Categorygithub.com/scott-the-programmer/go-autorestautorestadal
package
11.9.0+incompatible
Repository: https://github.com/scott-the-programmer/go-autorest.git
Documentation: pkg.go.dev
Overview
Versions
4
Dependencies
23
Dependents
0
Files
1.2k SLOC

# README

Azure Active Directory authentication for Go

This is a standalone package for authenticating with Azure Active Directory from other Go libraries and applications, in particular the Azure SDK for Go.

Note: Despite the package's name it is not related to other "ADAL" libraries maintained in the github.com/AzureAD org. Issues should be opened in this repo's or the SDK's issue trackers.

Install

go get -u github.com/Azure/go-autorest/autorest/adal

Usage

An Active Directory application is required in order to use this library. An application can be registered in the Azure Portal by following these guidelines or using the Azure CLI.

Register an Azure AD Application with secret

  1. Register a new application with a secret credential

    az ad app create \
   --display-name example-app \
   --homepage https://example-app/home \
   --identifier-uris https://example-app/app \
   --password secret

  2. Create a service principal using the Application ID from previous step

    az ad sp create --id "Application ID"
    • Replace Application ID with appId from step 1.

Register an Azure AD Application with certificate

  1. Create a private key

    openssl genrsa -out "example-app.key" 2048

  2. Create the certificate

    openssl req -new -key "example-app.key" -subj "/CN=example-app" -out "example-app.csr"
openssl x509 -req -in "example-app.csr" -signkey "example-app.key" -out "example-app.crt" -days 10000

  3. Create the PKCS12 version of the certificate containing also the private key

    openssl pkcs12 -export -out "example-app.pfx" -inkey "example-app.key" -in "example-app.crt" -passout pass:

  4. Register a new application with the certificate content form example-app.crt

    certificateContents="$(tail -n+2 "example-app.crt" | head -n-1)"

az ad app create \
   --display-name example-app \
   --homepage https://example-app/home \
   --identifier-uris https://example-app/app \
   --key-usage Verify --end-date 2018-01-01 \
   --key-value "${certificateContents}"

  5. Create a service principal using the Application ID from previous step

    az ad sp create --id "APPLICATION_ID"
    • Replace APPLICATION_ID with appId from step 4.

Grant the necessary permissions

Azure relies on a Role-Based Access Control (RBAC) model to manage the access to resources at a fine-grained level. There is a set of pre-defined roles which can be assigned to a service principal of an Azure AD application depending of your needs.

az role assignment create --assigner "SERVICE_PRINCIPAL_ID" --role "ROLE_NAME"
  • Replace the SERVICE_PRINCIPAL_ID with the appId from previous step.
  • Replace the ROLE_NAME with a role name of your choice.

It is also possible to define custom role definitions.

az role definition create --role-definition role-definition.json
  • Check custom roles for more details regarding the content of role-definition.json file.

Acquire Access Token

The common configuration used by all flows:

const activeDirectoryEndpoint = "https://login.microsoftonline.com/"
tenantID := "TENANT_ID"
oauthConfig, err := adal.NewOAuthConfig(activeDirectoryEndpoint, tenantID)

applicationID := "APPLICATION_ID"

callback := func(token adal.Token) error {
    // This is called after the token is acquired
}

// The resource for which the token is acquired
resource := "https://management.core.windows.net/"
  • Replace the TENANT_ID with your tenant ID.
  • Replace the APPLICATION_ID with the value from previous section.

Client Credentials

applicationSecret := "APPLICATION_SECRET"

spt, err := adal.NewServicePrincipalToken(
	oauthConfig,
	appliationID,
	applicationSecret,
	resource,
	callbacks...)
if err != nil {
	return nil, err
}

// Acquire a new access token
err  = spt.Refresh()
if (err == nil) {
    token := spt.Token
}
  • Replace the APPLICATION_SECRET with the password value from previous section.

