Client Credentials
There are two types of client credentials in MSAL Python:
- Application Secrets
- Certificates
During the registration of a confidential client application with Azure AD, a client secret (a kind of application password) is generated.
Client credentials are managed on the application's Certificates & secrets page:
- the application secret (also called the client secret) is generated by Azure AD when you select New client secret during registration of the confidential client application. At that point you must copy the secret string to the clipboard for use in your app before selecting Save; the string will not be shown to you again.
In MSAL Python, client credentials work much as they do in ADAL Python, except that the credential is passed as a parameter when the application is constructed. For an application secret, the client secret is that parameter. Once the confidential client application is constructed, acquire_token_for_client is called with the scope as a parameter.
When the application is registered with Azure AD, the public key of a certificate is uploaded. At application construction, the thumbprint and private_key_file are passed as the client credential. When it wants to acquire a token, the client application calls the acquire_token_for_client method, passing the scope as a parameter.
The steps to generate the certificate and private key used for the client credential flow are as follows:
- Generate a key:
openssl genrsa -out server.pem 2048
- Create a certificate request:
openssl req -new -key server.pem -out server.csr
- Generate a certificate:
openssl x509 -req -days 365 -in server.csr -signkey server.pem -out server.crt
- Upload this certificate (server.crt) in the Azure Portal under your application's settings. Once you save the certificate, the portal shows its thumbprint, which is needed in the acquire token call. The key is the server.pem key you generated in the first step.
- Now you can create the credential for the client credential flow using a certificate in MSAL Python as follows:
client_credential = {
    "thumbprint": <thumbprint of cert file>,
    "private_key": <private key from the private_key_file>
}
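As an added example (not code from the MSAL Python project or this wiki), the following builds either kind of client credential described above, normalizes the thumbprint copied from the portal, reads the server.pem key, and then requests an app-only token with acquire_token_for_client. The helper names, the login.microsoftonline.com authority URL and any client/tenant values you pass in are assumptions; the PEM used in the test is a constructed placeholder, not a real key.

```python
import re
from pathlib import Path

# Portal thumbprints are 40 hex chars (SHA-1), sometimes shown with
# colons or spaces; MSAL wants the bare hex string.
_THUMBPRINT_RE = re.compile(r"^[0-9A-F]{40}$")

def normalize_thumbprint(thumbprint: str) -> str:
    """Strip separators and validate the certificate thumbprint."""
    cleaned = re.sub(r"[\s:]", "", thumbprint).upper()
    if not _THUMBPRINT_RE.match(cleaned):
        raise ValueError("thumbprint must be 40 hex characters (SHA-1)")
    return cleaned

def load_private_key(path: str) -> str:
    """Read the PEM key made with `openssl genrsa` (server.pem above)."""
    pem = Path(path).read_text()
    if "-----BEGIN " not in pem or "PRIVATE KEY-----" not in pem:
        raise ValueError(f"{path} does not look like a PEM private key")
    return pem

def make_client_credential(secret=None, thumbprint=None, private_key_path=None):
    """Value MSAL takes as client_credential: a plain string for an
    application secret, or the thumbprint/private_key dict for a certificate."""
    if secret is not None:
        return secret
    return {
        "thumbprint": normalize_thumbprint(thumbprint),
        "private_key": load_private_key(private_key_path),
    }

def access_token_from(result: dict) -> str:
    """acquire_token_for_client returns a dict; fail loudly on an error reply."""
    if "access_token" in result:
        return result["access_token"]
    raise RuntimeError(f"{result.get('error')}: {result.get('error_description')}")

def acquire_app_token(client_id, tenant_id, credential, scopes):
    """Construct the confidential client and request an app-only token
    (needs network access and the msal package; authority host is assumed)."""
    import msal  # imported lazily so the helpers work without msal installed
    app = msal.ConfidentialClientApplication(
        client_id,
        authority=f"https://login.microsoftonline.com/{tenant_id}",
        client_credential=credential,
    )
    return access_token_from(app.acquire_token_for_client(scopes=scopes))
```

Call acquire_app_token with a scope such as "https://graph.microsoft.com/.default"; a bad thumbprint or a non-PEM file is rejected locally before any request is sent.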