# Test Azure Function - GetSPToken Endpoint

This notebook tests the local Azure Function running at `http://localhost:7071/api/GetSPToken`.

**Prerequisites:**
- Function host must be running: `func start`
- Azure CLI must be logged in: `az login`
- Valid Azure AD token will be automatically retrieved

In [43]:
import requests
import json
import subprocess
from datetime import datetime

print("✓ Libraries imported successfully")

✓ Libraries imported successfully


In [34]:
# Configuration
BASE_URL = "http://localhost:7071/api"
FUNCTION_ENDPOINT = f"{BASE_URL}/GetSPToken"
TARGET_SCOPE = "https://management.azure.com/.default"

print(f"Function Endpoint: {FUNCTION_ENDPOINT}")
print(f"Target Scope: {TARGET_SCOPE}")

Function Endpoint: http://localhost:7071/api/GetSPToken
Target Scope: https://management.azure.com/.default


In [35]:
import shutil
import os

# Check if Azure CLI is installed
az_path = shutil.which('az')
if az_path:
    print(f"✓ Azure CLI found at: {az_path}")
    AZ_COMMAND = az_path  # Use the full path
else:
    # Try common Windows Azure CLI installation paths
    common_paths = [
        r"C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az.cmd",
        r"C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd",
        r"C:\Program Files\Azure CLI\az.cmd"
    ]
    
    AZ_COMMAND = None
    for path in common_paths:
        if os.path.exists(path):
            print(f"✓ Azure CLI found at: {path}")
            AZ_COMMAND = path
            break
    
    if not AZ_COMMAND:
        print("✗ Azure CLI not found in PATH or common locations")
        print("  Install it from: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli")

# Also check environment PATH
print(f"\nPATH environment variable includes:")
for path in os.environ.get('PATH', '').split(os.pathsep)[:5]:
    print(f"  - {path}")

✓ Azure CLI found at: C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az.CMD

PATH environment variable includes:
  - d:\fabric-functionHubSpoke\.venv\Scripts
  - C:\Program Files\Microsoft\jdk-17.0.17.10-hotspot\bin
  - C:\Program Files\PowerShell\7
  - C:\Program Files\Eclipse Adoptium\jdk-25.0.1.8-hotspot\\bin
  - C:\Program Files\Eclipse Adoptium\jdk-25.0.1.8-hotspot\bin


In [39]:
# Get Azure AD Token using Azure CLI
print("Retrieving Azure AD token...\n")

if AZ_COMMAND is None:
    print("✗ Cannot retrieve token: Azure CLI is not installed")
    print("  Please install Azure CLI from: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli")
    token = None
else:
    try:
        result = subprocess.run(
            [AZ_COMMAND, "account", "get-access-token", 
             "--resource", "https://management.azure.com",
             "--query", "accessToken",
             "--output", "tsv"],
            capture_output=True,
            text=True,
            timeout=10
        )
        
        if result.returncode == 0:
            token = result.stdout.strip()
            print(f"✓ Token retrieved successfully")
            print(f"  Token length: {len(token)} characters")
            print(f"  Token preview: {token[:50]}...")
        else:
            print(f"✗ Error retrieving token:")
            print(f"  Error: {result.stderr}")
            if "not logged in" in result.stderr.lower():
                print("  → Run 'az login' to authenticate with Azure")
            token = None
    except Exception as e:
        print(f"✗ Exception: {e}")
        token = None

Retrieving Azure AD token...

✓ Token retrieved successfully
  Token length: 3008 characters
  Token preview: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6InNNMV...


In [38]:
# For local testing, we can use any Bearer token (JWT validation is skipped in local dev mode)
# Let's reuse the management token or just use a dummy one for local dev

print("Preparing Bearer token for API call...\n")

# Try to use the token from the previous cell, or the management token
if 'token' in locals() and token:
    print(f"✓ Using existing token for API call")
    print(f"  Token length: {len(token)} characters")
    print(f"  Token preview: {token[:50]}...")
else:
    print("⚠ No token available - function will use local dev mode (JWT validation skipped)")
    token = "local-dev-token"  # Placeholder for local testing

Retrieving Azure AD token with correct Function App audience...

✗ Error retrieving token:
  Error: ERROR: AADSTS100040: AppId: '04b07795-8ddb-461a-bbee-02f9e1bf7b46' can not use Managed Service Identity (MSI) as audience in token as it is unsupported. MSI should not be set as audience as it does not accept tokens. Trace ID: 19b87e48-eb88-4023-b3ea-16c495970b00 Correlation ID: e23a55f4-4b09-4def-b159-2d56c9702b07 Timestamp: 2026-02-23 20:58:43Z
Run the command below to authenticate interactively; additional arguments may be added as needed:
az logout
az login --tenant "c869cf92-11d8-4fbc-a7cf-6114d160dd71" --scope "1dbe7604-4c66-4d06-859e-06230744526c/.default"



In [41]:
# Test the GetSPToken Endpoint
print(f"\n{'='*60}")
print("Testing GetSPToken Endpoint")
print(f"{'='*60}\n")

if token is None:
    print("✗ Cannot test without a valid token")
else:
    try:
        # Prepare request
        headers = {
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json"
        }
        
        body = {
            "targetScope": TARGET_SCOPE
        }
        
        print(f"Request Details:")
        print(f"  Method: POST")
        print(f"  URL: {FUNCTION_ENDPOINT}")
        print(f"  Body: {json.dumps(body, indent=2)}")
        print(f"\n  Authorization: Bearer {token[:50]}...\n")
        
        # Make request
        print("Sending request...")
        response = requests.post(
            FUNCTION_ENDPOINT,
            headers=headers,
            json=body,
            timeout=10
        )
        
