Hello, to authenticate against an Azure AD app using a certificate you need an X.509 cert that:
- Has 2048-bit or longer keys. 2048-bit size is highly recommended for the best combination of security and performance.
- Uses the RSA cryptographic algorithm. Azure AD currently supports only RSA.
- Is signed with the SHA256 hash algorithm. Azure AD also supports certificates signed with SHA384 and SHA512 hash algorithms.
You will have to reach GoDaddy to see if they can issue certificates that follow the aforementioned requirements.
And yes, you will need to pass the certificate thumbprint. Keep in mind this can be used when requesting an access token alone or in tandem with an id token (hybrid flow):
appsettings.json
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "alfredorevillaatmsft.com",
    "TenantId": "22a84c88-253a-4025-a5c4-e0dc365b8d17",
    "ClientId": "efd38bbf-562c-4cc7-ba4d-2191b3931c95",
    "CallbackPath": "/signin-oidc"
  },
  "DownstreamApi": {
    "Scopes": "user.read"
  }
}
Program.cs
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// Scopes requested up front for the downstream API (space-separated in configuration).
var initialScopes = builder.Configuration["DownstreamApi:Scopes"]?.Split(' ');

// Add services to the container: OpenID Connect sign-in backed by the "AzureAd" section,
// token acquisition for the downstream API, and an in-memory token cache.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
    .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
    .AddInMemoryTokenCaches();

// MVC controllers plus the sign-in/sign-out UI shipped with Microsoft.Identity.Web.UI.
builder.Services.AddControllersWithViews().AddMicrosoftIdentityUI();

// Build the app and enable the authentication and authorization middleware.
var app = builder.Build();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();
And how to acquire an access token:
// ITokenAcquisition is registered by EnableTokenAcquisitionToCallDownstreamApi and injected here.
[Authorize]
public class HomeController : Controller
{
    private readonly ITokenAcquisition tokenAcquisition;

    public HomeController(ITokenAcquisition tokenAcquisition)
    {
        this.tokenAcquisition = tokenAcquisition;
    }

    [AuthorizeForScopes(Scopes = new[] { "user.read" })]
    public async Task<IActionResult> Profile()
    {
        // Acquire the access token.
        string[] scopes = new string[] { "user.read" };
        string accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(scopes);
        // Use the access token to call a protected web API.
        // ...
        return View();
    }
}
For more information take a look at Scenario: A web app that authenticates users and calls web APIs. For a hybrid flow sample take a look at this sample.
Let us know if you need additional assistance. If the answer was helpful, please accept it so that others can find a solution.
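As an added example that is not part of the answer above, the following C# helper loads a certificate by thumbprint and checks it against the three requirements listed at the top (RSA, at least 2048 bits, signed with SHA-256/384/512) before the app is wired to use it. The store location (CurrentUser/My) and the thumbprint value are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class AzureAdCertCheck
{
    // OIDs of the signature algorithms Azure AD accepts: RSA with SHA-256, SHA-384, SHA-512.
    private static readonly HashSet<string> AllowedSignatureOids = new()
    {
        "1.2.840.113549.1.1.11", // sha256WithRSAEncryption
        "1.2.840.113549.1.1.12", // sha384WithRSAEncryption
        "1.2.840.113549.1.1.13", // sha512WithRSAEncryption
    };

    // Returns the requirement violations found; an empty list means the certificate is usable.
    public static IReadOnlyList<string> Validate(X509Certificate2 cert)
    {
        var problems = new List<string>();

        using RSA? rsa = cert.GetRSAPublicKey();
        if (rsa is null)
            problems.Add("Key is not RSA (Azure AD only supports RSA).");
        else if (rsa.KeySize < 2048)
            problems.Add($"RSA key is {rsa.KeySize} bits; 2048 or longer is required.");

        if (!AllowedSignatureOids.Contains(cert.SignatureAlgorithm.Value ?? ""))
            problems.Add($"Signed with {cert.SignatureAlgorithm.FriendlyName}; SHA256, SHA384 or SHA512 with RSA is required.");

        if (!cert.HasPrivateKey)
            problems.Add("No private key: the app cannot sign the client assertion.");

        var now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            problems.Add("Certificate is outside its validity period.");

        return problems;
    }

    // Loads the certificate from the current user's personal store by thumbprint
    // (assumed location; the thumbprint is the value you pass to Azure AD).
    public static X509Certificate2 LoadByThumbprint(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (matches.Count == 0)
            throw new InvalidOperationException($"No certificate with thumbprint {thumbprint} in CurrentUser/My.");
        return matches[0];
    }
}
```

Run `AzureAdCertCheck.Validate(AzureAdCertCheck.LoadByThumbprint("<your thumbprint>"))` at startup and refuse to start if the list is not empty, so a non-compliant certificate fails fast instead of failing at token request time.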