我正在尝试使用 msal-node 从 Azure 获取访问令牌,并且需要使用证书以服务主体(service principal)的方式进行身份验证。目前我正在通过 Key Vault URL 读取证书。我参考的文档是 https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/samples/msal-node-samples/auth-code-key-vault/index.js
const msal = require('@azure/msal-node');
const { DefaultAzureCredential } = require('@azure/identity');
const { CertificateClient } = require('@azure/keyvault-certificates');
const { SecretClient } = require('@azure/keyvault-secrets');
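/**
 * Fetch the signing certificate's thumbprint and private key from Key Vault,
 * then hand them to msalApp to acquire a token via the client-credentials flow.
 *
 * Reads config.keyVaultUrl and config.certificateName. `config` is not defined
 * in this file, so it must be brought into scope from elsewhere.
 *
 * @returns {Promise<unknown>} whatever msalApp resolves to.
 * @throws whatever the Key Vault clients or msalApp reject with.
 */
const getazureToken = async () => {
  const credential = new DefaultAzureCredential();
  const certClient = new CertificateClient(config.keyVaultUrl, credential);
  const secretClient = new SecretClient(config.keyVaultUrl, credential);

  // The public certificate metadata and the private key are two different
  // Key Vault objects; the two reads are independent, so run them in parallel.
  const [certResponse, secretResponse] = await Promise.all([
    certClient.getCertificate(config.certificateName),
    secretClient.getSecret(config.certificateName),
  ]);

  // x509Thumbprint is a byte array. Buffer.from() gives a hex string whether it
  // arrives as a Node Buffer or as a plain Uint8Array (whose toString() would
  // produce comma-separated decimals, not hex).
  const thumbprint = Buffer.from(certResponse.properties.x509Thumbprint).toString('hex');

  // NOTE(review): MSAL expects a PEM private key here. Key Vault returns the
  // key material in the secret's contentType (PEM or base64 PKCS#12) — confirm
  // the certificate was created/imported as PEM before relying on this.
  const privateKey = secretResponse.value;
  if (privateKey == null || privateKey === '') {
    throw new Error(`Key Vault secret "${config.certificateName}" has no value`);
  }

  return msalApp(thumbprint, privateKey);
};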
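/**
 * Build a ConfidentialClientApplication from the Key Vault-sourced certificate
 * and acquire a token with the client-credentials (service principal) flow.
 *
 * Reads config.azureClientId, config.authorityUri, config.tenantId and
 * config.scope. `config` is not defined in this file and must come from elsewhere.
 *
 * @param {string} thumbprint - hex thumbprint of the certificate.
 * @param {string} privateKey - PEM private key matching the certificate.
 * @returns {Promise<object|null>} the MSAL AuthenticationResult.
 * @throws {Error} when acquisition fails; the original MSAL error is kept as `cause`.
 */
async function msalApp(thumbprint, privateKey) {
  // Before running the sample, you will need to replace the values in the config
  const msalConfig = {
    auth: {
      clientId: config.azureClientId,
      authority: `${config.authorityUri}${config.tenantId}/`,
      clientCertificate: {
        thumbprint,
        privateKey,
      },
    },
    system: {
      loggerOptions: {
        // Verbose MSAL output goes to stdout. piiLoggingEnabled stays false so
        // identifiers are masked; lower logLevel once debugging is done.
        loggerCallback(loglevel, message, containsPii) {
          console.log('loglevel', loglevel, message);
        },
        piiLoggingEnabled: false,
        logLevel: msal.LogLevel.Verbose,
      },
    },
  };

  // Create msal application object
  const cca = new msal.ConfidentialClientApplication(msalConfig);
  const clientCredentialRequest = {
    scopes: config.scope,
  };

  try {
    // await here so the caller actually waits for — and receives — the token.
    // The original fire-and-forget .then() let msalApp resolve immediately.
    const response = await cca.acquireTokenByClientCredential(clientCredentialRequest);
    // Log a summary only: the full response contains the bearer token itself,
    // which should not land in stdout / log aggregation.
    console.log('==========> response', {
      tokenType: response?.tokenType,
      expiresOn: response?.expiresOn,
      scopes: response?.scopes,
    });
    return response;
  } catch (error) {
    // JSON.stringify(error) on an Error instance yields "{}"; log the fields
    // that carry information and rethrow so the failure is not swallowed.
    console.log('error------------->', error?.errorCode ?? error?.name, error?.message);
    throw new Error('acquireTokenByClientCredential failed', { cause: error });
  }
}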
如果有帮助的话,我也有对应的 .pfx 证书文件。