I have used this article [1] by Brady Gaster to develop a console app that is attempting (at the moment) to list the virtual machines I have running under one of my three subscriptions. However, although I am able to successfully pop up an auth window, authenticate against the appropriate WAAD and get an access token, I am getting an unauthorized message when I then make the request to the Azure Management API at management.core.windows.net/{subscriptionid}/services/hostedservices
I have a version that does work using the same logic but with a Management Certificate, but I'd much rather get the OAuth version working.
I have tried logging in with a Microsoft account that has been added to the directory (in fact the one I use to log into the management portal) using https://login.windows.net/common/ as well as a local WAAD account that I have given global administrator privileges to, but although everything seems to go well, it still gives an Unauthorized exception.
Setting the context:

    using System.Configuration;
    using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

    AuthenticationContext context;
    if (Boolean.Parse(ConfigurationManager.AppSettings["UseMultiTenant"]))
        context = new AuthenticationContext("https://login.windows.net/common"); // use common if the user has multiple tenants
    else
        context = new AuthenticationContext("https://login.windows.net/" + ConfigurationManager.AppSettings["tenantId"]);
Auth dialog and access token request:

    // get a result for a request for a token
    AuthenticationResult ar = context.AcquireToken(
        "https://management.core.windows.net/",                     // resource
        ConfigurationManager.AppSettings["clientId"],
        new Uri(ConfigurationManager.AppSettings["redirectUri"]),
        PromptBehavior.Auto);
    // store the access token for future reference
    OAuthHelper.ACCESS_TOKEN = ar.AccessToken;
Later create some cloud token creds:

    Credentials = new Microsoft.WindowsAzure.TokenCloudCredentials(
        ConfigurationManager.AppSettings["subscriptionId"],
        Auth.OAuthHelper.ACCESS_TOKEN);
Later create a client to allow the requests to be made:

    Client = CloudContext.Clients.CreateComputeManagementClient(Credentials);
I am at a loss as to why it isn't working. I have triple checked all the settings with different users, and it works fine if I use a management cert against the same endpoint, so it must be specific to the OAuth piece - or delegation.
Any ideas? This is an enterprise environment so we do have multiple subscriptions, multiple WAADs under each subscription and lots of services under each subscription - so not sure if there are some gotchas I should be aware of.
I could push to Premier if need be, but I'm hoping I'm missing a scope setting or something?
Many thanks,
/steven
@stevenlivz
[1] http://www.bradygaster.com/post/using-windows-azure-active-directory-to-authenticate-the-management-libraries
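As an added diagnostic (not from the question or from Brady Gaster's article), this Python snippet decodes the payload of the ADAL access token and checks that its `aud` claim is the resource the `AcquireToken` call asked for and that its `tid` claim is the directory the subscription is associated with; the expected tenant id is an assumed input, the token used is a constructed unsigned sample, and the signature is not verified (inspection only).

```python
import base64
import json

# Resource the ADAL call on the page asks a token for; the token's "aud" claim must match it.
MANAGEMENT_RESOURCE = "https://management.core.windows.net/"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_management_token(token: str, expected_tenant_id: str) -> list:
    """List the mismatches that would make the Service Management API reject this token.

    expected_tenant_id is the id of the directory the subscription belongs to
    (an assumed input; read it from the portal for the subscription in question).
    """
    claims = jwt_claims(token)
    problems = []
    if claims.get("aud") != MANAGEMENT_RESOURCE:
        problems.append(f"aud is {claims.get('aud')!r}, expected {MANAGEMENT_RESOURCE!r}")
    if claims.get("tid") != expected_tenant_id:
        problems.append(f"tid is {claims.get('tid')!r}, expected {expected_tenant_id!r}")
    return problems


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token for offline demonstration (constructed, not a real ADAL token)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # A token issued by a different directory than the subscription's: the "tid" check fires.
    sample = constructed_token({"aud": MANAGEMENT_RESOURCE, "tid": "tenant-b", "upn": "user@example.com"})
    for problem in check_management_token(sample, "tenant-a"):
        print(problem)
```

When the `/common` endpoint is used, the token is issued by the user's home directory, so the `tid` check above is the first thing to compare against the directory the subscription is listed under.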