# Azure Entra ID Client Example

In this notebook, we'll demonstrate how you, as a programmatic client, can call Azure Entra ID to receive an appropriate JSON web token (JWT) to represent that you have appropriate security and authorization. We'll stop short of demonstrating how we would pass this JWT to the secured application we're looking to invoke.

## Notebook Setup
In this brief section, we'll set ourselves up for success by importing the required Python packages and load up sensitive credentials from a local `.env` file. Using a `.gitignore` file, you will not see this file in GitHub. In terms of this notebook, the only sensitive credential we will be using is the Entra ID client secret.

In [1]:
# Importing the necessary Python libraries
import os
import jwt
import json
import msal
from dotenv import load_dotenv

# Loading sensitive credentials from a local .env file (Not uploaded to GitHub!)
load_dotenv("../.env")

True

## Entra ID Setup
We'll now establish all our information we'll need to appropriately invoke Entra ID. Please note: this information will be proprietary to YOU! The code I am testing with will no longer work even for myself as I am continuously rebuilding / redestroying the Azure Entra ID infrastructure. If you would like to see Terraform to build the Entra ID resources, including the Entra ID client we are using here, please see the Terraform code under `/terraform/azure` directory at the root of this repo.

In [2]:
# Setting all the Entra ID information
ENTRA_TENANT_ID = '8a38e389-2bd0-416c-82c8-c6cd072a20b7'
ENTRA_CLIENT_ID = '1c9a45b5-75ac-4db0-8070-41a1466ee4f7'
ENTRA_CLIENT_SECRET = os.environ['ENTRA_CLIENT_SECRET']
ENTRA_SERVER_API = 'api://8a38e389-2bd0-416c-82c8-c6cd072a20b7/my-example-api'

In [3]:
# Establishing the object for connecting to client Entra ID app registration
entra_app_registration = msal.ConfidentialClientApplication(
    client_id = ENTRA_CLIENT_ID,
    client_credential = ENTRA_CLIENT_SECRET,
    authority = f'https://login.microsoftonline.com/{ENTRA_TENANT_ID}'
)

## Getting Credentials from Entra ID
Now that we have set up what we need to get our credentials in Azure Entra ID, we are ready to retrieve those credentials from Entra ID!

In [4]:
# Fetching the response from the Entra ID issuer
response = entra_app_registration.acquire_token_for_client(
    scopes = [
        f'{ENTRA_SERVER_API}/.default'
    ]
)

# Getting the JWT token from the response
token = response['access_token']

In [None]:
# Getting the JWT token from the response
token = response['access_token']

# Decoding the JWT token
decoded_token = jwt.decode(token, options = {"verify_signature": False})

# Printing the decoded JWT token in a readable format
print(json.dumps(decoded_token, indent = 4))

{
    "aud": "api://8a38e389-2bd0-416c-82c8-c6cd072a20b7/my-example-api",
    "iss": "https://sts.windows.net/8a38e389-2bd0-416c-82c8-c6cd072a20b7/",
    "iat": 1771549673,
    "nbf": 1771549673,
    "exp": 1771553573,
    "aio": "k2ZgYOi4fkOz6KnQhHP6r6w1VzyqBgA=",
    "appid": "1c9a45b5-75ac-4db0-8070-41a1466ee4f7",
    "appidacr": "1",
    "idp": "https://sts.windows.net/8a38e389-2bd0-416c-82c8-c6cd072a20b7/",
    "oid": "520b738f-73e4-44e0-a148-1ff4b0050956",
    "rh": "1.AUYAieM4itArbEGCyMbNByogtzWVUOsRPDZMtfMY7Q9NEDAAAABGAA.",
    "roles": [
        "MyApi.Read",
        "MyApi.Write"
    ],
    "sub": "520b738f-73e4-44e0-a148-1ff4b0050956",
    "tid": "8a38e389-2bd0-416c-82c8-c6cd072a20b7",
    "uti": "2pcA_EWzGEeJ3_txXq2fAA",
    "ver": "1.0",
    "xms_ftd": "V1tEr38ZMquQRNLlVLDr6bU4FeDJFaGL_lYQiksOyo4BdXNzb3V0aC1kc21z"
}
