How to get client_assertion string

I've written an EWS application in C++. Currently it supports Basic and NTLM authentication, and now I'm trying to support OAuth authentication.

Since it is a C++ application I can't use .NET's AcquireToken, so I need to post the request below for OAuth authentication:

POST https://login.microsoftonline.com/b9bd2162xxx/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
resource=https://tailspin.onmicrosoft.com/surveys.webapi
&client_id=87df91dc-63de-4765-8701-b59cc8bd9e11
&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
&client_assertion=eyJhbGci...
&grant_type=authorization_code

So my question is: if I'm constructing the request myself, how can I get the client_assertion string? Is there any API or open-source library to get this string using a .pfx/X.509 certificate?

Quartas answered 26/7, 2017 at 20:40

Based on the value of grant_type, you were using the Authorization Code Grant Flow. This flow is used for an interactive app. If this is the flow you want to use, there is no need to provide the client_assertion and client_assertion_type.

You can refer to the requests below for this flow.

1. Request an authorization code:

https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&resource=https%3A%2F%2Fservice.contoso.com%2F
&state=12345

2. Use the authorization code to request an access token:

POST /{tenant}/oauth2/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&client_id=2d4d11a2-f814-46a7-890a-274a72a7309e
&code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrqqf_ZT_p5uEAEJJ_nZ3UmphWygRNy2C3jJ239gV_DBnZ2syeg95Ki-374WHUP-i3yIhv5i-7KU2CEoPXwURQp6IVYMw-DjAOzn7C3JCu5wpngXmbZKtJdWmiBzHpcO2aICJPu1KvJrDLDP20chJBXzVYJtkfjviLNNW7l7Y3ydcHDsBRKZc3GuMQanmcghXPyoDg41g8XbwPudVh7uCmUponBQpIhbuffFP_tbV8SNzsPoFz9CLpBCZagJVXeqWoYMPe2dSsPiLO9Alf_YIe5zpi-zY4C3aLw5g9at35eZTfNd0gBRpR5ojkMIcZZ6IgAA
&redirect_uri=https%3A%2F%2Flocalhost%2Fmyapp%2F
&resource=https%3A%2F%2Fservice.contoso.com%2F
&client_secret=p@ssw0rd

//NOTE: client_secret only required for web apps

For more detail about this flow, please refer to the document below:

Authorize access to web applications using OAuth 2.0 and Azure Active Directory

Update

// ADAL.NET sample (Microsoft.IdentityModel.Clients.ActiveDirectory). GetCertificate is a
// helper that loads the X509Certificate2 by thumbprint and is not shown in the post.
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

string clientId = "";   // application (client) id
string thumbprint = ""; // thumbprint of the certificate registered for the app
X509Certificate2 cert = GetCertificate(thumbprint);
string resource = "";   // the resource URI from the token request

string authority = "https://login.microsoftonline.com/{tenant}"; // replace {tenant} with your tenant id
AuthenticationContext authContext = new AuthenticationContext(authority);
// ClientAssertionCertificate creates and signs the client_assertion JWT from the certificate
var result = authContext.AcquireTokenAsync(resource, new ClientAssertionCertificate(clientId, cert)).Result;
Console.WriteLine(result.AccessToken);
Kennykeno answered 27/7, 2017 at 5:51
My EWS application runs as a service; there is no interaction with the end user. In this case how can I get client_assertion to post the query below: POST login.microsoftonline.com/b9bd2162xxx/oauth2/token HTTP/1.1 Content-Type: application/x-www-form-urlencoded resource=tailspin.onmicrosoft.com/surveys.webapi &client_id=87df91dc-63de-4765-8701-b59cc8bd9e11 &client_assertion=eyJhbGci... &grant_type=authorization_code - Quartas
If you want to acquire the token from a daemon service, you can use the Client Credential Flow. In this flow there are two ways: one is using the secret and the other is using the certificate credentials. For more detail about this flow, please refer to this link. - Kennykeno
Yes, the second case (Access token request with a certificate) is more appropriate in my case. But in this case, I need to provide client_assertion in POST /<tenant_id>/oauth2/token, so how can I get this encoded string (client_assertion)? Do you have any C++ sample to get client_assertion? - Quartas
I appended a code sample to the post in C# since I'm not familiar with C++. But the process should be the same: use the certificate to sign the JWT token created by you to generate the client_assertion. For more detail about this process, you can refer to this link. - Kennykeno
Are there any ways of getting the signed client_assertion JWT without using the C# code or .NET libraries? For example, if I want to call the Azure AD token URL from Postman, how can I get the signed client_assertion JWT? - Theron
@FeiXue-MSFT the answer was not accepted because it is not clear enough. Tell the steps one by one. Is it possible to create a signed JWT using a web browser? Organizations are secure and will have different security rules for code and web. So a detailed answer helps. - Commixture
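The comments above say the client_assertion is "the JWT token created by you" signed with the certificate, but never spell out the steps. The following is an added example, not code from the thread or from ADAL, showing those steps against the Go standard library (chosen because it needs no third-party crypto; the same operations exist in OpenSSL for a C++ service). Assumptions: the Azure AD v1 certificate-credential format (header alg/typ/x5t where x5t is the base64url SHA-1 thumbprint of the DER certificate; claims aud, iss, sub, jti, nbf, exp, with aud being the token endpoint), a throwaway self-signed certificate generated in place as a stand-in for the .pfx, and the client id and tenant from the question as placeholder inputs. VerifyClientAssertion is the receiving side's view of the same token and is included so the checks a token endpoint makes are visible.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// b64url is the unpadded base64url encoding used for JWT segments.
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientAssertion produces the client_assertion JWT for the v1 token endpoint:
// header {alg:RS256, typ:JWT, x5t:base64url(SHA-1 of the DER certificate)}, claims
// {aud, iss, sub, jti, nbf, exp}, signed RS256 with the certificate's private key.
func BuildClientAssertion(clientID, tenant string, certDER []byte, key *rsa.PrivateKey, now time.Time) (string, error) {
	thumb := sha1.Sum(certDER) // x5t is the certificate thumbprint, not a hash of the key
	header := map[string]string{"alg": "RS256", "typ": "JWT", "x5t": b64url(thumb[:])}
	var jti [16]byte // random id so the endpoint can reject a replayed assertion
	if _, err := rand.Read(jti[:]); err != nil {
		return "", err
	}
	claims := map[string]interface{}{
		"aud": "https://login.microsoftonline.com/" + tenant + "/oauth2/token",
		"iss": clientID,
		"sub": clientID,
		"jti": fmt.Sprintf("%x-%x-%x-%x-%x", jti[0:4], jti[4:6], jti[6:8], jti[8:10], jti[10:]),
		"nbf": now.Unix(),
		"exp": now.Add(10 * time.Minute).Unix(), // short-lived: the assertion is itself a bearer credential
	}
	hj, _ := json.Marshal(header) // string and integer values above always marshal
	cj, _ := json.Marshal(claims)
	signingInput := b64url(hj) + "." + b64url(cj)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]) // RS256 = PKCS#1 v1.5 over SHA-256
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyClientAssertion performs the checks the token endpoint makes against the
// certificate registered for the app: RS256, x5t names that certificate, the
// signature verifies under its public key, and now lies within nbf..exp.
func VerifyClientAssertion(token string, certDER []byte, pub *rsa.PublicKey, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("assertion must be header.claims.signature")
	}
	var header struct{ Alg, X5t string } // encoding/json matches keys case-insensitively
	var claims struct{ Nbf, Exp int64 }
	for i, v := range []interface{}{&header, &claims} {
		raw, err := base64.RawURLEncoding.DecodeString(parts[i])
		if err != nil {
			return err
		}
		if err := json.Unmarshal(raw, v); err != nil {
			return err
		}
	}
	thumb := sha1.Sum(certDER)
	if header.Alg != "RS256" || header.X5t != b64url(thumb[:]) {
		return fmt.Errorf("alg must be RS256 and x5t must match the registered certificate")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // signature covers header and claims
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return err
	}
	if now.Unix() < claims.Nbf || now.Unix() > claims.Exp {
		return fmt.Errorf("assertion outside its nbf/exp window")
	}
	return nil
}

// SelfSignedCert generates a throwaway key and certificate as a stand-in for the
// .pfx a real service would load; it returns the DER certificate and the key.
func SelfSignedCert() ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der, key, err
}
```

The block is library-style (no main): call `SelfSignedCert` and then `BuildClientAssertion(clientID, tenant, der, key, time.Now())`, and put the returned string in the client_assertion field of the form body with grant_type=client_credentials, client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer, client_id and resource, as in the request in the question. Two design points are worth noting from the verifier's side: x5t must identify a certificate actually registered for the app, so a token signed with some other key is rejected before any claim is read, and the signature covers both header and claims, so a re-encoded claim set with a longer exp fails even though the signature bytes are unchanged. The private key never leaves the service; only the short-lived signed assertion is sent.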