        # Display results
        print(f"✓ Response received!")
        print(f"  Status Code: {response.status_code}")
        print(f"  Content-Type: {response.headers.get('Content-Type', 'N/A')}")
        print(f"  Response Time: {response.elapsed.total_seconds():.2f}s\n")
        
        # Parse and display response body
        if response.status_code == 200:
            result_data = response.json()
            print("✓ Success Response:")
            print(json.dumps(result_data, indent=2))
        else:
            print(f"✗ Error Response ({response.status_code}):")
            try:
                print(json.dumps(response.json(), indent=2))
            except:
                print(response.text)
                
    except requests.exceptions.ConnectionError:
        print("✗ Connection Error!")
        print("  Make sure the function host is running: func start")
    except requests.exceptions.Timeout:
        print("✗ Request Timeout")
    except Exception as e:
        print(f"✗ Exception: {e}")


Testing GetSPToken Endpoint

Request Details:
  Method: POST
  URL: http://localhost:7071/api/GetSPToken
  Body: {
  "targetScope": "https://management.azure.com/.default"
}

  Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6InNNMV...

Sending request...
✓ Response received!
  Status Code: 200
  Content-Type: application/json
  Response Time: 5.70s

✓ Success Response:
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6InNNMV95QXhWOEdWNHlOLUI2ajJ4em1pazVBbyIsImtpZCI6InNNMV95QXhWOEdWNHlOLUI2ajJ4em1pazVBbyJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuYXp1cmUuY29tIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvYzg2OWNmOTItMTFkOC00ZmJjLWE3Y2YtNjExNGQxNjBkZDcxLyIsImlhdCI6MTc3MTg4MDE0NCwibmJmIjoxNzcxODgwMTQ0LCJleHAiOjE3NzE4ODQwNDQsImFpbyI6IkFXUUFtLzhiQUFBQTVqQjlydE1jdk43TkZnWjdySWREMGVmb0VQYWl1bzdCdGQrMk4yYVdUNXBnaVB5cUE1MCt2dmlFMDhDaU9UekpHQXNZcUVyWjF6QnFKSEdtM2tSaHJDcUtBcDFUclJRbWhUMnhWZDJ1NVo3UzBFZng5TEJOcUlLZE5ZRTdhYXl1IiwiYXBwaWQiOiJiODZhYThlMi0wMjdiLTQ4ODUtYTM0OS1

In [42]:
import base64
import jwt
from datetime import datetime

# Validate the SP Token returned by the production function
print(f"\n{'='*60}")
print("Validating Service Principal Token (Production API)")
print(f"{'='*60}\n")

if 'result_data' not in globals() or result_data is None:
    print("✗ No response data available. Run the endpoint test first.")
else:
    try:
        # Check for error in response
        if result_data.get('error'):
            print(f"✗ API Error: {result_data.get('error')}")
            print(f"  Message: {result_data.get('message', 'N/A')}")
            exit(1)
        
        # Extract token from response
        sp_token = result_data.get('access_token')
        
        if not sp_token:
            print("✗ No access token in response")
            print(f"Response data: {json.dumps(result_data, indent=2)}")
        else:
            print(f"✓ SP Token received from production API")
            print(f"  Token length: {len(sp_token)} characters")
            print(f"  Token type: {result_data.get('token_type')}")
            print(f"  Expires in: {result_data.get('expires_in')} seconds\n")
            
            # Decode JWT (without verification for inspection)
            try:
                decoded = jwt.decode(sp_token, options={"verify_signature": False})
                
                print("✓ SP Token Details:")
                print(f"  Issuer: {decoded.get('iss', 'N/A')}")
                print(f"  Service Principal AppID: {decoded.get('appid', 'N/A')}")
                print(f"  Audience: {decoded.get('aud', 'N/A')}")
                print(f"  Issued At: {datetime.fromtimestamp(decoded.get('iat', 0))}")
                
                # Check expiration
                exp_timestamp = decoded.get('exp')
                if exp_timestamp:
                    exp_datetime = datetime.fromtimestamp(exp_timestamp)
                    now = datetime.now()
                    if exp_datetime > now:
                        time_remaining = (exp_datetime - now).total_seconds() / 3600
                        print(f"  ✓ Expires in: {time_remaining:.2f} hours")
                
                print(f"\n✓ Caller Information:")
                caller = result_data.get('caller', {})
                print(f"  Type: {caller.get('type')} - {'Interactive User' if caller.get('type') == 'USER' else 'Pipeline/MSI'}")
                print(f"  OID: {caller.get('oid')}")
                print(f"  Display: {caller.get('display')}")
                print(f"  Is Pipeline: {caller.get('is_pipeline')}")
                
                print(f"\n✓ Service Principal Token is VALID and ready to use!")
                
            except jwt.DecodeError as e:
                print(f"✗ Failed to decode token: {e}")
                
    except Exception as e:
        print(f"✗ Exception: {e}")
        import traceback
        traceback.print_exc()


Validating Service Principal Token (Production API)

✓ SP Token received from production API
  Token length: 1868 characters
  Token type: Bearer
  Expires in: 3599 seconds

✓ SP Token Details:
  Issuer: https://sts.windows.net/c869cf92-11d8-4fbc-a7cf-6114d160dd71/
  Service Principal AppID: b86aa8e2-027b-4885-a349-ff7c929bf95b
  Audience: https://management.azure.com
  Issued At: 2026-02-23 15:55:44
  ✓ Expires in: 1.00 hours

✓ Caller Information:
  Type: USER - Interactive User
  OID: local-test-user
  Display: local-dev@test.com
  Is Pipeline: False

✓ Service Principal Token is VALID and ready to use!
