approles.go

package main

import (
	"fmt"
	"os"

	"github.com/Azure/go-autorest/autorest/azure"
	"github.com/Azure/go-autorest/autorest/azure/auth"
	"github.com/dgrijalva/jwt-go"
)

func main() {
	roles, err := appRoles()
	if err != nil {
		panic(err)
	}

	for _, role := range roles {
		if role == "Application.ReadWrite.OwnedBy" {
			fmt.Println("found role!")
		}
	}
}

type azureClaim struct {
	Roles []string `json:"roles,omitempty"`
}

func (*azureClaim) Valid() error {
	return fmt.Errorf("unimplemented")
}

func appRoles() (roles []string, err error) {
	cc := auth.ClientCredentialsConfig{
		ClientID:     os.Getenv(auth.ClientID),
		ClientSecret: os.Getenv(auth.ClientSecret),
		TenantID:     os.Getenv(auth.TenantID),
		Resource:     azure.PublicCloud.GraphEndpoint,
		AADEndpoint:  azure.PublicCloud.ActiveDirectoryEndpoint,
	}

	token, err := cc.ServicePrincipalToken()
	if err != nil {
		return
	}

	err = token.EnsureFresh()
	if err != nil {
		return
	}

	p := &jwt.Parser{}
	c := &azureClaim{}
	_, _, err = p.ParseUnverified(token.OAuthToken(), c)
	if err != nil {
		return
	}

	return c.Roles, nil
}