ShivKhullar-7054 asked ohmygod-2829 answered

oAuth2.0 authentication using certificate

Hi,

Need help with how to do an oAuth2.0 authentication with the Azure login API (the first call, where we generate the access token - https://login.microsoftonline.com/tenantid/oauth2/v2.0/token) using a certificate in Key Vault.

I need to use a client assertion instead of a client secret to generate the access token. Any idea how we could generate the client assertion in Java for Azure? Any help with a Java code snippet would be helpful. I know it's a JWT token signed with the certificate key.

Thanks in advance.

Thanks,
Shiv

Tags: azure-data-lake-storage, azure-ad-saml-sso, azure-webapps-ssl-certificates, azure-ad-app-development

ryanchill answered ShivKhullar-7054 commented

Hi @ShivKhullar-7054,

I believe https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/client-assertion is what you're looking for. It has a sample REST call you would make for client assertion:

 POST https://login.microsoftonline.com/b9bd2162xxx/oauth2/token HTTP/1.1
 Content-Type: application/x-www-form-urlencoded
    
 resource=https://tailspin.onmicrosoft.com/surveys.webapi
   &client_id=87df91dc-63de-4765-8701-b59cc8bd9e11
   &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
   &client_assertion=eyJhbGci...
   &grant_type=authorization_code
   &code= PG8wJG6Y...

I wasn't able to find any code samples using client assertion but since the SDK is open source, perhaps this could be a useful guide. If you don't find what you're looking for, I would suggest creating a new issue in the repo.

Regards,
Ryan


· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thanks Ryan. I have a few questions:
- Do we need to download a certificate to generate the client assertion, or do we only need certificate parameters to generate the client assertion?
- If the certificate is stored in Key Vault and we connect to Key Vault via the oauth2.0 certificate authentication, and the certificate we have has now expired at our end, how would we connect to Key Vault? Looks like a chicken and egg thing.



I am still trying to get my head around this. Any help would be appreciated.





0 Votes 0 ·
ShivKhullar-7054 avatar image
0 Votes"
ShivKhullar-7054 answered

More details on this -

We would like to use oAuth2.0 for the Azure Datalake APIs. We have been successful in implementing the oAuth2.0 authentication using client id and client secret. All this works well.

Next, instead of using a client secret for oAuth2.0, we would like to generate the access token (to be used in subsequent Azure API calls) via the client certificate stored in Azure Key Vault. So, basically a two step process from what I have understood so far -

  1. Connect to Key Vault to fetch the certificate. Do we need the certificate at our end locally, or do we need only details about the certificate (via another REST call)? If we need the certificate locally at our end, how would we connect to Key Vault if the certificate expires? I feel we need to connect and download only when the certificate we already have locally expires.

  2. Say we have a certificate; we need to generate the client assertion for the Azure login call to generate the access token. Do we have a sample in Java or so to generate a client assertion, which is a JWT token signed with the certificate?

Any help on this would be appreciated.
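The following Java class is an example added to this thread (it is not code from the asker, from Ryan's linked doc, or from Microsoft's SDK) showing step 2 above and the REST call quoted in Ryan's answer: it builds the client_assertion JWT and the form body for the token endpoint using only the JDK (java.security, java.util.Base64). It assumes step 1 has already happened, i.e. the certificate and its private key have been exported from Key Vault as a PKCS#12 file on disk; the file path, password, tenant id, client id and the scope value are placeholders taken from the command line, and `https://storage.azure.com/.default` is only the assumed scope for the Datalake/Storage APIs mentioned in the question. The JWT layout (RS256, x5t = base64url of the SHA-1 thumbprint of the certificate DER, aud = the token endpoint, iss and sub = client id, jti, nbf, exp) is the one Azure AD documents for certificate credentials.

```java
import java.io.FileInputStream;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Base64;
import java.util.UUID;

/**
 * Example (not Microsoft's code): builds the client_assertion JWT for the
 * Azure AD v2.0 token endpoint and the matching client_credentials request body.
 */
public class ClientAssertionExample {

    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    /** JWS compact serialization uses base64url without '=' padding. */
    static String b64url(byte[] bytes) {
        return B64URL.encodeToString(bytes);
    }

    /** x5t header: base64url(SHA-1 thumbprint of the certificate DER bytes). */
    static String x5t(X509Certificate cert) throws Exception {
        return b64url(MessageDigest.getInstance("SHA-1").digest(cert.getEncoded()));
    }

    /** Signed JWT (header.claims.signature) valid for ttlSeconds from now. */
    static String buildAssertion(PrivateKey key, X509Certificate cert,
                                 String tenantId, String clientId, long ttlSeconds) throws Exception {
        // aud must be the exact token endpoint the assertion will be POSTed to.
        String audience = "https://login.microsoftonline.com/" + tenantId + "/oauth2/v2.0/token";
        long now = Instant.now().getEpochSecond();

        // tenantId/clientId are GUIDs, so no JSON escaping is needed here.
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\",\"x5t\":\"" + x5t(cert) + "\"}";
        String claims = "{"
            + "\"aud\":\"" + audience + "\","
            + "\"iss\":\"" + clientId + "\","
            + "\"sub\":\"" + clientId + "\","
            + "\"jti\":\"" + UUID.randomUUID() + "\","   // unique per assertion
            + "\"nbf\":" + now + ","
            + "\"exp\":" + (now + ttlSeconds)            // keep short; a few minutes is enough
            + "}";

        String signingInput = b64url(header.getBytes(StandardCharsets.UTF_8)) + "."
                            + b64url(claims.getBytes(StandardCharsets.UTF_8));

        // RS256 = RSASSA-PKCS1-v1_5 with SHA-256 over the ASCII signing input.
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(key);
        signer.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + b64url(signer.sign());
    }

    /** application/x-www-form-urlencoded body for the client_credentials grant. */
    static String tokenRequestBody(String clientId, String assertion, String scope) {
        return "client_id=" + URLEncoder.encode(clientId, StandardCharsets.UTF_8)
            + "&scope=" + URLEncoder.encode(scope, StandardCharsets.UTF_8)
            + "&client_assertion_type="
            + URLEncoder.encode("urn:ietf:params:oauth:client-assertion-type:jwt-bearer", StandardCharsets.UTF_8)
            + "&client_assertion=" + URLEncoder.encode(assertion, StandardCharsets.UTF_8)
            + "&grant_type=client_credentials";
    }

    /** Usage: java ClientAssertionExample <cert.pfx> <pfxPassword> <tenantId> <clientId> */
    public static void main(String[] args) throws Exception {
        // Placeholder inputs: the PKCS#12 file is assumed to have been exported from Key Vault.
        char[] password = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        String alias = ks.aliases().nextElement();
        PrivateKey key = (PrivateKey) ks.getKey(alias, password);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);

        String assertion = buildAssertion(key, cert, args[2], args[3], 300);
        // Assumed scope for Azure Storage / Data Lake; adjust to the resource you call.
        String body = tokenRequestBody(args[3], assertion, "https://storage.azure.com/.default");
        System.out.println("POST https://login.microsoftonline.com/" + args[2] + "/oauth2/v2.0/token");
        System.out.println("Content-Type: application/x-www-form-urlencoded");
        System.out.println();
        System.out.println(body);
    }
}
```

The private key is only ever used inside `Signature.initSign`; nothing but the signed assertion goes over the wire, which is the point of this flow compared with a client secret. The `URLEncoder.encode(String, Charset)` overload requires Java 10 or later; on older JDKs use the `(String, "UTF-8")` form.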
honeyporwal-6302 answered

I'm also facing the same problem.
How can we generate jwt token from client certificate?
Can we use client certificate thumbprint instead of jwt token?
ohmygod-2829 answered

Did anyone solve this, via ticket etc?

It's a nightmare working with this.

https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Client-Assertions
talks about string signedClientAssertion = ComputeAssertion();

Though that's .Net... wanted to see how that is done.

How to let Microsoft know about this issue??