2121 MSI_V2_VERBOSE - Set to "1" for verbose logging
2222"""
2323
24- import json
2524import logging
2625import os
2726import sys
@@ -80,33 +79,29 @@ def main():
8079 )
8180
8281 if "access_token" not in result :
83- logger .error ("Token acquisition failed:" )
84- logger .error (" %s" , json .dumps (result , indent = 2 ))
82+ # Only log error code/description — never log tokens or secrets
83+ logger .error ("Token acquisition failed: %s - %s" ,
84+ result .get ("error" , "unknown" ),
85+ result .get ("error_description" , "no description" ))
8586 sys .exit (1 )
8687
8788 token_type = result .get ("token_type" , "unknown" )
8889 expires_in = result .get ("expires_in" , 0 )
89- cert_thumbprint = result .get ("cert_thumbprint_sha256" , "N/A" )
90- token_preview = result ["access_token" ][:40 ] + "..."
9190
9291 logger .info ("Token acquired successfully!" )
93- logger .info (" token_type: %s" , token_type )
94- logger .info (" expires_in: %s seconds" , expires_in )
95- logger .info (" cert_thumbprint: %s" , cert_thumbprint )
96- logger .info (" token (preview): %s" , token_preview )
92+ logger .info (" token_type: %s" , token_type )
93+ logger .info (" expires_in: %s seconds" , expires_in )
9794
98- # Strict mode: token_type must be mtls_pop
9995 if token_type != "mtls_pop" :
10096 logger .warning (
101- "Expected token_type='mtls_pop' but got '%s'. "
102- "The VM may not support MSI v2." , token_type )
97+ "Expected token_type='mtls_pop' but got '%s'." , token_type )
10398
10499 # --- Verify binding ---
105100 from msal .msi_v2 import verify_cnf_binding
106101 cert_pem = result .get ("cert_pem" , "" )
107102 if cert_pem :
108103 bound = verify_cnf_binding (result ["access_token" ], cert_pem )
109- logger .info (" cnf binding: %s" , "VERIFIED" if bound else "FAILED" )
104+ logger .info (" cnf binding: %s" , "VERIFIED" if bound else "FAILED" )
110105 if not bound :
111106 logger .error ("Token is NOT bound to the certificate!" )
112107 sys .exit (1 )
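Review bot: The binding check at new lines 101-107 is skipped silently when the response carries no `cert_pem`, and the `token_type` check just above it only warns, so a response that is neither `mtls_pop` nor accompanied by a certificate reaches the resource call without any hard failure. The lines after new 107 are outside this hunk, so if they already handle the missing-cert case this is moot; otherwise an explicit branch such as `else: logger.error("No cert_pem in token response; cannot verify cnf binding"); sys.exit(1)` would preserve the strict intent the removed "Strict mode" comment described. Separately, `cert_thumbprint_sha256` is presumably a hash of the certificate rather than a secret, so dropping it at old lines 89/95 loses a useful, non-sensitive value for correlating the token's cnf claim with the certificate actually presented; consider keeping that one info line. main() starts before this hunk.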
@@ -115,25 +110,23 @@ def main():
115110 if resource_url :
116111 logger .info ("Calling resource: %s" , resource_url )
117112
118- # For mTLS resource calls, we need to present the same cert.
119- # Note: The cert_pem + private key are bound in the KeyGuard key;
120- # the actual mTLS resource call would need WinHTTP or a similar
121- # mechanism. This is a demonstration of the Authorization header.
113+ # Note: mTLS resource calls require presenting the same cert.
114+ # The cert + private key are bound via KeyGuard; a real mTLS call
115+ # would use WinHTTP/SChannel. This demonstrates the auth header.
116+ access_token = result [ "access_token" ]
122117 headers = {
123- "Authorization" : f"{ token_type } { result [ ' access_token' ] } " ,
118+ "Authorization" : f"{ token_type } { access_token } " ,
124119 "Accept" : "application/json" ,
125120 }
126121
127122 try :
128123 resp = http_session .get (resource_url , headers = headers )
129124 logger .info (" Status: %d" , resp .status_code )
130- if resp .ok :
131- logger .info (" Response (first 200 chars): %s" ,
132- resp .text [:200 ])
133- else :
134- logger .warning (" Response: %s" , resp .text [:500 ])
125+ if not resp .ok :
126+ logger .warning (" Request failed with status %d" ,
127+ resp .status_code )
135128 except Exception as exc :
136- logger .warning (" Resource call failed: %s" , exc )
129+ logger .warning (" Resource call failed: %s" , type ( exc ). __name__ )
137130 logger .info (
138131 "Note: mTLS resource calls may require WinHTTP/SChannel; "
139132 "the requests library may not present the mTLS cert." )
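Review bot: `http_session.get(resource_url, headers=headers)` at new line 123 passes no `timeout`, so a resource that accepts the connection but never answers hangs the sample indefinitely; if `http_session` is a `requests.Session` (the `.ok`/`.status_code`/`.text` usage suggests it is), add one, e.g. `resp = http_session.get(resource_url, headers=headers, timeout=30)`. The new except branch at line 129 logs only `type(exc).__name__`, which makes SSL and connection failures hard to diagnose; as far as I know the exception text from requests carries the URL and the underlying error but not request headers, so a `logger.debug("  Resource call error: %s", exc)` next to the warning would recover that detail without exposing the Authorization header. main() begins before this hunk and may continue past it.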