://login.microsoftonline.com'
    tenant = '<TENANT>'
    authority_uri = authority_host_uri + '/' + tenant
    resource_uri = 'https://management.core.windows.net/'
    client_id = '<CLIENT_ID>'
    client_cert = '<CLIENT_CERT>'  ### MISSING THIS (ADAL expects the PEM private key text here)
    client_cert_thumbprint = '<CLIENT_CERT_THUMBPRINT>'

    context = adal.AuthenticationContext(authority_uri, api_version=None)

    # Client-credential flow: ADAL signs a JWT assertion with client_cert,
    # identifies the cert by client_cert_thumbprint, and exchanges it for a token.
    mgmt_token = context.acquire_token_with_client_certificate(
        resource_uri, client_id, client_cert, client_cert_thumbprint)
    credentials = AADTokenCredentials(mgmt_token, client_id)

    return credentials

I have '<CLIENT_ID>', '<TENANT>' and '<CLIENT_CERT_THUMBPRINT>' but I'm missing '<CLIENT_CERT>'

From my understanding, '<CLIENT_CERT>' is the private key but I cannot export the private key because it's not allowed.

So I'm not sure how I can get authenticated from AAD with this certificate.

1 Answer

If you cannot get the private key, you won't be able to use this cert to get authenticated with AAD. But you can upload a new cert yourself and use it.

The <client_cert> should be the name of the key file which you generated.

Here is the documentation about client credentials with certificate in ADAL for Python:

Steps to generate certificate and private key to be used when implementing the client credential flow are as follows:

Generate a key:

openssl genrsa -out server.pem 2048

Create a certificate request:

openssl req -new -key server.pem -out server.csr

Generate a certificate:

openssl x509 -req -days 365 -in server.csr -signkey server.pem -out server.crt

You will have to upload this certificate (server.crt) on Azure Portal in your application settings. Once you save this certificate, the portal will give you the thumbprint of this certificate which is needed in the acquire token call. The key will be the server.pem key you generated in the first step.

Now you can create the credential for the client credential flow using certificate in ADAL Python as follows:

client_credentials = {
    "client_id": <your app id>,
    "thumbprint": <thumbprint of cert file>,
    "certificate": <key file name>
}

For example:

{
    "resource": "your_resource",
    "tenant": "test.onmicrosoft.com",
    "authorityHostUrl": "https://login.microsoftonline.com",
    "clientId": "d6835713-b745-48d1-bb62-7a8248477d35",
    "thumbprint": "C15DEA8656ADDF67BE8031D85EBDDC5AD6C436E1",
    "certificate": "server.pem"
}

Hope this helps!
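The three openssl steps above, the thumbprint the portal displays after you upload server.crt, and what ADAL then does with the key and that thumbprint, as an added runnable shell example. This is not code from the original answer or from the ADAL library: it reproduces the RS256 JWT client assertion (header with an x5t field holding the base64url SHA-1 thumbprint, signed with server.pem) that acquire_token_with_client_certificate builds and sends to AAD in the client-credential flow, and then checks the signature with the public certificate the way AAD does. The tenant, client ID and certificate subject are placeholders. It also shows why the public certificate alone is not enough: the signing step needs the private key.

```shell
#!/bin/sh
# Added example, not code from the original answer or from ADAL itself.
# Mirrors the three openssl steps above, derives the SHA-1 thumbprint the
# portal shows, and builds the RS256 client assertion (JWT with an x5t
# header) that ADAL signs with server.pem in the client-credential flow.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Placeholder tenant and application ID (assumptions, not real values).
TENANT="contoso.onmicrosoft.com"
CLIENT_ID="00000000-0000-0000-0000-000000000000"
AUD="https://login.microsoftonline.com/$TENANT/oauth2/token"

b64url() {            # base64url without padding, as JWT segments require
    openssl base64 -A | tr '+/' '-_' | tr -d '=\n'
}

b64url_decode() {     # inverse of b64url; restores padding before decoding
    s=$(tr '_-' '/+')
    while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
    printf '%s' "$s" | openssl base64 -d -A
}

make_cert() {         # the answer's steps 1-3, made non-interactive with -subj
    openssl genrsa -out "$WORK/server.pem" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.pem" -subj "/CN=adal-client" \
        -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -signkey "$WORK/server.pem" -out "$WORK/server.crt" 2>/dev/null
}

thumbprint() {        # hex SHA-1 over the DER certificate: the portal's value
    openssl x509 -in "$WORK/server.crt" -noout -fingerprint -sha1 \
        | cut -d= -f2 | tr -d ':'
}

x5t() {               # same digest, raw bytes, base64url: the JWT header field
    openssl x509 -in "$WORK/server.crt" -outform DER \
        | openssl dgst -sha1 -binary | b64url
}

client_assertion() {  # header.claims.signature, signed with the private key
    now=$(date +%s)
    header=$(printf '{"alg":"RS256","typ":"JWT","x5t":"%s"}' "$(x5t)" | b64url)
    claims=$(printf '{"aud":"%s","iss":"%s","sub":"%s","jti":"%s","nbf":%s,"exp":%s}' \
        "$AUD" "$CLIENT_ID" "$CLIENT_ID" "$(openssl rand -hex 16)" \
        "$now" "$((now + 600))" | b64url)
    sig=$(printf '%s.%s' "$header" "$claims" \
        | openssl dgst -sha256 -sign "$WORK/server.pem" | b64url)
    printf '%s.%s.%s' "$header" "$claims" "$sig"
}

verify_assertion() {  # what AAD does with the uploaded server.crt: check the signature
    jwt=$1
    openssl x509 -in "$WORK/server.crt" -pubkey -noout > "$WORK/server.pub"
    printf '%s' "${jwt##*.}" | b64url_decode > "$WORK/sig.bin"
    printf '%s' "${jwt%.*}" \
        | openssl dgst -sha256 -verify "$WORK/server.pub" -signature "$WORK/sig.bin"
}

x5t_matches_thumbprint() {  # ties the two portal values together
    decoded=$(printf '%s' "$(x5t)" | b64url_decode | od -An -tx1 | tr -d ' \n')
    [ "$decoded" = "$(thumbprint | tr 'A-F' 'a-f')" ]
}

make_cert
echo "thumbprint for the portal / acquire_token call: $(thumbprint)"
ASSERTION=$(client_assertion)
echo "client_assertion: $ASSERTION"
verify_assertion "$ASSERTION"
```

The thumbprint is only an identifier: AAD uses the x5t header to pick which uploaded certificate to verify the signature with, and the private key (server.pem, passed to ADAL as the certificate parameter) is what produces that signature. A certificate whose private key is marked non-exportable cannot be used this way from ADAL for Python, because the library needs the key material itself rather than a handle into the Windows certificate store.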

2 Comments

I think I wasn't clear in my question. The certificate is needed to access an external API (I don't own it). Therefore I cannot create my own certificate to get authenticated. In C#, there's a way to point to a certificate that's installed on your computer, but I can't seem to find a library in Python that would allow me to do that.
Hi @Rana. Unfortunately, AFAIK, if you cannot export the private key nor use a new certificate, I think there is no other workaround to resolve this.
