How to get Access Token using Certificate Based Authentication using postman with Azure AD App registration?

Ayinapurapu, Vinaydeep 20 Reputation points
2023-10-11T15:02:47.4+00:00

How to get Access Token using Certificate Based Authentication using postman with Azure AD App registration? I followed the MSFT documentation it says to use 'Client_Credentials' and instead of client secret use the Client_Assertion_Type and Client_Assertion. But i could not get any success. Any direction can any one point is highly appreciated. Below is the link from MSFT that i am following.

https://learn.microsoft.com/en-us/azure/active-directory/develop/certificate-credentials

https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate

Azure
Azure
A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.
993 questions
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,806 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,813 questions
{count} votes

Accepted answer
  1. Navya 4,620 Reputation points Microsoft Vendor
    2023-10-13T11:14:58.7933333+00:00

    Hi @Ayinapurapu, Vinaydeep , thanks for reaching us.

    I understand that you are asking on how to get an Access Token using Certificate Based Authentication using Postman with Azure AD App registration.

    To get an Access Token using Certificate Based Authentication using Postman with Azure AD App registration, you can follow these steps:

    1.Create an Azure AD App registration in Microsoft entra id

    2.Generate a self-signed certificate and upload it to the Azure AD app registration. Below are the steps to generate a self-signed certificate using OpenSSL.

    • Generate your private key with genrsa. openssl genrsa -out certificateprivate.key 2048
    • Run the following command to generate a certificate signing request (CSR). You will be prompted to enter some information, such as your country, state, city, organization, and common name. openssl req -new -key certificateprivate.key -out certificate.csr
    • Run the following command to generate a self-signed certificate: openssl x509 -req -days 365 -in certificate.csr -signkey certificateprivate.key -out accesstokenwithcertificate.crt
    • use below command to retrieve public key in PEM format from private key. openssl rsa -in certificateprivate.key -pubout -out certificatepublickey.pem
    • Upload your public certificate into the application configuration under 'certificates and secrets'. and copy your certificate thumbprint. You can Create a self-signed public certificate using PowerShell. reference

    3.Use www.jwt.io to get Client_assertion

    • Select RS256 algorithm.

    Edit the header, payload, or verify signature fields to modify token as below.

    HEADER:
    {
      "alg": "RS256",
      "typ": "JWT",
      "x5t":"<Base64 Thumbprint"
    }
    PAYLOAD:DATA
    {
      "aud": "https://login.microsoftonline.com/{tenantid/tenantname}/oauth2/v2.0/token",
      "exp": 1699254916(expiration time),
      "iss": "<application client_id>",
      "jti": "<random unique identifier>",
      "nbf": 1699254916,
      "sub": "<application client_id>"
    }
    Verify Signature
    { 
     public key to a PEM format
     Private key to a PEM format
    }
    

    You can see encoded token on the left side. Use encoded token as client-assertion

    4.To get access token using postman, create a new request and set the following parameters:

    • HTTP Method: POST
    • URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
    • Headers:Content-Type: application/x-www-form-urlencoded
    • Body: grant_type=client_credentials client_id={client_id} Scope={applictionid/.default} client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer client_assertion={client_assertion}

    Send the request and you should receive an Access Token in the response.

    Hope this helps. Do let us know if you any further queries.

    Thanks, Navya.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.

0 additional answers

Sort by: Most helpful