Azure ADAL for Python - 面向acquire_token_with_username_password方法的问题

时间:2017-06-07 13:41:09

标签: python azure adal azure-sdk-python

我正在尝试使用azure用户ID和密码检索访问令牌。 最初我尝试使用以下python代码块

import adal
context = adal.AuthenticationContext(AUTHORITY)
token = context.acquire_token_with_client_credentials(
    "https://management.azure.com/",
    CLIENT_ID,
    CLIENT_SECRET)

这将返回令牌而没有任何问题。 我正在关注https://github.com/AzureAD/azure-activedirectory-library-for-python中的示例,以使用用户名和密码检索令牌,代码块如下所示

token2 = context.acquire_token_with_username_password("https://management.azure.com/",USER_NAME,PASSWORD,CLIENT_ID)

在这种情况下,不返回令牌,而是返回响应。

File "F:\All_Python\Python_Setup\Python27\lib\site-packages\adal\authentication_context.py", line 145, in acquire_token_with_username_password
    return self._acquire_token(token_func)
  File "F:\All_Python\Python_Setup\Python27\lib\site-packages\adal\authentication_context.py", line 109, in _acquire_token
    return token_func(self)
  File "F:\All_Python\Python_Setup\Python27\lib\site-packages\adal\authentication_context.py", line 143, in token_func
    return token_request.get_token_with_username_password(username, password)
  File "F:\All_Python\Python_Setup\Python27\lib\site-packages\adal\token_request.py", line 286, in get_token_with_username_password
    token = self._get_token_username_password_federated(username, password)
  File "F:\All_Python\Python_Setup\Python27\lib\site-packages\adal\token_request.py", line 252, in _get_token_username_password_federated
    username, password)
  File "F:\All_Python\Python_Setup\Python27\lib\site-packages\adal\token_request.py", line 211, in _perform_username_password_for_access_token_exchange
    username, password)
  File "F:\All_Python\Python_Setup\Python27\lib\site-packages\adal\token_request.py", line 198, in _perform_wstrust_exchange
    result = wstrust.acquire_token(username, password)
  File "F:\All_Python\Python_Setup\Python27\lib\site-packages\adal\wstrust_request.py", line 160, in acquire_token
    raise AdalError(return_error_string, error_response)
adal.adal_error.AdalError: WS-Trust RST request returned http error: 500 and server response: <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Header><a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action><o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><u:Timestamp u:Id="_0"><u:Created>2017-06-07T12:12:56.567Z</u:Created><u:Expires>2017-06-07T12:17:56.567Z</u:Expires></u:Timestamp></o:Security></s:Header><s:Body><s:Fault><s:Code><s:Value>s:Sender</s:Value><s:Subcode><s:Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:FailedAuthentication</s:Value></s:Subcode></s:Code><s:Reason><s:Text xml:lang="en-US">ID3242: The security token could not be authenticated or authorized.</s:Text></s:Reason></s:Fault></s:Body></s:Envelope>

Process finished with exit code 1

如果有人对此有任何疑问,请告诉我。

1 个答案:

答案 0 :(得分:0)

根据错误堆栈的信息,根据我的经验,由于错误来自方法_get_token_username_password_federated和500个错误代码的WS-Trust RST请求,似乎您用于获取的用户/密码未在应用的Azure AD中创建的令牌已注册,但看起来像是在联合AD中创建的。

请尝试以下两种方式检查问题。

  1. 使用您的管理员帐户在Azure门户网站上注册的应用的Azure AD中创建新用户,然后使用新的用户/密码检索令牌。
  2. 检查Azure AD配置,以确保部署的Active Directory联合身份验证服务以及在联合AD实例中创建的当前使用/密码。