We have AAP 2.5 set up with the AzureAD auth type. I would like to know if it is possible to use a token from my user via an App Registration to access the AAP APIs.
So far, I have set up an App Registration that works for AAP SSO. The RedirectURI is <fqdn>/api/gateway/social/complete/authenticator-azuread/.
I would like to use az cli to get a token that works with AAP.
The app registration is set up as follows:
- Under “Expose an API”, add an Application ID URI, which looks like api://9585754c-4bcb-4db1-8953-xxxxxxxxx
- Under “Expose an API/Scopes defined by this API”, add a new scope and allow “Admins and Users” consent. The new scope is api://9585754c-4bcb-4db1-8953-xxxxxxxxx/API.Write
- Under “Expose an API/Authorized client applications”, add 04b07795-8ddb-461a-bbee-02f9e1bf7b46 for the azure-cli.
- Under “API permissions”, add the new scope as “Delegated” type.
The enterprise application is set up as follows:
- Under “Permissions/Admin consent”, add “API.Write”
Log in and get the token:
az login --scope api://9585754c-4bcb-4db1-8953-xxxxxxxxx/API.Write --allow-no-subscriptions --tenant <tenant>
az account get-access-token --resource "api://9585754c-4bcb-4db1-8953-xxxxxxxxx" --scope "api://9585754c-4bcb-4db1-8953-xxxxxxxxx/API.Write" --query accessToken -o tsv
Try to use the AWX CLI with the token:
export AWXKIT_API_BASE_PATH='/api/controller/'
awx --conf.host https://aap-dev.ds.acc.co.nz --conf.token "<AZCLITOKEN>" hosts list -k -v
This has an error:
Valid credentials were not provided.
<class 'awxkit.exceptions.Unauthorized'>
And trying to use this token on the API:
curl --location 'https://fqdn/api/gateway/v1/status/' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <AZCLITOKEN>'
Has an error:
Authentication credentials were not provided.
Is it possible to use an OAuth token from an app registration that is used for SSO to AAP?
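A local inspection of the claims inside the token az cli returns, as an added example that is not part of the original post: it decodes the JWT payload (without verifying the signature) and reports whether aud matches the App ID URI and scp contains API.Write, which is the first thing to compare against what the receiving API expects when a bearer token is rejected. The masked App ID URI and the unsigned sample-token builder are constructed placeholders for offline testing.

```python
import base64
import json
import time

# Values from the post; the app-id suffix is masked there, so this is a
# constructed placeholder to be replaced with the real Application ID URI.
EXPECTED_AUDIENCE = "api://9585754c-4bcb-4db1-8953-xxxxxxxxx"
EXPECTED_SCOPE = "API.Write"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token):
    """Return the payload claims of a JWT as a dict.

    The signature is NOT verified: this is a local inspection helper,
    not an authenticator. Raises ValueError on anything that is not a JWT.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token, now=None):
    """Return the reasons this token would not fit the expected API (empty if it fits)."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE:
        problems.append("aud is %r, expected %r" % (aud, EXPECTED_AUDIENCE))
    # Delegated (user) tokens carry scopes in a space-separated 'scp' claim;
    # app-only tokens carry 'roles' instead, which is the wrong token type here.
    scopes = str(claims.get("scp", "")).split()
    if EXPECTED_SCOPE not in scopes:
        problems.append("scp %r lacks %r" % (scopes, EXPECTED_SCOPE))
    if "roles" in claims and "scp" not in claims:
        problems.append("app-only token (roles, no scp); a user token from az login was expected")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def make_unsigned_sample_jwt(payload):
    """Build a constructed, unsigned alg=none token for local tests only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "none", "typ": "JWT"}), enc(payload))
```

Run check_token on the output of `az account get-access-token ... --query accessToken -o tsv`; an audience such as a Graph URL instead of the api:// URI means the token was minted for a different resource than the one the API is configured to accept.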