Hello Missaghian, Nevenka,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
I understand that you would like to create a client_assertion and regarding your questions:
Can I get the $base64Thumbprint from my certificate | x5t#S256 - can this be found from my certificate file?
Yes! The Base64 thumbprint (x5t#S256) can be derived from your certificate. Use the following command to get the thumbprint and then base64 encode it. First, you need to extract the necessary details from your certificate, as in this example:
openssl x509 -in your_certificate.pem -noout -fingerprint -sha256
The output will be in the format SHA256 Fingerprint=XX:xx:... . Remove the colons and base64 encode the resulting string.
What should be in my Public Key and Private Key?
Your Public Key and Private Key should be extracted from your certificate file. Typically, the certificate file contains both the public and private keys.
openssl pkcs12 -in your_certificate.pfx -nocerts -out private_key.pem
openssl pkcs12 -in your_certificate.pfx -clcerts -nokeys -out public_key.pem
To create the JWT header, include the algorithm (alg) and the thumbprint (x5t#S256):
{
"alg": "RS256",
"x5t#S256": "base64_encoded_thumbprint"
}
Then, create the JWT Payload which should include the following claims:
- aud: The token endpoint URL.
- exp: Expiration time (in seconds since epoch).
- iss: The client ID.
- sub: The client ID.
- jti: A unique identifier for the token.
This is an example payload:
{
"aud": "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
"exp": 1618884477,
"iss": "your_client_id",
"sub": "your_client_id",
"jti": "unique_identifier"
}
Next, encode and sign the JWT using a tool like jwt.io. You will need to provide the header, payload, and your private key.
Finally, use the client_assertion in a token request to the MS Entra REST API.
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=your_client_id
&scope=https://graph.microsoft.com/.default
&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
&client_assertion=your_encoded_jwt
&grant_type=client_credentials
This should help you create and use a client_assertion for authenticating with the MS Entra REST API using a certificate. You can read more information about the steps in these references:
- https://zcusa.951200.xyz/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow
- https://zcusa.951200.xyz/en-us/azure/active-directory-b2c/client-credentials-grant-flow
I hope this is helpful! Do not hesitate to let me know if you have any other questions.
Please don't forget to close the thread by upvoting and accepting it as an answer if it is helpful.
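The procedure above, worked through end to end in Python as an added example that is not part of the answer or of any Microsoft library. It computes x5t#S256 from the certificate's DER bytes and, equivalently, from the colon-separated hex that the openssl command prints (the hex is converted back to the 32 raw digest bytes and then base64url-encoded without padding, which is what the JOSE x5t#S256 header expects), builds the header and payload with the claims listed above, signs them with RS256, and formats the client_credentials request body. Assumptions: the certificate is a constructed stand-in (arbitrary bytes in a PEM wrapper, not a real X.509 certificate), the RSA key is a small demo key generated in-block with a minimal Miller-Rabin routine rather than the private key exported from a PFX, and client_id and tenant_id are placeholders. Signing happens locally, so the private key never has to be pasted into a web tool.

```python
import base64, hashlib, json, random, time, urllib.parse, uuid

_rng = random.SystemRandom()  # OS-backed randomness for the demo key


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def x5t_s256_from_pem(pem: str) -> str:
    """x5t#S256 = base64url(SHA-256 over the DER bytes of the certificate)."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return b64url(hashlib.sha256(base64.b64decode(body)).digest())


def x5t_s256_from_openssl(fingerprint_line: str) -> str:
    """Turn 'SHA256 Fingerprint=AB:CD:...' into x5t#S256.
    The hex must become the 32 raw digest bytes before encoding; base64 of the
    hex text itself would be a 64-byte value that does not match the certificate."""
    hex_part = fingerprint_line.split("=", 1)[1].replace(":", "").strip()
    return b64url(bytes.fromhex(hex_part))


# --- demo-only RSA (RSASSA-PKCS1-v1_5 with SHA-256, i.e. RS256) -------------
def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):  # Miller-Rabin witnesses
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_demo_rsa_key(bits: int = 1024) -> dict:
    """Small demo key (assumption: in practice the key comes from your PFX)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0 and n.bit_length() == bits:
            return {"n": n, "e": e, "d": pow(e, -1, phi)}


_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _emsa_pkcs1_v15(message: bytes, k: int) -> int:
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def rs256_sign(key: dict, message: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(message, k), key["d"], key["n"]).to_bytes(k, "big")


def rs256_verify(key: dict, message: bytes, signature: bytes) -> bool:
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(signature, "big"), key["e"], key["n"]) == _emsa_pkcs1_v15(message, k)


# --- client assertion and token request --------------------------------------
def build_client_assertion(client_id: str, tenant_id: str, thumbprint: str, key: dict, now: int = None) -> str:
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "x5t#S256": thumbprint}
    payload = {
        "aud": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        "iss": client_id, "sub": client_id,
        "jti": str(uuid.uuid4()),      # unique per assertion, lets the server reject replays
        "nbf": now, "exp": now + 600,  # short lifetime limits the damage if it leaks
    }
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    return signing_input + "." + b64url(rs256_sign(key, signing_input.encode("ascii")))


def verify_client_assertion(assertion: str, key: dict):
    """Returns the payload if the RS256 signature checks out, else None."""
    h, p, s = assertion.split(".")
    if not rs256_verify(key, f"{h}.{p}".encode("ascii"), _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(p))


def token_request_body(client_id: str, assertion: str, scope: str = "https://graph.microsoft.com/.default") -> str:
    return urllib.parse.urlencode({
        "client_id": client_id, "scope": scope,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": assertion, "grant_type": "client_credentials",
    })


# Constructed stand-in "certificate": arbitrary bytes in a PEM wrapper, not real X.509.
_DEMO_DER = b"constructed stand-in for DER certificate bytes"
DEMO_CERT_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(_DEMO_DER).decode() + "\n-----END CERTIFICATE-----\n"
# What `openssl x509 -fingerprint -sha256` would print for those same bytes.
DEMO_OPENSSL_LINE = "SHA256 Fingerprint=" + ":".join(f"{b:02X}" for b in hashlib.sha256(_DEMO_DER).digest())

if __name__ == "__main__":
    key = generate_demo_rsa_key()
    jwt = build_client_assertion("your_client_id", "your_tenant_id", x5t_s256_from_pem(DEMO_CERT_PEM), key)
    print(jwt)
    print(token_request_body("your_client_id", jwt))
```

The check on the thumbprint is the part worth keeping around: the value sent in the header must be the base64url form of the raw SHA-256 digest of the DER certificate, which is why the example decodes the openssl hex back to bytes before encoding.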