Python (Scripting) - Obtain credentials from login.microsoftonline.com using msal PublicClientApplication

The Python msal (Microsoft Authentication Library) package can be used to submit requests to https://login.microsoftonline.com, almost always for the purpose of getting an access token.

pip list can be used to determine if the msal package is installed.

~]$ pip list
Package             Version
------------------- ---------
msal                1.24.1

 

If the msal package is not listed, pip install can be used to install the msal package.

pip install msal

 

And let's say you want to get the access token for your "foo" app that has tenant ID ccccccc-1111-2222-3333-cccccccccccccc and client ID aaaaaaaa-1111-2222-3333-aaaaaaaaaaaaa.

 

Here is an example of how to get credentials from login.microsoftonline.com.

#!/usr/bin/python3
from msal import PublicClientApplication

# Placeholder tenant ID, client ID, username and password - replace with your own
tenant_id   = "ccccccc-1111-2222-3333-cccccccccccccc"
client_id   = "aaaaaaaa-1111-2222-3333-aaaaaaaaaaaaa"
authority   = f"https://login.microsoftonline.com/{tenant_id}"
application = PublicClientApplication(client_id=client_id, authority=authority)

# Username/password sign-in; returns a dictionary holding either the tokens or an error
token       = application.acquire_token_by_username_password(username='john.doe@example.com', password='itsasecret', scopes=[])

print(f"token = {token}")

 

Which should return something like this.

token = {
  'token_type': 'Bearer', 
  'scope': 'profile openid email 00000003-0000-0000-c000-000000000000/User.Read',
  'expires_in': 5056,
  'ext_expires_in': 5056,
  'access_token': 'eyJ0e.....6qZFQ',
  'id_token': 'eyJ0e.....fXWog',
  'client_info': 'eyJ1aW.....UyIn0',
  'id_token_claims': {
    'aud': 'ccccccc-1111-2222-3333-cccccccccccccc',
    'iss': 'https://login.microsoftonline.com/ccccccc-1111-2222-3333-cccccccccccccc/v2.0',
    'iat': 1698342673,
    'nbf': 1698342673,
    'exp': 1698346573,
    'name': 'John Doe',
    'oid': 'zxcasdqwe987-9876-zdvd-1234-abcdefg123',
    'preferred_username': 'John.Doe@Example.com',
    'rh': '0.ASwAu.....csAKI.',
    'sub': 'fS-Do.....gOVo',
    'tid': 'ccccccc-1111-2222-3333-cccccccccccccc',
    'uti': 'hw0CS.....nAA',
    'ver': '2.0'
  }
}

 

If something like 'invalid_client' or "The request body must contain the following parameter: 'client_assertion' or 'client_secret'" is returned, I would first go to the Authentication page of the app in Microsoft Azure. If Allow public client flows is set to No, this means basic authentication (username/password) is not allowed. One solution here is to toggle this to Yes to allow basic authentication.

 

Or you may need to use a client secret instead. A client secret is passed as client_credential to ConfidentialClientApplication, because PublicClientApplication raises a ValueError when client_credential is set.

Here is an example of how to get an access token from login.microsoftonline.com using a client secret.

#!/usr/bin/python3
from msal import ConfidentialClientApplication

tenant_id     = "ccccccc-1111-2222-3333-cccccccccccccc"
client_id     = "aaaaaaaa-1111-2222-3333-aaaaaaaaaaaaa"
client_secret = "itsasecret"
authority     = f"https://login.microsoftonline.com/{tenant_id}"

# An app that holds a client secret is a confidential client
application   = ConfidentialClientApplication(
                  client_id=client_id,
                  authority=authority,
                  client_credential=client_secret)

# The app signs in as itself, so the scope is the resource followed by /.default
scopes        = ["https://graph.microsoft.com/.default"]
token         = application.acquire_token_for_client(scopes=scopes)

print(f"token = {token}")

 

In this scenario, make sure you have created the client secret for the app.
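
The scripts above print whatever msal returns, which is either the tokens or an error dictionary such as the 'invalid_client' case. As an added example (not from the original article), the helpers below check the result and redact token values before anything is printed or logged; the function names and the sample dictionaries are constructed for illustration, and they assume the error and error_description keys msal uses for failures.

```python
# Added example: handle the dictionary returned by msal acquire_token_* calls.
# Function names and sample values are illustrative, not part of msal.
TOKEN_KEYS = {"access_token", "id_token", "refresh_token", "client_info"}


def redact(result):
    """Return a copy of an msal result that is safe to print or log."""
    return {
        key: f"<redacted {len(value)} chars>"
        if key in TOKEN_KEYS and isinstance(value, str) else value
        for key, value in result.items()
    }


def access_token_or_raise(result):
    """Return the access token, or raise with a hint for the known failure."""
    if "access_token" in result:
        return result["access_token"]
    error = result.get("error", "unknown_error")
    description = result.get("error_description", "")
    hint = ""
    if error == "invalid_client" or "'client_secret'" in description:
        hint = (" Hint: check 'Allow public client flows' under "
                "Authentication, or use a client secret.")
    raise RuntimeError(f"{error}: {description}{hint}")


if __name__ == "__main__":
    # Constructed sample results (not real tokens or real server output).
    ok = {"token_type": "Bearer", "expires_in": 5056,
          "access_token": "eyJ0e-constructed-sample",
          "id_token": "eyJ0e-constructed-sample"}
    failed = {"error": "invalid_client",
              "error_description": "The request body must contain the "
                                   "following parameter: 'client_assertion' "
                                   "or 'client_secret'"}
    print(f"token = {redact(ok)}")
    try:
        access_token_or_raise(failed)
    except RuntimeError as exc:
        print(exc)
```
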

 



