[azure developer] uses postman to obtain the authorization token of the application registered in azure AD and set authorization for azure rest API

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources in Azure.

Problem description

When we use REST API call Azure On any resource , Need to be in Request Header Provided in the Authorization Value .

  How to get Authorizatoin The value of ？

• A quick way Is access Azure Gateway , adopt F12( Developer tools ) View in Network Requested in Header Medium Authorization value . The operation steps are shown in Appendix I
• A formal way It's using AAD API obtain Token.

The following content mainly introduces how to pass AAD API obtain Token（ Conventional operation mode ）.

 

Operation steps

One ： precondition

• stay Azure Active Directory Already in the register Application
• already installed Postman

Two ： Prepare parameters

1, obtain OAuth 2.0 Token endpoint (v2) [https://login.chinacloudapi.cn/{tenant}/oauth2/v2.0/token]

• visit AAD Application registration link ：https://portal.azure.cn/?l=zh-hans.zh-cn#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps
• Choose Application, After the page is loaded , choice “ endpoints ” Button .

 

 

2, Get directory ( Tenant ) ID [tenant]

3, obtain Applications ( client ) ID[client_id]

An overview of the application (Overview) Copy the tenant in the page (tenant), client (client id). See the three groups in the picture above GUID Numbers .

4, Get the client password [client_secret]

• stay AAD Application page , Get into “ Certificates and passwords ” page , Click on “ New client password ” Button , Add new Secret（ Because the password value can only be seen at the beginning of creation , So you have to copy it before you leave the page ）

 

 

notes ： Calling OAuth 2.0 obtain token When , You also need to set scope and grant_type, In the current example , Separate use https://microsoftgraph.chinacloudapi.cn/.default and client_credentials Value

scope:	https://microsoftgraph.chinacloudapi.cn/.default
grant_type:	client_credentials

3、 ... and ： call Token endpoints

Use Postman call Token endpoints , All the parameters are ：

Request mode	POST
request URL	https://login.chinacloudapi.cn/{TENANT}/oauth2/v2.0/token
request Body
tenant:{TENANT} client_id:{CLIENT ID} scope:https://microsoftgraph.chinacloudapi.cn/.default grant_type:client_credentials client_secret:{SECRET VALUE}
Response after successful request Body
{     "token_type": "Bearer",     "expires_in": 3599,     "ext_expires_in": 3599,     "access_token": "eyJ0eXAiOiJKV1QiLCJub25jZSI6IjFJRk1tbFNMcnV1 ... ... ... ...  W0Da3_LzLhdNA" }

Postman Screenshot description ：

 

Get access_token After the value of , Can be used as Auzre REST API Interface Authroization Value .

Four ： analysis Token

visit https://jwt.io/, Can decode Token Content , View the current Token The permissions carried in (Role). Demonstration operation ：

 

Reference material

What is? Azure Active Directory？https://docs.azure.cn/zh-cn/active-directory/fundamentals/active-directory-whatis
Microsoft Graph REST API v1.0 reference: https://docs.microsoft.com/en-us/graph/api/overview?view=graph-rest-1.0

 

Appendix a ： adopt F12( Developer tools ) View in Network in Request Of Header Medium Authorization value