Client Certificate

certificatePath := "./example-app.pfx"

certData, err := ioutil.ReadFile(certificatePath)
if err != nil {
	return nil, fmt.Errorf("failed to read the certificate file (%s): %v", certificatePath, err)
}

// Get the certificate and private key from pfx file
certificate, rsaPrivateKey, err := decodePkcs12(certData, "")
if err != nil {
	return nil, fmt.Errorf("failed to decode pkcs12 certificate while creating spt: %v", err)
}

spt, err := adal.NewServicePrincipalTokenFromCertificate(
	oauthConfig,
	applicationID,
	certificate,
	rsaPrivateKey,
	resource,
	callbacks...)

// Acquire a new access token
err  = spt.Refresh()
if (err == nil) {
    token := spt.Token
}
  • Update the certificate path to point to the example-app.pfx file which was created in previous section.

Device Code

oauthClient := &http.Client{}

// Acquire the device code
deviceCode, err := adal.InitiateDeviceAuth(
	oauthClient,
	oauthConfig,
	applicationID,
	resource)
if err != nil {
	return nil, fmt.Errorf("Failed to start device auth flow: %s", err)
}

// Display the authentication message
fmt.Println(*deviceCode.Message)

// Wait here until the user is authenticated
token, err := adal.WaitForUserCompletion(oauthClient, deviceCode)
if err != nil {
	return nil, fmt.Errorf("Failed to finish device auth flow: %s", err)
}

spt, err := adal.NewServicePrincipalTokenFromManualToken(
	oauthConfig,
	applicationID,
	resource,
	*token,
	callbacks...)

if (err == nil) {
    token := spt.Token
}

Username password authenticate

spt, err := adal.NewServicePrincipalTokenFromUsernamePassword(
	oauthConfig,
	applicationID,
	username,
	password,
	resource,
	callbacks...)

if (err == nil) {
    token := spt.Token
}

Authorization code authenticate

spt, err := adal.NewServicePrincipalTokenFromAuthorizationCode(
	oauthConfig,
	applicationID,
	clientSecret,
      authorizationCode,
      redirectURI,
	resource,
	callbacks...)

err  = spt.Refresh()
if (err == nil) {
    token := spt.Token
}

Command Line Tool

A command line tool is available in cmd/adal.go that can acquire a token for a given resource. It supports all flows mentioned above.

adal -h

Usage of ./adal:
  -applicationId string
        application id
  -certificatePath string
        path to pk12/PFC application certificate
  -mode string
        authentication mode (device, secret, cert, refresh) (default "device")
  -resource string
        resource for which the token is requested
  -secret string
        application secret
  -tenantId string
        tenant id
  -tokenCachePath string
        location of oath token cache (default "/home/cgc/.adal/accessToken.json")

Example acquire a token for https://management.core.windows.net/ using device code flow:

adal -mode device \
    -applicationId "APPLICATION_ID" \
    -tenantId "TENANT_ID" \
    -resource https://management.core.windows.net/

