I am trying to integrate Azure Key Vault into my PHP application using the following example:
https://github.com/bentaylorwork/php-azure-key-vault
together with https://tsmatz.wordpress.com/2017/03/03/azure-rest-api-with-certificate-and-service-principal-by-silent-backend-daemon-service/ as a reference.
Using the approach from the article and the Git library, I am able to fetch my secrets from Azure Key Vault. The challenge, however, is that the described method authenticates with a client secret rather than with a certificate (which is my preferred method).
I have made the corresponding changes to the library above and send the following authentication request:
```php
use GuzzleHttp\Client; // namespace separators restored; they were lost in the original paste

public static function getKeyVaultToken(array $azureAppDetails)
{
    $guzzle = new Client();
    $token = $guzzle->post(
        "https://login.microsoftonline.com/{$azureAppDetails['appTenantDomainName']}/oauth2/token",
        [
            'form_params' => [
                'client_id'             => $azureAppDetails['clientId'],
                'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
                'resource'              => 'https://management.azure.com/',
                'grant_type'            => 'client_credentials',
                // JWT consisting of header, payload and a digital signature made with the key.
                'client_assertion'      => '',
            ]
        ]
    )->getBody()->getContents();
    return json_decode($token, true)['access_token'];
}
```
The header and payload here are as follows:
```php
$header  = json_encode(['x5t' => 'thumbprint of certificate uploaded on Azure', 'alg' => 'RS256', 'typ' => 'JWT']);
$payload = json_encode([
    'aud' => "https://login.microsoftonline.com/{$azureAppDetails['appTenantDomainName']}/oauth2/token",
    'exp' => 1609372800,
    'iss' => 'ClientID',
    'jti' => '77b2b25f-0288-471f-8b44-3f3c134c0d4f',
    'nbf' => 1603929600,
    'sub' => 'ClientID',
]);
```
The client assertion here is the combination of the following (the three base64url-encoded parts joined with '.'):
```php
base64urlencode($header) . '.' . base64urlencode($payload) . '.' . base64urlencode($digitalSignature)
```
When I send the above request with the stated parameters, I get the following error:
```
Fatal error: Uncaught exception 'GuzzleHttp\Exception\ClientException' with message 'Client error: `POST https://login.microsoftonline.com/xxxxx.onmicrosoft.com/oauth2/token` resulted in a `401 Unauthorized` response: {"error":"invalid_client","error_description":"AADSTS700027: Client assertion contains an invalid signature. [Reason - T (truncated...)
```
Any help or guidance on what I am doing wrong would be greatly appreciated.
Thanks in advance.
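For reference, here is an added example (not code from the question or from the php-azure-key-vault library) of building a certificate-based client assertion for this token endpoint: base64url encoding without padding, `x5t` as the base64url of the raw SHA-1 certificate thumbprint, an RS256 signature over `header.payload`, and a local verification of that signature before the assertion is sent. The client ID and tenant are placeholders, and the key and self-signed certificate are generated in the script only so that it runs offline.

```php
<?php
// Added example: build and locally verify an Azure AD client assertion JWT.

function base64url(string $bytes): string {
    // JWT parts use base64url without '=' padding, not plain base64_encode().
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function buildClientAssertion(string $certPem, string $keyPem, string $clientId, string $tenant): string {
    // x5t is the base64url of the RAW (binary) SHA-1 thumbprint, not its hex form.
    $x5t    = base64url(openssl_x509_fingerprint($certPem, 'sha1', true));
    $header = ['alg' => 'RS256', 'typ' => 'JWT', 'x5t' => $x5t];
    $now    = time();
    $payload = [
        'aud' => "https://login.microsoftonline.com/{$tenant}/oauth2/token",
        'iss' => $clientId,
        'sub' => $clientId,
        'jti' => bin2hex(random_bytes(16)), // unique per assertion
        'nbf' => $now,
        'exp' => $now + 600,                // short lifetime limits replay
    ];
    $signingInput = base64url(json_encode($header, JSON_UNESCAPED_SLASHES)) . '.'
                  . base64url(json_encode($payload, JSON_UNESCAPED_SLASHES));
    // RS256 = RSASSA-PKCS1-v1_5 with SHA-256 over exactly the signing input.
    $sig = '';
    if (!openssl_sign($signingInput, $sig, $keyPem, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return $signingInput . '.' . base64url($sig);
}

function verifyClientAssertion(string $jwt, string $certPem): bool {
    // Check the signature with the certificate's public key, as the server will.
    [$h, $p, $s] = explode('.', $jwt);
    $s   = strtr($s, '-_', '+/');
    $sig = base64_decode($s . str_repeat('=', (4 - strlen($s) % 4) % 4), true);
    $pub = openssl_pkey_get_public($certPem);
    return $sig !== false && openssl_verify("$h.$p", $sig, $pub, OPENSSL_ALGO_SHA256) === 1;
}

// Throwaway self-signed key/cert, constructed here only so the example runs offline.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr = openssl_csr_new(['commonName' => 'example-app'], $key);
$cert = openssl_csr_sign($csr, null, $key, 1);
openssl_x509_export($cert, $certPem);
openssl_pkey_export($key, $keyPem);

$jwt = buildClientAssertion($certPem, $keyPem, 'CLIENT-ID-PLACEHOLDER', 'TENANT-PLACEHOLDER.onmicrosoft.com');
var_dump(verifyClientAssertion($jwt, $certPem));
```

Run this against the real certificate and key that were uploaded to the app registration; if the local verification passes but the endpoint still rejects the assertion, the mismatch is in the header or claims (for example the `x5t` value or the `aud`), not in the signature itself.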
If you are using a service principal, you can send the principal ID and secret as in the example below, which is what we do in the Azure Key Vault SDK for .NET and other languages. You are also sending the wrong resource:
```
grant_type=client_credentials&client_id={{clientId}}&client_secret={{clientSecret}}&resource=https://vault.azure.net
```
This gives you a JSON payload containing an access_token, which you can pass as a bearer token in the Authorization header.