Detailed example of how php obtains Azure Active Directory token

When calling the Azure Rest API, if it is an API belonging to Azure Resource Manager, you need to use Azure Active Directory (Azure AD) authentication to obtain a token (Token) before you can access it.

The following are the steps to create an Azure AD application and authorize it to access resources that manage Azure:

For a better reading experience, you can also click here.

Note

The following authentication methods are only applicable to Azure Resource Manager API. That is, the API with the endpoint management.chinacloudapi.cn is not applicable to the API of Azure Service Manager (the API with the endpoint management.core.chinacloudapi.cn).

Log in to your Azure account (PowerShell)

##Record the obtained TenantID for subsequent use.

Select the current subscription ID

Set the current subscription. This step needs to be performed in a multi-subscription environment:

Set-AzureRmContext -SubscriptionId <subscription ID>

Create AD application

View the newly created application object and the attribute ApplicationId, which will be used to create service credentials, role settings and Access Token later.

$azureAdApplication = New-AzureRmADApplication -DisplayName "exampleapp" -HomePage "https://www.contoso.org" -IdentifierUris "https://www.contoso.org/example" -Password "<Your_Password>"

Create Service Credentials

Azure AD Application Create Service Credentials:

New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId

After the service credential is created, it does not have any permissions initially. We need to set the permission scope for it.

Authorization

Add role settings for your service credentials. In this example, set read permissions for your service credentials to access all resources under your subscription. If you want to learn more, please refer to: Azure Role-based Access Control.

New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $azureAdApplication.ApplicationId

There are three permission settings for

RoleDefinitionName:

1. Reader has read permissions for Azure resources.

2. Contributor has administrative rights to Azure resources, but cannot authorize others.

3. Owner has management rights to Azure resources and can also authorize others to manage them.

　

Call Oauth2 API to obtain Token

In this way, the Azure AD Application is created and we can use it The following three pieces of information are used to obtain the authentication Token.

1. telent-id corresponds to the telentID used in subscription information.

2. application-id ApplicationID returned by creating the application.

3. app password The password filled in when creating the application.

To obtain the Token, use the authentication interface of Azure login oauth2. If you want to know more, please refer to this document: Using the Azure Resource Manager REST API.

Please refer to the following code:

$tenlent_id = 'Your Sub Tenlent ID';
$client_id = 'Application ID';
$client_secret = 'Application Password';

$auth_url = 'https://login.chinacloudapi.cn/'.$tenlent_id.'/oauth2/token?api-version=1.0';
$auth = curl_init($auth_url);
$post_data= 'grant_type=client_credentials&resource=https://management.chinacloudapi.cn/&client_id='.$client_id.'&client_secret='.urlencode($client_secret);

curl_setopt_array($auth, array(
CURLOPT_VERBOSE => 1,
CURLOPT_POST => 1,
CURLOPT_POSTFIELDS => $post_data,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_HTTPHEADER => array(
'Content-Type: application/x-www-form-urlencoded'
)
));
curl_exec($atuh);
echo "\n";

After executing the query, you will get the Token data, and access_token is the access Token.

{
"token_type": "Bearer",
"expires_in": "3600",
"expires_on": "1455680701",
"not_before": "1455676801",
"resource": "https://management.azure.com/",
"access_token": "eyJ0eXAiOi…"
}

Then add the Authorization Header setting to the API request you want to access, and set its value to:

Bearer must be added before Token.

Call example:

$token = 'eyJ0eXA…';
$host = 'management.chinacloudapi.cn';
$version = '2015-09-01';
$url = 'https://'.$host.'/subscriptions/5bbf0cbb-647d-4bd8-b4e6-26629f109bd7/resourceGroups/Default-MySql-ChinaNorth/providers/Microsoft.MySql/servers/poddbtest/databases/kevintest?api-version='.$version;
$ch = curl_init($url);
$data = array(
'properties' => array(
'charset' => 'utf8',
'collation' => 'utf8_general_ci'
),
);
$json = json_encode($data);

curl_setopt_array($ch, array(
CURLOPT_VERBOSE => 1,
CURLOPT_CUSTOMREQUEST => 'PUT',
CURLOPT_POSTFIELDS => $json,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_HTTPHEADER => array(
'Content-type:application/json',
'Authorization:Bearer '.$token
)
));

$ret =curl_exec($ch);
if (empty($ret)) {
    // some kind of an error happened
    echo 'Curl error: ' . curl_error($ch);
} else {
    $info = curl_getinfo($ch);
}
echo "\n";

The above is the detailed content of Detailed example of how php obtains Azure Active Directory token. For more information, please follow other related articles on the PHP Chinese website!