# Packages

No description provided by the author

# Functions

AddToUserAgent adds an extension to the current user agent.
CheckForUserCompletion takes a DeviceCode and checks with the Azure AD OAuth endpoint to see if the device flow has: been completed, timed out, or otherwise failed.
CreateSender creates, decorates, and returns, as a Sender, the default http.Client.
DecorateSender accepts a Sender and a, possibly empty, set of SendDecorators, which is applies to the Sender.
GetMSIVMEndpoint gets the MSI endpoint on Virtual Machines.
InitiateDeviceAuth initiates a device auth flow.
LoadToken restores a Token object from a file located at 'path'.
NewOAuthConfig returns an OAuthConfig with tenant specific urls.
NewOAuthConfigWithAPIVersion returns an OAuthConfig with tenant specific urls.
NewServicePrincipalToken creates a ServicePrincipalToken from the supplied Service Principal credentials scoped to the named resource.
NewServicePrincipalTokenFromAuthorizationCode creates a ServicePrincipalToken from the.
NewServicePrincipalTokenFromCertificate creates a ServicePrincipalToken from the supplied pkcs12 bytes.
NewServicePrincipalTokenFromManualToken creates a ServicePrincipalToken using the supplied token.
NewServicePrincipalTokenFromManualTokenSecret creates a ServicePrincipalToken using the supplied token and secret.
NewServicePrincipalTokenFromMSI creates a ServicePrincipalToken via the MSI VM Extension.
NewServicePrincipalTokenFromMSIWithUserAssignedID creates a ServicePrincipalToken via the MSI VM Extension.
NewServicePrincipalTokenFromUsernamePassword creates a ServicePrincipalToken from the username and password.
NewServicePrincipalTokenWithSecret create a ServicePrincipalToken using the supplied ServicePrincipalSecret implementation.
SaveToken persists an oauth token at the given location on disk.
UserAgent returns a string containing the Go version, system architecture and OS, and the adal version.
WaitForUserCompletion calls CheckForUserCompletion repeatedly until a token is granted or an error state occurs.

# Constants

OAuthGrantTypeAuthorizationCode is the "grant_type" identifier used in authorization code flows.
OAuthGrantTypeClientCredentials is the "grant_type" identifier used in credential flows.
OAuthGrantTypeDeviceCode is the "grant_type" identifier used in device flow.
OAuthGrantTypeRefreshToken is the "grant_type" identifier used in refresh token flows.
OAuthGrantTypeUserPass is the "grant_type" identifier used in username and password auth flows.

# Variables

ErrDeviceAccessDenied represents an access denied error from the token endpoint when using device flow.
ErrDeviceAuthorizationPending represents the server waiting on the user to complete the device flow.
ErrDeviceCodeEmpty represents an empty device code from the device endpoint while using device flow.
ErrDeviceCodeExpired represents the server timing out and expiring the code during device flow.
ErrDeviceGeneric represents an unknown error from the token endpoint when using device flow.
ErrDeviceSlowDown represents the service telling us we're polling too often during device flow.
ErrOAuthTokenEmpty represents an empty OAuth token from the token endpoint when using device flow.

# Structs

DeviceCode is the object returned by the device auth endpoint It contains information to instruct the user to complete the auth flow.
OAuthConfig represents the endpoints needed in OAuth operations.
ServicePrincipalAuthorizationCodeSecret implements ServicePrincipalSecret for authorization code auth.
ServicePrincipalCertificateSecret implements ServicePrincipalSecret for generic RSA cert auth with signed JWTs.
ServicePrincipalMSISecret implements ServicePrincipalSecret for machines running the MSI Extension.
ServicePrincipalNoSecret represents a secret type that contains no secret meaning it is not valid for fetching a fresh token.
ServicePrincipalToken encapsulates a Token created for a Service Principal.
ServicePrincipalTokenSecret implements ServicePrincipalSecret for client_secret type authorization.
ServicePrincipalUsernamePasswordSecret implements ServicePrincipalSecret for username and password auth.
Token encapsulates the access token used to authorize Azure requests.
TokenError is the object returned by the token exchange endpoint when something is amiss.

# Interfaces

OAuthTokenProvider is an interface which should be implemented by an access token retriever.
Refresher is an interface for token refresh functionality.
RefresherWithContext is an interface for token refresh functionality.
Sender is the interface that wraps the Do method to send HTTP requests.
ServicePrincipalSecret is an interface that allows various secret mechanism to fill the form that is submitted when acquiring an oAuth token.
TokenRefreshError is an interface used by errors returned during token refresh.

# Type aliases

SendDecorator takes and possibly decorates, by wrapping, a Sender.
SenderFunc is a method that implements the Sender interface.
TokenRefreshCallback is the type representing callbacks that will be called after a successful token refresh.