
How to create a client_assertion

Missaghian, Nevenka 0 Reputation points
13 Jan 2025, 3:17 pm

Hi There,

I'm using MS Entra RESTAPI to authenticate and extract People information.

I have this working with a client secret. I need to now authenticate using a certificate. I need support on creating a client_assertion. I have reviewed

https://zcusa.951200.xyz/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate

https://zcusa.951200.xyz/en-us/entra/identity-platform/certificate-credentials
I am still not certain how to build my encoded JWT assertion.
Can I get the $base64Thumbprint from my certificate?

x5t#S256 - can this be found from my certificate file?

Using this to create my encoded JWT - https://jwt.io/

What should be in my Public Key and Private Key?

Thanks in advance.

Azure API Management

1 answer

  1. Sina Salam 15,241 Reputation points
    13 Jan 2025, 4:40 pm

    Hello Missaghian, Nevenka,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you would like to create a client_assertion and regarding your questions:

    Can I get the $base64Thumbprint from my certificate | x5t#S256 - can this be found from my certificate file?

    Yes! The base64 thumbprint (x5t#S256) can be derived from your certificate. Use the following command to get the thumbprint and then base64 encode it. First, you need to extract the necessary details from your certificate, as in this example:

      openssl x509 -in your_certificate.pem -noout -fingerprint -sha256
    

    The output will be in the format SHA256 Fingerprint=XX:xx:.... Remove the colons and base64 encode the resulting string.

    What should be in my Public Key and Private Key?

    Your Public Key and Private Key should be extracted from your certificate file. Typically, the certificate file contains both the public and private keys.

      openssl pkcs12 -in your_certificate.pfx -nocerts -out private_key.pem
      openssl pkcs12 -in your_certificate.pfx -clcerts -nokeys -out public_key.pem
    

    To create the JWT header, include the algorithm (alg) and the thumbprint (x5t#S256):

    {
      "alg": "RS256",
      "x5t#S256": "base64_encoded_thumbprint"
    }
    

    Then, create the JWT Payload which should include the following claims:

    • aud: The token endpoint URL.
    • exp: Expiration time (in seconds since epoch).
    • iss: The client ID.
    • sub: The client ID.
    • jti: A unique identifier for the token.

    This is an example payload:

    {
      "aud": "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
      "exp": 1618884477,
      "iss": "your_client_id",
      "sub": "your_client_id",
      "jti": "unique_identifier"
    }
    

    Next, encode and sign the JWT using a tool like jwt.io. You will need to provide the header, payload, and your private key.

    Finally, use the client_assertion in the token request to the MS Entra REST API.

    POST /{tenant}/oauth2/v2.0/token HTTP/1.1
    Host: login.microsoftonline.com
    Content-Type: application/x-www-form-urlencoded

    client_id=your_client_id
    &scope=https://graph.microsoft.com/.default
    &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
    &client_assertion=your_encoded_jwt
    &grant_type=client_credentials
    
    

    This should help you create and use a client_assertion for authenticating with the MS Entra REST API using a certificate. You can read more information about the steps in these references:

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
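As an added example (not code from this thread, from the asker, or from Microsoft), the script below does with the openssl CLI what the answer above describes by hand: it computes x5t#S256 as the base64url encoding of the SHA-256 digest of the certificate's DER bytes (the same digest that `openssl x509 -fingerprint -sha256` prints in colon-separated hex), builds the header and payload with the claims listed in the answer, signs the assertion with the private key (RS256), and verifies the signature against the certificate's public key. It assumes the openssl CLI is on PATH; the certificate and key paths, the tenant ID and the client ID are placeholders supplied by the caller, and the self-signed certificate the demo mode generates is throwaway test data, not a real credential.

```shell
#!/bin/sh
# Added example, not code from the Q&A thread or from Microsoft.
# Assumes the openssl CLI is on PATH; cert/key paths and the tenant and
# client IDs are placeholders supplied by the caller.
set -eu

# base64url as JWT uses it: URL-safe alphabet, no '=' padding
b64url() {
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# Reverse of b64url: restore the standard alphabet and padding, then decode
b64url_decode() {
  dec=$(tr '_-' '/+')
  case $(( ${#dec} % 4 )) in 2) dec="$dec==" ;; 3) dec="$dec=" ;; esac
  printf '%s' "$dec" | openssl base64 -d -A
}

# x5t#S256: base64url of the SHA-256 digest of the certificate's DER bytes.
# The digest is taken over the raw DER, not over the hex fingerprint text.
x5t_s256() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -binary | b64url
}

# make_assertion CERT.pem KEY.pem TENANT_ID CLIENT_ID -> prints the signed JWT
make_assertion() {
  cert=$1; key=$2; tenant=$3; client=$4
  thumb=$(x5t_s256 "$cert")
  now=$(date +%s)
  exp=$((now + 600))            # short lifetime: 10 minutes
  jti=$(openssl rand -hex 16)   # fresh per assertion so a replayed one can be rejected
  header=$(printf '{"alg":"RS256","typ":"JWT","x5t#S256":"%s"}' "$thumb" | b64url)
  payload=$(printf '{"aud":"https://login.microsoftonline.com/%s/oauth2/v2.0/token","iss":"%s","sub":"%s","jti":"%s","nbf":%s,"exp":%s}' \
    "$tenant" "$client" "$client" "$jti" "$now" "$exp" | b64url)
  # RS256 = RSASSA-PKCS1-v1_5 over SHA-256, which is what `openssl dgst -sign` does for an RSA key
  sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -sign "$key" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# verify_assertion JWT CERT.pem -> returns 0 when the signature matches the cert's public key
verify_assertion() {
  jwt=$1; cert=$2
  h=${jwt%%.*}; rest=${jwt#*.}; p=${rest%%.*}; s=${rest#*.}
  sigfile=$(mktemp); pubfile=$(mktemp)
  printf '%s' "$s" | b64url_decode > "$sigfile"
  openssl x509 -in "$cert" -pubkey -noout > "$pubfile"
  if printf '%s.%s' "$h" "$p" | openssl dgst -sha256 -verify "$pubfile" -signature "$sigfile" > /dev/null 2>&1; then
    rc=0
  else
    rc=1
  fi
  rm -f "$sigfile" "$pubfile"
  return $rc
}

# Stand-alone demo: generate a throwaway self-signed cert (constructed test data) and print the assertion
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=client-assertion-demo" \
    -keyout "$d/key.pem" -out "$d/cert.pem" -days 1 > /dev/null 2>&1
  make_assertion "$d/cert.pem" "$d/key.pem" "TENANT_ID_PLACEHOLDER" "CLIENT_ID_PLACEHOLDER"
  rm -rf "$d"
fi
```

Run it as `sh build_assertion.sh --demo` to see a complete assertion, or source it and call `make_assertion` with your own certificate, private key, tenant ID and client ID; the printed JWT is the value for `client_assertion` in the token request shown above. The assertion is deliberately short-lived (`exp` ten minutes out) and carries a fresh `jti` each time, so a captured assertion is of little use after its window, and `verify_assertion` lets you check locally that the key you signed with really belongs to the certificate whose thumbprint is in the header before you upload that certificate to the app registration.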

