@@ -836,6 +836,41 @@ function token(session::Union{AzAuthCodeFlowSession, AzDeviceCodeFlowSession}, b
836836 end
837837end
838838
839+ """
840+ jwt_new = token_exchange(jwt[;
841+ client_id = AzSessions._manifest["client_id"],
842+ client_secret = AzSessions._manifest["client_secret"],
843+ scope = "https://management.azure.com/user_impersonation",
844+ tenant = AzSessions._manifest["tenant"])
845+
846+ Create a new JWT token `jwt_new` from an existing JWT token `jwt`. This allows
847+ applications to change the audience and act on behalf of the user using that new
848+ audience.
849+ """
850+ function token_exchange (jwt;
851+ client_id = _manifest[" client_id"
852+ client_secret = _manifest[" client_secret"
853+ scope= " https://management.azure.com/user_impersonation"
854+ tenant = _manifest[" tenant"
855+ b = Dict (
856+ " grant_type" => " urn:ietf:params:oauth:grant-type:jwt-bearer"
857+ " client_id" => client_id,
858+ " client_secret" => client_secret,
859+ " assertion" => jwt,
860+ " requested_token_use" => " on_behalf_of"
861+ " scope" => scope
862+ )
863+
864+ r = @retry 10 HTTP. request (
865+ " POST"
866+ " https://login.microsoftonline.com/$tenant /oauth2/v2.0/token"
867+ [" Content-Type" => " application/x-www-form-urlencoded"
868+ HTTP. URIs. escapeuri (b)
869+ )
870+
871+ r[" access_token"
872+ end
873+
839874#
840875# API
841876#
@@ -950,6 +985,6 @@ AzSession(jsonobject::String) = AzSession(JSON.parse(jsonobject))
950985
951986AzSession (session:: AzSessionAbstract ) = session
952987
953- export AzAuthCodeFlowCredentials, AzClientCredentials, AzDeviceCodeFlowCredentials, AzSession, AzSessionAbstract, AzVMCredentials, scrub!, token
988+ export AzAuthCodeFlowCredentials, AzClientCredentials, AzDeviceCodeFlowCredentials, AzSession, AzSessionAbstract, AzVMCredentials, scrub!, token, token_exchange
954989
955990end
0 commit comments