Add username + password authentication for service principals #31

Closed
djberg96 opened this issue Jul 10, 2015 · 5 comments

Comments

@djberg96
Collaborator

At the moment we require a client key, client ID and tenant ID for an application with access to the subscription in order to use the gem.

We should also allow authentication with just a username (service principal) and password, which is what the CLI allows with "azure login".

This should be pure Ruby, and only be implemented if no UI interaction and/or external web server is required.

@devigned

This is going to be sketchy depending on whether the user has multi-factor auth turned on.

Check out: https://github.com/AzureAD/azure-activedirectory-library-for-nodejs/blob/master/lib/token-request.js. This is what the CLI uses.

@devigned

To expand a little more on my previous comment: it's recommended that service principals (tenant id, application id, client id, client secret) are used in automation environments.

Username and password authentication is recommended for interactive scenarios.

Azure CLI and PowerShell can help with provisioning of these Azure Active Directory constructs through the following.

$ azure ad
help:    Commands to display active directory objects
help:
help:    Commands to display active directory applications
help:      ad app create [options]
help:      ad app delete [options] <object-id>
help:
help:    Commands to display active directory groups
help:      ad group list [options]
help:      ad group show [options]
help:
help:    Commands to provide an active directory sub group or member info
help:      ad group member list [options] [objectId]
help:
help:    Commands to display active directory service principals
help:      ad sp list [options]
help:      ad sp show [options]
help:      ad sp create [options] <application-id>
help:      ad sp delete [options] <object-id>
help:
help:    Commands to display active directory users
help:      ad user list [options]
help:      ad user show [options]
help:
help:    Options:
help:      -h, --help  output usage information

@djberg96
Collaborator Author

djberg96 commented Dec 4, 2015

@devigned I've tried looking at the source, but I'm just not getting it. This is basically what we're doing now:

require 'json'
require 'rest-client'

tenant_id   = 'xxxxxxx'
client_id   = 'xxxxxxx'   # application (client) ID of the service principal
client_key  = 'xxxxxxx'   # client secret
resource_id = 'xxxxxxx'   # URI of the API the token is requested for
authority   = "https://login.windows.net/"
token_url   = authority + tenant_id + "/oauth2/token"

# Use client credentials approach (form-encoded POST to the token endpoint)
response = RestClient.post(
  token_url,
  :grant_type    => 'client_credentials',
  :client_id     => client_id,
  :client_secret => client_key,
  :resource      => resource_id
)

# Get token from the JSON response body
token = JSON.parse(response.body)['access_token']

url = "https://management.azure.com/subscriptions/?api-version=2015-01-01"

# Pass token on all future requests
resp = RestClient.get(
  url,
  :content_type  => 'application/json',
  :authorization => 'Bearer ' + token
)

Is it simple to modify this to make it work with username + password? Or more involved?
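The two token requests being compared above, as an added example that is not the gem's own code and not posted by either participant. It builds the form body for the existing client_credentials grant and for the username + password grant (the OAuth2 "resource owner password credentials" grant, grant_type=password) against the same Azure AD v1 token endpoint, and normalises the reply. The HTTP call is injectable, so the demo runs offline against constructed responses; the field names expires_on and error_description, the resource URL, the tenant and account names, and the refusal shown for the password grant are assumptions made for the example, not captured traffic.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Added example, not the gem's own code. Builds the two token requests
# discussed in this thread and normalises the response. The transport is
# injectable so the demo below runs offline against constructed responses.
module AzureTokenExample
  AUTHORITY = 'https://login.windows.net/'
  # Audience for Azure Resource Manager (assumed; use what your API expects).
  RESOURCE  = 'https://management.core.windows.net/'

  def self.token_url(tenant_id)
    "#{AUTHORITY}#{tenant_id}/oauth2/token"
  end

  # Service principal login: what the gem already does.
  def self.client_credentials_params(client_id:, client_secret:, resource: RESOURCE)
    { 'grant_type' => 'client_credentials', 'client_id' => client_id,
      'client_secret' => client_secret, 'resource' => resource }
  end

  # Username + password login (OAuth2 resource owner password credentials
  # grant). A client_id is still required: it names the application the
  # user signs in through. This grant has no way to complete an MFA
  # challenge, so a tenant that enforces MFA answers with an error.
  def self.password_params(client_id:, username:, password:, resource: RESOURCE)
    { 'grant_type' => 'password', 'client_id' => client_id,
      'username' => username, 'password' => password, 'resource' => resource }
  end

  # Real transport: form-encoded POST over TLS, returns [status, body].
  def self.http_post(url, params)
    res = Net::HTTP.post_form(URI(url), params)
    [res.code.to_i, res.body]
  end

  # Sends the request and returns a hash with :ok plus either the token
  # fields or the error fields. Never log +params+: they carry secrets.
  def self.request_token(tenant_id, params, transport: method(:http_post))
    status, body = transport.call(token_url(tenant_id), params)
    data = JSON.parse(body)
    if status == 200 && data['access_token']
      { ok: true, access_token: data['access_token'],
        token_type: data['token_type'], expires_on: Integer(data['expires_on']) }
    else
      { ok: false, status: status, error: data['error'],
        description: data['error_description'] }
    end
  end

  # Header value for calls to management.azure.com once a token is in hand.
  def self.bearer_header(result)
    raise ArgumentError, 'no token' unless result[:ok]
    "Bearer #{result[:access_token]}"
  end

  # True if the token expires within +skew+ seconds: refresh before using it.
  def self.expired?(result, now: Time.now.to_i, skew: 300)
    now + skew >= result[:expires_on]
  end

  # Constructed responses (not captured from Azure AD) so the demo runs offline.
  FAKE_OK  = JSON.generate('token_type' => 'Bearer', 'expires_in' => '3600',
                           'expires_on' => '1436569200', 'access_token' => 'eyJ0.example.token')
  FAKE_ERR = JSON.generate('error' => 'invalid_grant',
                           'error_description' => 'constructed: interactive sign-in required')

  # Offline transport: the service principal succeeds, the password grant is refused.
  FAKE_TRANSPORT = lambda do |url, params|
    raise "unexpected url #{url}" unless url == AzureTokenExample.token_url('contoso-tenant')
    params['grant_type'] == 'client_credentials' ? [200, FAKE_OK] : [400, FAKE_ERR]
  end

  def self.demo
    sp = request_token('contoso-tenant',
                       client_credentials_params(client_id: 'app-id', client_secret: 'app-secret'),
                       transport: FAKE_TRANSPORT)
    user = request_token('contoso-tenant',
                         password_params(client_id: 'app-id', username: 'alice@contoso.example',
                                         password: 'pw'),
                         transport: FAKE_TRANSPORT)
    { sp: sp, user: user }
  end
end

if __FILE__ == $0
  r = AzureTokenExample.demo
  puts "service principal: ok=#{r[:sp][:ok]} #{AzureTokenExample.bearer_header(r[:sp])}"
  puts "password grant:    ok=#{r[:user][:ok]} #{r[:user][:error]} (#{r[:user][:description]})"
end
```

The only change between the two requests is the form body; the endpoint, the Bearer header and the expiry handling are identical. That is also why the password grant does not help with MFA: there is no second round trip in which a challenge could be answered, so the endpoint can only refuse.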

@devigned

This is a little late, so I apologize...

If you have multi-factor auth on, you will have to get the token through interactive login. If you'd like to do anything non-interactive, the guidance is to create a service principal. See: https://azure.microsoft.com/en-us/documentation/articles/resource-group-authenticate-service-principal/#authenticate-service-principal-with-password---azure-cli

@djberg96
Collaborator Author

I think this is pretty much off the table, as it appears it would require firing up a web server and listening on an endpoint. We'll stick to service principal authentication.
