(JavaScript) Azure Key Vault Get OAuth2 Access Token using Client Credentials
Demonstrates how to get an OAuth2 access token using client credentials for an Azure Key Vault resource.
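// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.
// ---
// See RBAC Permissions Required for Azure Key Vault API Using OAuth2 Client Credentials Flow
// ---
// You can use OAuth2 client credentials with an Azure App (service principal) that has
// the required Role-Based Access Control (RBAC) permissions.
// In this case, it would be a service principal with RBAC permissions to administer and manage
// the key vault.
// You can create the Azure App (also known as the Service Principal)
// in the Azure CLI (command line interface) as follows:
// ----------------------------------------------------------------------
// az ad sp create-for-rbac --name http://example.com --role Contributor
// ----------------------------------------------------------------------
// The argument to --name must be a valid URI that is a verified domain of your
// organization or its subdomain.
// The output of the above "az ad sp create-for-rbac ..." command is JSON such as this:
// {
// "appId": "25ac6e3a-9ac7-42b9-b13e-18644c1de959",
// "displayName": "azure-cli-2023-10-14-22-38-15",
// "name": "http://example.com",
// "password": "f1f2f3f0-52dc-4236-8295-c8a1d6aa393c",
// "tenant": "4d8dfd66-68d1-13b0-af5c-b31b4b3d53d"
// }
// Save the values in the above JSON. You'll need them below.
// You'll also want to add the role of "Key Vault Administrator" to the Service Principal
// for the particular key vault.
// ----------------------------------------------------------------------
// az role assignment create --assignee <Application-ID> --role "Key Vault Administrator"
// --scope /subscriptions/<Subscription-ID>/resourceGroups/<Resource-Group-Name>/providers/Microsoft.KeyVault/vaults/<KeyVault-Name>
// ----------------------------------------------------------------------

// Service principal credentials. The literals are the sample values from the
// "az ad sp create-for-rbac" output above; in real use set the environment
// variables instead so the client secret ("password") never lives in source control.
var tenantId = process.env.AZURE_TENANT_ID || "4d8dfd66-68d1-13b0-af5c-b31b4b3d53d";
var clientId = process.env.AZURE_CLIENT_ID || "25ac6e3a-9ac7-42b9-b13e-18644c1de959";
var clientSecret = process.env.AZURE_CLIENT_SECRET || "f1f2f3f0-52dc-4236-8295-c8a1d6aa393c";

var http = new CkHttp();
var req = new CkHttpRequest();

// Form-encoded body parameters for the client-credentials grant.
req.AddParam("grant_type", "client_credentials");
// The service principal's appId.
req.AddParam("client_id", clientId);
// The service principal's password.
req.AddParam("client_secret", clientSecret);
// Note: The resource must match the API for which you're using the access token.
req.AddParam("resource", "https://vault.azure.net");
http.SetUrlVar("tenant", tenantId);
req.HttpVerb = "POST";
req.ContentType = "application/x-www-form-urlencoded";

var resp = new CkHttpResponse();
// {$tenant} is substituted by Chilkat from the URL variable set above.
var success = http.HttpReq("https://login.microsoftonline.com/{$tenant}/oauth2/token", req, resp);
if (!success) {
    console.log(http.LastErrorText);
    return;
}

var strRespBody = resp.BodyStr;
var respStatusCode = resp.StatusCode;
if (respStatusCode >= 400) {
    // The token endpoint's error body (error / error_description) is safe to show;
    // it carries no credentials.
    console.log("Response Status Code = " + respStatusCode);
    console.log("Response Body:");
    console.log(strRespBody);
    return;
}

var jsonResp = new CkJsonObject();
// Load returns false when the body is not valid JSON. Without this check an
// empty object would be printed and written to the token file below.
if (!jsonResp.Load(strRespBody)) {
    console.log("Token response is not valid JSON:");
    console.log(strRespBody);
    return;
}

// The response is an access token such as the following:
// {
// "token_type": "Bearer",
// "expires_in": "3600",
// "ext_expires_in": "3600",
// "expires_on": "1557864616",
// "not_before": "1557860716",
// "resource": "https://vault.azure.net",
// "access_token": "eyJ0eXAiOiJKV1QiL ... 20UFDDOHEyUg"
// }
// Only the metadata is echoed to the console. The access_token is a bearer credential:
// anyone who can read the console output (terminal scrollback, CI logs) could replay it,
// so it is deliberately not printed.
console.log("token_type:  " + jsonResp.StringOf("token_type"));
console.log("resource:    " + jsonResp.StringOf("resource"));
console.log("expires_in:  " + jsonResp.StringOf("expires_in"));
console.log("expires_on:  " + jsonResp.StringOf("expires_on"));

// If you wish, you can save the token to a file.
// The access token is generally valid for 1 hour.
// After 1 hour, you would need to get a new access token in the same way.
// The file contains the bearer token in clear text; keep it out of source control
// and readable only by the account that needs it.
jsonResp.EmitCompact = false;
success = jsonResp.WriteFile("qa_data/tokens/azureKeyVaultToken.json");
if (!success) {
    console.log(jsonResp.LastErrorText);
    return;
}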