oAuth2.0 authentication using certificate

Shiv Khullar 1 Reputation point
2021-01-14T03:41:55.793+00:00

Hi,

Need help with how to do OAuth 2.0 authentication with the Azure login API (the first call, where we generate the access token: https://login.microsoftonline.com/tenantid/oauth2/v2.0/token) using a certificate in Key Vault.

I need to use a client assertion instead of a client secret to generate the access token. Any idea how we could generate the client assertion in Java for Azure? Any help with a Java code snippet would be helpful. I know it's a JWT token signed with the certificate key.

Thanks in advance.

Thanks,
Shiv


4 answers

  1. Ryan Hill 26,136 Reputation points Microsoft Employee
    2021-01-14T23:53:16.747+00:00

    Hi @Shiv Khullar ,

    I believe https://learn.microsoft.com/en-us/azure/architecture/multitenant-identity/client-assertion is what you're looking for. It has a sample REST call you would make for client assertion:

    POST https://login.microsoftonline.com/b9bd2162xxx/oauth2/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded

    resource=https://tailspin.onmicrosoft.com/surveys.webapi
      &client_id=87df91dc-63de-4765-8701-b59cc8bd9e11
      &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
      &client_assertion=eyJhbGci...
      &grant_type=authorization_code
      &code= PG8wJG6Y...


    I wasn't able to find any code samples using client assertion, but since the SDK is open source, perhaps this could be a useful guide. If you don't find what you're looking for, I would suggest creating a new issue in the repo.

    Regards,
    Ryan


  2. Shiv Khullar 1 Reputation point
    2021-01-15T15:26:30.35+00:00

    More details on this:

    We would like to use OAuth 2.0 for the Azure Data Lake APIs. We have been successful in implementing OAuth 2.0 authentication using client id and client secret. All this works well.

    Next, instead of using the client secret for OAuth 2.0, we would like to generate the access token (to be used in subsequent Azure API calls) via the client certificate stored in Azure Key Vault. So, basically a two-step process from what I have understood so far:

    1. Connect to Key Vault to fetch the certificate. Do we need the certificate at our end locally, or do we need only details about the certificate (via another REST call)? If we need the certificate locally at our end, how would we connect to Key Vault when the certificate expires? I feel we need to connect and download only when the certificate we already have locally expires.
    2. Say we have a certificate; we then need to generate the client assertion for the Azure login call to generate the access token. Do we have a sample in Java or similar to generate a client assertion, which is a JWT token signed with the certificate?

    Any help on this would be appreciated.

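As an added illustration (not code from this thread, from Microsoft's docs or from any SDK), here is the client assertion that the original question and the post above ask about, built in Go; the structure is the same in Java: a JWT whose header carries the certificate's SHA-1 thumbprint as x5t, whose claims name the token endpoint as audience and the client id as issuer and subject, signed RS256 with the certificate's private key. The tenant and client ids are placeholders, and the self-signed certificate is a throwaway stand-in for the one held in Key Vault.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// BuildClientAssertion returns the JWT for the client_assertion form field. Only the
// certificate's SHA-1 thumbprint (x5t header) is sent; it tells the token endpoint which registered key to verify with.
func BuildClientAssertion(tenantID, clientID string, certDER []byte, key *rsa.PrivateKey, now time.Time) (string, error) {
	thumb := sha1.Sum(certDER)
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": b64.EncodeToString(thumb[:])})
	jti := make([]byte, 16) // unique token id so a captured assertion cannot be replayed
	rand.Read(jti)
	claims, _ := json.Marshal(map[string]interface{}{
		"aud": "https://login.microsoftonline.com/" + tenantID + "/oauth2/v2.0/token",
		"iss": clientID, "sub": clientID, "jti": b64.EncodeToString(jti),
		"nbf": now.Unix(), "exp": now.Add(10 * time.Minute).Unix(), // short-lived on purpose
	})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input)) // RS256 = RSASSA-PKCS1-v1_5 over SHA-256
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	// throwaway self-signed certificate for the demo; in the real flow this is the Key Vault certificate
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	certDER, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	jwt, _ := BuildClientAssertion("<tenant-id>", "<client-id>", certDER, key, time.Now()) // placeholder ids
	fmt.Println("client_assertion=" + jwt)
}
```

The returned string goes in client_assertion together with client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer in place of client_secret; the token endpoint checks the signature against the public key of the certificate uploaded to the app registration, so the private key never leaves the caller.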

  3. honey porwal 1 Reputation point
    2021-04-07T06:36:46.45+00:00

    I'm also facing the same problem.
    How can we generate a JWT token from a client certificate?
    Can we use the client certificate thumbprint instead of a JWT token?


  4. ohmygod 1 Reputation point
    2021-06-17T15:56:47.447+00:00

    Did anyone solve this, via ticket etc?

    It's a nightmare working with this.

    https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Client-Assertions
    talks about string signedClientAssertion = ComputeAssertion();

    Thought .NET... wanted to see how that is done.

    How do we let Microsoft know about this issue?
