Client credentials - AzureAD/azure-activedirectory-library-for-python GitHub Wiki

There are two types of client credentials in ADAL Python:

  • Application Secrets
  • Certificates

Client Credentials with application secret

During registration of the confidential client application with Azure AD, a client secret (a kind of application password) is generated. When the client wants to acquire a token in its own name, it calls the acquire_token_with_client_credentials method and passes in the parameters client_id and client_secret.

Client Credentials with certificate

In this case, when the application is registered with Azure AD, it uploads the public key of a certificate. When it wants to acquire a token, the client application calls the acquire_token_with_client_certificate method, passing the parameters client_id, certificate and thumbprint.

The steps to generate the certificate and private key used in the client credential flow are as follows:

  1. Generate a key:

    openssl genrsa -out server.pem 2048

  2. Create a certificate request:

    openssl req -new -key server.pem -out server.csr

  3. Generate a certificate:

    openssl x509 -req -days 365 -in server.csr -signkey server.pem -out server.crt

  4. Upload this certificate (server.crt) to the Azure Portal in your application settings. Once you save the certificate, the portal gives you its thumbprint, which is needed in the acquire token call. The key is the server.pem key you generated in the first step.

  5. Now you can create the credential for the client credential flow using a certificate in ADAL Python as follows:

    client_credentials = {
        "client_id": "<your app id>",
        "thumbprint": "<thumbprint of cert file>",
        "certificate": "<key file name>"  # server.pem from step 1
    }
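The following is an added example, not code from the ADAL wiki or library: it recomputes the thumbprint of server.crt locally and checks it against the value copied from the portal in step 4 before building the dict from step 5. It assumes the thumbprint is the SHA-1 hash of the DER-encoded certificate written as hex; the function names are hypothetical and the sample PEM wraps constructed placeholder bytes.

```python
import base64
import hashlib
import re

_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed sample: placeholder bytes wrapped as PEM, not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def cert_thumbprint(pem_text):
    """SHA-1 over the DER bytes of the first PEM certificate, uppercase hex."""
    match = _CERT_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    return hashlib.sha1(der).hexdigest().upper()


def normalize_thumbprint(value):
    """Drop ':' and whitespace separators, then require 40 hex characters."""
    cleaned = re.sub(r"[\s:]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("thumbprint must be 40 hex characters (SHA-1)")
    return cleaned


def build_client_credentials(client_id, portal_thumbprint, cert_pem, key_file):
    """Build the step 5 dict, refusing a thumbprint that is not cert_pem's."""
    thumbprint = normalize_thumbprint(portal_thumbprint)
    if thumbprint != cert_thumbprint(cert_pem):
        raise ValueError("portal thumbprint does not match the certificate")
    return {
        "client_id": client_id,
        "thumbprint": thumbprint,
        "certificate": key_file,  # key file name, as in the dict on this page
    }


if __name__ == "__main__":
    print(cert_thumbprint(SAMPLE_PEM))
```

With real files, pass the text of server.crt as cert_pem; a mismatch usually means the portal entry belongs to a different or older certificate than the key on disk.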