

Azure tweak, cred and cert auth flows use Resource Manager resource for token request.
rmbolger committed Aug 27, 2024
1 parent 8255674 commit 411eaf0
Showing 1 changed file with 4 additions and 8 deletions.
12 changes: 4 additions & 8 deletions Posh-ACME/Plugins/Azure.ps1
Expand Up @@ -373,20 +373,16 @@ function ConvertFrom-AccessToken {
# decode the claims
$claims = $payload | ConvertFrom-Base64Url | ConvertFrom-Json -EA Stop

# make sure the audience claim is correct
if (-not $claims.aud -or $claims.aud -ne "$($script:AZEnvironment.ResourceManagerUrl)/") {
Write-Debug "`$claims.aud = $($claims.aud)"
throw "The provided access token has missing or incorrect audience claim. Expected: $($script:AZEnvironment.ResourceManagerUrl)/"
}

# make sure the token hasn't expired
$expires = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp)
Write-Debug "Found exp '$($claims.exp)' in decoded access token"
if ((Get-DateTimeOffsetNow) -gt $expires) {
throw "The provided access token expired since $($expires.ToString('u'))"
}

# return an object that contains the 'expires_on' property along with the token
# which is what we care about from the other normal logon methods
Write-Debug "Found tid '$($claims.tid)' in decoded access token"
return [pscustomobject]@{
expires_on = $claims.exp
access_token = $AZAccessToken
Expand Down Expand Up @@ -539,7 +535,7 @@ function Connect-AZTenant {
Write-Verbose "Authenticating with password based credential"
$clientId = [uri]::EscapeDataString($AZAppUsername)
$clientSecret = [uri]::EscapeDataString($AZAppPasswordInsecure)
$resource = [uri]::EscapeDataString("$($script:AZEnvironment.ManagementUrl)/")
$resource = [uri]::EscapeDataString("$($script:AZEnvironment.ResourceManagerUrl)/")
$authBody = "grant_type=client_credentials&client_id=$clientId&client_secret=$clientSecret&resource=$resource"
try {
$tokResponse = Invoke-RestMethod "$($script:AZEnvironment.ActiveDirectoryUrl)/$($AZTenantId)/oauth2/token" `
Expand Down Expand Up @@ -625,7 +621,7 @@ function Connect-AZTenant {
Write-Verbose "Authenticating with certificate based credential"
$clientId = [uri]::EscapeDataString($AZAppUsername)
$assertType = [uri]::EscapeDataString('urn:ietf:params:oauth:client-assertion-type:jwt-bearer')
$resource = [uri]::EscapeDataString("$($script:AZEnvironment.ManagementUrl)/")
$resource = [uri]::EscapeDataString("$($script:AZEnvironment.ResourceManagerUrl)/")

# build the JWT
$jwtHead = @{
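Review bot: The first hunk in ConvertFrom-AccessToken appears to drop the `$claims.aud` check entirely (the rendered page loses the +/- markers, so this is inferred from the 20-to-16 line count and the 8-deletion diffstat), which means a caller-supplied token minted for an unrelated resource is no longer rejected here and only fails later at the Resource Manager call with a less specific error. Since the password and certificate branches of Connect-AZTenant now request `ResourceManagerUrl` while tokens obtained before this change may still carry the `ManagementUrl` audience, accepting both would keep the early fail-fast check without breaking existing callers: `$validAud = @("$($script:AZEnvironment.ResourceManagerUrl)/", "$($script:AZEnvironment.ManagementUrl)/")` followed by `if (-not $claims.aud -or $claims.aud -notin $validAud) { throw "The provided access token has missing or incorrect audience claim." }`. If the check was removed deliberately, a one-line comment at that spot stating the reason would help the next reader understand why the token is no longer validated locally. Both ConvertFrom-AccessToken and Connect-AZTenant start and continue outside the visible hunks.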

