1 # Azure Active Directory authentication for Go
3 This is a standalone package for authenticating with Azure Active
4 Directory from other Go libraries and applications, in particular the [Azure SDK
5 for Go](https://github.com/Azure/azure-sdk-for-go).
7 Note: Despite the package's name it is not related to other "ADAL" libraries
8 maintained in the [github.com/AzureAD](https://github.com/AzureAD) org. Issues
9 should be opened in [this repo's](https://github.com/Azure/go-autorest/issues)
10 or [the SDK's](https://github.com/Azure/azure-sdk-for-go/issues) issue
16 go get -u github.com/Azure/go-autorest/autorest/adal
21 An Active Directory application is required in order to use this library. An application can be registered in the [Azure Portal](https://portal.azure.com/) by following these [guidelines](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications) or using the [Azure CLI](https://github.com/Azure/azure-cli).
23 ### Register an Azure AD Application with secret
26 1. Register a new application with a `secret` credential
30 --display-name example-app \
31 --homepage https://example-app/home \
32 --identifier-uris https://example-app/app \
36 2. Create a service principal using the `Application ID` from previous step
39 az ad sp create --id "Application ID"
42 * Replace `Application ID` with `appId` from step 1.
44 ### Register an Azure AD Application with certificate
46 1. Create a private key
49 openssl genrsa -out "example-app.key" 2048
52 2. Create the certificate
55 openssl req -new -key "example-app.key" -subj "/CN=example-app" -out "example-app.csr"
56 openssl x509 -req -in "example-app.csr" -signkey "example-app.key" -out "example-app.crt" -days 10000
59 3. Create the PKCS12 version of the certificate containing also the private key
62 openssl pkcs12 -export -out "example-app.pfx" -inkey "example-app.key" -in "example-app.crt" -passout pass:
66 4. Register a new application with the certificate content form `example-app.crt`
69 certificateContents="$(tail -n+2 "example-app.crt" | head -n-1)"
72 --display-name example-app \
73 --homepage https://example-app/home \
74 --identifier-uris https://example-app/app \
75 --key-usage Verify --end-date 2018-01-01 \
76 --key-value "${certificateContents}"
79 5. Create a service principal using the `Application ID` from previous step
82 az ad sp create --id "APPLICATION_ID"
85 * Replace `APPLICATION_ID` with `appId` from step 4.
88 ### Grant the necessary permissions
90 Azure relies on a Role-Based Access Control (RBAC) model to manage the access to resources at a fine-grained
91 level. There is a set of [pre-defined roles](https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles)
92 which can be assigned to a service principal of an Azure AD application depending of your needs.
95 az role assignment create --assigner "SERVICE_PRINCIPAL_ID" --role "ROLE_NAME"
98 * Replace the `SERVICE_PRINCIPAL_ID` with the `appId` from previous step.
99 * Replace the `ROLE_NAME` with a role name of your choice.
101 It is also possible to define custom role definitions.
104 az role definition create --role-definition role-definition.json
107 * Check [custom roles](https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles) for more details regarding the content of `role-definition.json` file.
110 ### Acquire Access Token
112 The common configuration used by all flows:
115 const activeDirectoryEndpoint = "https://login.microsoftonline.com/"
116 tenantID := "TENANT_ID"
117 oauthConfig, err := adal.NewOAuthConfig(activeDirectoryEndpoint, tenantID)
119 applicationID := "APPLICATION_ID"
121 callback := func(token adal.Token) error {
122 // This is called after the token is acquired
125 // The resource for which the token is acquired
126 resource := "https://management.core.windows.net/"
129 * Replace the `TENANT_ID` with your tenant ID.
130 * Replace the `APPLICATION_ID` with the value from previous section.
132 #### Client Credentials
135 applicationSecret := "APPLICATION_SECRET"
137 spt, err := adal.NewServicePrincipalToken(
147 // Acquire a new access token
154 * Replace the `APPLICATION_SECRET` with the `password` value from previous section.
156 #### Client Certificate
159 certificatePath := "./example-app.pfx"
161 certData, err := ioutil.ReadFile(certificatePath)
163 return nil, fmt.Errorf("failed to read the certificate file (%s): %v", certificatePath, err)
166 // Get the certificate and private key from pfx file
167 certificate, rsaPrivateKey, err := decodePkcs12(certData, "")
169 return nil, fmt.Errorf("failed to decode pkcs12 certificate while creating spt: %v", err)
172 spt, err := adal.NewServicePrincipalTokenFromCertificate(
180 // Acquire a new access token
187 * Update the certificate path to point to the example-app.pfx file which was created in previous section.
193 oauthClient := &http.Client{}
195 // Acquire the device code
196 deviceCode, err := adal.InitiateDeviceAuth(
202 return nil, fmt.Errorf("Failed to start device auth flow: %s", err)
205 // Display the authentication message
206 fmt.Println(*deviceCode.Message)
208 // Wait here until the user is authenticated
209 token, err := adal.WaitForUserCompletion(oauthClient, deviceCode)
211 return nil, fmt.Errorf("Failed to finish device auth flow: %s", err)
214 spt, err := adal.NewServicePrincipalTokenFromManualToken(
226 #### Username password authenticate
229 spt, err := adal.NewServicePrincipalTokenFromUsernamePassword(
242 #### Authorization code authenticate
245 spt, err := adal.NewServicePrincipalTokenFromAuthorizationCode(
260 ### Command Line Tool
262 A command line tool is available in `cmd/adal.go` that can acquire a token for a given resource. It supports all flows mentioned above.
268 -applicationId string
270 -certificatePath string
271 path to pk12/PFC application certificate
273 authentication mode (device, secret, cert, refresh) (default "device")
275 resource for which the token is requested
280 -tokenCachePath string
281 location of oath token cache (default "/home/cgc/.adal/accessToken.json")
284 Example acquire a token for `https://management.core.windows.net/` using device code flow:
288 -applicationId "APPLICATION_ID" \
289 -tenantId "TENANT_ID" \
290 -resource https://management.core.windows.net/