I'd like to authenticate to the Azure Service Management API using Azure AD through curl.
I set up an application within my default directory. In this free trial subscription that's the only directory I have.
When I target the oauth token endpoint I receive a JWT.
curl --data "grant_type=client_credentials&client_id=<my_client_id>&client_secret=<my_encoded_secret>&resource=https%3A%2F%2Fmanagement.core.windows.net" https://login.windows.net/<my_tenant_id>/oauth2/token
But when I use that token to list my subscription details I receive an error:
curl -H "x-ms-version: 2014-06-01" \
-H "Authorization: Bearer <my_token>" \
https://management.core.windows.net/<my_subscription_id>/
<Error xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<Code>ForbiddenError</Code>
<Message>The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.</Message>
</Error>
I have granted permissions to the Service Management API for the application as "Delegated permissions", because "Application permissions" are not available.
What am I missing?
This isn't possible due to the Application Permissions: 0 setting for the Service Management API. The client_credentials grant type uses credentials from the application (client_id and client_secret), and since the application does not have permissions for this API the call fails.
Since the Service Management API will not allow application permissions of any kind, we must use the authorization_code grant type or some other method to obtain a user token.
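As an added illustration of the authorization_code route the answer points to (example code written for this page, not the answerer's or Microsoft's): it builds the two requests against the same login.windows.net/<tenant>/oauth2 endpoints used in the question and inspects the returned JWT payload to tell an app-only (client_credentials) token from a user token. The claim-based check, the placeholder values and the constructed sample tokens are assumptions.

```python
import base64
import json
import secrets
from urllib.parse import urlencode

AUTHORITY = "https://login.windows.net"  # same authority as in the question


def build_authorize_url(tenant, client_id, redirect_uri, resource, state=None):
    """Step 1: the URL a user opens in a browser to sign in and consent (user context)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "resource": resource,
        # state ties the redirect back to this request; verify it on return
        "state": state or secrets.token_urlsafe(16),
    }
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?{urlencode(params)}"


def build_token_request(tenant, client_id, client_secret, code, redirect_uri, resource):
    """Step 2: endpoint and form body that exchange the code for a user token."""
    body = {
        "grant_type": "authorization_code",  # instead of client_credentials
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "resource": resource,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/token", urlencode(body)


def jwt_payload(token):
    """Decode the JWT payload without signature verification, for inspection only."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def is_user_token(token):
    """Assumption: a delegated (user) token carries upn/unique_name or scp; an app-only one does not."""
    claims = jwt_payload(token)
    return any(k in claims for k in ("upn", "unique_name", "scp"))


def _fake_jwt(claims):
    """Constructed, unsigned sample token so the check runs offline (not a real Azure AD token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


APP_ONLY = _fake_jwt({"aud": "https://management.core.windows.net/", "appid": "<client_id>"})
USER = _fake_jwt({"aud": "https://management.core.windows.net/", "appid": "<client_id>",
                  "upn": "user@example.com", "scp": "user_impersonation"})
```

The resulting user token goes in the same `Authorization: Bearer` header as before; `is_user_token` applied to the token from the question's client_credentials call would return False.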