
We are working on our dev environment around Azure ML and Python.

As part of this, we are using azure-identity (DefaultAzureCredential) for authorization. This is going to either match a CLI credential or a "VSCode-logged-in" credential.

We would programmatically like to know which user (identified by email address or ID) is currently present. How would we do this?

from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()
token = credential.get_token("https://management.azure.com/", scopes=["user.read"])

current_user_id = ???

Update 1

As suggested by @xyan I can deconstruct the token to retrieve information about user accounts:

import json
import base64
from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()
token = credential.get_token("https://management.azure.com/", scopes=["user.read"])

# JWT segments are base64url-encoded without padding: use the URL-safe
# alphabet and restore the padding before decoding
base64_meta_data = token.token.split(".")[1]
base64_meta_data += "=" * (-len(base64_meta_data) % 4)
json_bytes = base64.urlsafe_b64decode(base64_meta_data)
json_string = json_bytes.decode("utf-8")
json_dict = json.loads(json_string)
current_user_id = json_dict["upn"]
print(f"{current_user_id=}")

This works for user accounts, but not for service principals. In that case, it fails retrieving the token:

DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
    EnvironmentCredential: Authentication failed: ClientApplication.acquire_token_silent_with_error() got multiple values for argument 'scopes'

What would be a proper scope that could retrieve upn/oid for various types of clients?

casparjespersen
  • Provide more information: what is it you're attempting to do? Are you wanting to list logged-in users using the Azure ML service, or get identity claim information on the current user logged in to Azure ML? The snippet code provided, token, is the access token (see content https://www.jstoolset.com/jwt) to a resource for an identity. DefaultAzureCredential automatically looks for credentials in 5 specific "locations", see diagram, https://learn.microsoft.com/en-us/python/api/overview/azure/identity-readme?view=azure-python – MZM Dec 07 '22 at 16:52
  • @MZM I would like to know who the acquired credential belongs to. We are on an AD setup, so "users" would be devs all in our company: foo@ourcompany.com, bar@ourcompany.com, etc. Hence, I need a mapping from the acquired credential to this email address (or some equivalent unique ID, to which I can identify them later on again). Essentially like doing an `az account show` and reading $.user.email. – casparjespersen Dec 08 '22 at 07:00
  • From the doc: "upn (String): The username of the user. May be a phone number, email address, or unformatted string. Should only be used for display purposes and providing username hints in reauthentication scenarios." here, https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens. View the payload of the token, and see what (default Microsoft) fields are included for a service principal. If upn is not passed then maybe there is a way to include it. – MZM Dec 12 '22 at 15:22
  • This site provides step-by-step instructions for adding custom JWT attributes for a service principal in code and using Azure AD Claims Policy (includes reference links): https://ssrikantan.github.io/blog/2020/02/28/az-ad-jwt-token-custom-attribs. – MZM Dec 12 '22 at 16:04

1 Answer

You can try parsing the token to get the client id and tenant id information. Sample code: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/azure/identity/_internal/decorators.py#L38.

(I work in the Azure SDK team in Microsoft)

Xiang Yan
  • Thanks @xyan. This works for user accounts, but fails on service principals (token acquisition fails). I have updated my original question with details. Could you suggest an alternative scope to query that would work for both? – casparjespersen Dec 10 '22 at 08:11
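
Putting the answer's suggestion together with the question's update, as an added example (not code from the question, the answer, or the azure-identity SDK): it decodes the JWT payload with the base64url alphabet that JWTs actually use, reads claims that exist for both users and service principals, and passes the scope positionally. `get_token(*scopes, **kwargs)` forwards unrecognised keyword arguments down to MSAL, so a keyword `scopes=` argument collides with MSAL's own `scopes` parameter; that is the "got multiple values for argument 'scopes'" TypeError shown above, and it is independent of which credential or scope is used. The claim names are the documented Azure AD access-token claims; the two sample tokens are constructed for this example and unsigned; `decode_jwt_payload`, `principal_from_claims` and `current_principal` are names chosen here, not SDK functions.

```python
"""Added example (not the original post's or the SDK's code).

Identify who a DefaultAzureCredential token was issued to, for both
users (CLI / VS Code sign-in) and service principals (environment vars).

Assumptions: the token is a JWT (true for Azure AD tokens issued for
https://management.azure.com/); claim names follow the documented Azure AD
access-token claims. The sample tokens are constructed here and unsigned.
"""
import base64
import json
from typing import Any, Dict, Optional


def decode_jwt_payload(token: str) -> Dict[str, Any]:
    """Return the JWT payload as a dict.

    This does NOT validate the signature: it only inspects claims in a
    token Azure AD issued to this process. Never use it to trust a token
    presented by someone else, and never log the token itself.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    payload = parts[1]
    # JWT segments are base64url without padding: restore padding and use
    # the URL-safe alphabet ('-' and '_' are valid and must not be dropped).
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def principal_from_claims(claims: Dict[str, Any]) -> Dict[str, Optional[str]]:
    """Map token claims to a stable identifier plus a display name.

    'oid' is the object id of the signed-in user OR service principal and
    is the value to persist. Username-style claims (upn, unique_name,
    preferred_username) exist only for users; service principals carry
    'appid' (v1.0 tokens) or 'azp' (v2.0 tokens) instead.
    """
    username = (claims.get("upn") or claims.get("preferred_username")
                or claims.get("unique_name"))
    app_id = claims.get("appid") or claims.get("azp")
    kind = "user" if username else ("service_principal" if app_id else "unknown")
    return {
        "kind": kind,
        "object_id": claims.get("oid"),
        "tenant_id": claims.get("tid"),
        "username": username,
        "app_id": app_id,
    }


def current_principal(credential,
                      scope: str = "https://management.azure.com/.default"
                      ) -> Dict[str, Optional[str]]:
    """Acquire a token and describe who it was issued to.

    The scope is passed positionally (get_token(*scopes)); '/.default' is
    required by the client-credentials flow that service principals use.
    """
    token = credential.get_token(scope)
    return principal_from_claims(decode_jwt_payload(token.token))


def _make_unsigned_jwt(claims: Dict[str, Any]) -> str:
    """Constructed fixture: an 'alg: none' JWT, used only to exercise the
    parsing offline. Azure AD never issues unsigned tokens."""
    def seg(obj: Dict[str, Any]) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


# Constructed sample claims (placeholder identifiers, not real tenants).
USER_TOKEN = _make_unsigned_jwt({
    "aud": "https://management.azure.com/",
    "tid": "00000000-0000-0000-0000-000000000001",
    "oid": "11111111-1111-1111-1111-111111111111",
    "upn": "foo@ourcompany.com",
    "name": "Foo Bar",
})
SP_TOKEN = _make_unsigned_jwt({
    "aud": "https://management.azure.com/",
    "tid": "00000000-0000-0000-0000-000000000001",
    "oid": "22222222-2222-2222-2222-222222222222",
    "appid": "33333333-3333-3333-3333-333333333333",
})


if __name__ == "__main__":
    for tok in (USER_TOKEN, SP_TOKEN):
        print(principal_from_claims(decode_jwt_payload(tok)))
    # Live check against whatever DefaultAzureCredential finds
    # (az login, VS Code sign-in, AZURE_CLIENT_ID/SECRET/TENANT_ID, ...).
    from azure.identity import DefaultAzureCredential
    print(current_principal(DefaultAzureCredential()))
```

Two practical notes: persist `oid` (optionally with `tid`) as the identity key, since Microsoft documents `upn` as display-only and it is absent for service principals; and treat the decoded claims as trustworthy only because the token came straight from Azure AD to this process, not because the parser checked anything.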