How to get Access Token using Certificate Based Authentication using postman with Azure AD App registration? I followed the MSFT documentation it says to use 'Client_Credentials' and instead of client secret use the Client_Assertion_Type and Client_Assertion. But i could not get any success. Any direction can any one point is highly appreciated. Below is the link from MSFT that i am following. https://learn.microsoft.com/en-us/azure/active-directory/develop/certificate-credentials https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate

Hi @Ayinapurapu, Vinaydeep , thanks for reaching us. I understand that you are asking on how to get an Access Token using Certificate Based Authentication using Postman with Azure AD App registration. To get an Access Token using Certificate Based Authentication using Postman with Azure AD App registration, you can follow these steps: 1.Create an Azure AD App registration in Microsoft entra id 2.Generate a self-signed certificate and upload it to the Azure AD app registration. Below are the steps to generate a self-signed certificate using OpenSSL. Generate your private key with genrsa. openssl genrsa -out certificateprivate.key 2048 Run the following command to generate a certificate signing request (CSR). You will be prompted to enter some information, such as your country, state, city, organization, and common name. openssl req -new -key certificateprivate.key -out certificate.csr Run the following command to generate a self-signed certificate: openssl x509 -req -days 365 -in certificate.csr -signkey certificateprivate.key -out accesstokenwithcertificate.crt use below command to retrieve public key in PEM format from private key. openssl rsa -in certificateprivate.key -pubout -out certificatepublickey.pem Upload your public certificate into the application configuration under 'certificates and secrets'. and copy your certificate thumbprint. You can Create a self-signed public certificate using PowerShell. reference 3.Use www.jwt.io to get Client_assertion Select RS256 algorithm. Edit the header, payload, or verify signature fields to modify token as below. HEADER: { "alg": "RS256", "typ": "JWT", "x5t":"<Base64 Thumbprint" } PAYLOAD:DATA { "aud": "https://login.microsoftonline.com/{tenantid/tenantname}/oauth2/v2.0/token", "exp": 1699254916(expiration time), "iss": "<application client_id>", "jti": "<random unique identifier>", "nbf": 1699254916, "sub": "<application client_id>" } Verify Signature { public key to a PEM format Private key to a PEM format } You can see encoded token on the left side. Use encoded token as client-assertion 4.To get access token using postman, create a new request and set the following parameters: HTTP Method: POST URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token Headers:Content-Type: application/x-www-form-urlencoded Body: grant_type=client_credentials client_id={client_id} Scope={applictionid/.default} client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer client_assertion={client_assertion} Send the request and you should receive an Access Token in the response. Hope this helps. Do let us know if you any further queries. Thanks, Navya. Please " Accept the answer " if the information helped you. This will help us and others in the community as well.

How to get Access Token using Certificate Based Authentication using postman with Azure AD App registration?

Accepted answer

Navya 4,470 Reputation points Microsoft Vendor

2023-10-13T11:14:58.7933333+00:00
Hi @Ayinapurapu, Vinaydeep , thanks for reaching us.

I understand that you are asking on how to get an Access Token using Certificate Based Authentication using Postman with Azure AD App registration.

To get an Access Token using Certificate Based Authentication using Postman with Azure AD App registration, you can follow these steps:

1.Create an Azure AD App registration in Microsoft entra id

2.Generate a self-signed certificate and upload it to the Azure AD app registration. Below are the steps to generate a self-signed certificate using OpenSSL.

Generate your private key with genrsa. openssl genrsa -out certificateprivate.key 2048

Run the following command to generate a certificate signing request (CSR). You will be prompted to enter some information, such as your country, state, city, organization, and common name. openssl req -new -key certificateprivate.key -out certificate.csr

Run the following command to generate a self-signed certificate: openssl x509 -req -days 365 -in certificate.csr -signkey certificateprivate.key -out accesstokenwithcertificate.crt

use below command to retrieve public key in PEM format from private key. openssl rsa -in certificateprivate.key -pubout -out certificatepublickey.pem

Upload your public certificate into the application configuration under 'certificates and secrets'. and copy your certificate thumbprint. You can Create a self-signed public certificate using PowerShell. reference

3.Use www.jwt.io to get Client_assertion

Select RS256 algorithm.

Edit the header, payload, or verify signature fields to modify token as below.

HEADER: { "alg": "RS256", "typ": "JWT", "x5t":"<Base64 Thumbprint" } PAYLOAD:DATA { "aud": "https://login.microsoftonline.com/{tenantid/tenantname}/oauth2/v2.0/token", "exp": 1699254916(expiration time), "iss": "<application client_id>", "jti": "<random unique identifier>", "nbf": 1699254916, "sub": "<application client_id>" } Verify Signature { public key to a PEM format Private key to a PEM format }

You can see encoded token on the left side. Use encoded token as client-assertion

4.To get access token using postman, create a new request and set the following parameters:

HTTP Method: POST

URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

Headers:Content-Type: application/x-www-form-urlencoded

Body: grant_type=client_credentials client_id={client_id} Scope={applictionid/.default} client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer client_assertion={client_assertion}

Send the request and you should receive an Access Token in the response.

Hope this helps. Do let us know if you any further queries.

Thanks, Navya.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.

2 people found this answer helpful.
Gupta, Pulsar (SMO IT HUB PL1 DEVOPS 1) 20 Reputation points

2024-01-02T14:28:30.7466667+00:00

I have followed all the steps but getting error.

Please advise

"

The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client

"

Ayinapurapu, Vinaydeep 20 Reputation points

2024-01-03T05:02:38.4833333+00:00

Sorry for delay. I have tried the above steps. I am not able to get the client assertion. I have the .pfx file generated and have entered the public key and private key information and is giving invalid signature. Could you please let me know what information i have to enter in "Verify signature' section?

vinay ayinapurapu 0 Reputation points

2024-01-03T15:26:40.7166667+00:00

@Navya,

I am able to proceed a little further from your references. Now i am getting a different error, which says the following. Could you please help where i could be wrong?

{ "error": "invalid_client", "error_description": "AADSTS700023: Client assertion audience claim does not match Realm issuer. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials . Trace ID: 51172305-7aac-4bcb-84cc-663c8dd51500 Correlation ID: a86f9bbd-f389-446e-a8e4-4f3658c6e783 Timestamp: 2024-01-03 15:24:38Z", "error_codes": [ 700023 ], "timestamp": "2024-01-03 15:24:38Z", "trace_id": "51172305-7aac-4bcb-84cc-663c8dd51500", "correlation_id": "a86f9bbd-f389-446e-a8e4-4f3658c6e783" }

Navya 4,470 Reputation points Microsoft Vendor

2024-01-04T07:07:08.7+00:00

Hi vinay ayinapurapu,

Can you verify if your encoded token (Client-Assertion) meets the requirements for a valid signature? and ensure that the scope is passed as api://applicationid/.default when obtaining the access token.

Gupta, Pulsar (SMO IT HUB PL1 DEVOPS 1) 20 Reputation points

2024-01-04T07:15:43.5166667+00:00

Hi Navya,

Issue got resolved from my end. the x5t was not encoded correctly and I had to do it using code.

Thanks.

Navya 4,470 Reputation points Microsoft Vendor

2024-01-04T07:20:08.77+00:00

Hi Gupta, Pulsar (SMO IT HUB PL1 DEVOPS 1)

Glad to know that your issue has been resolved.

vinay ayinapurapu 0 Reputation points

2024-01-05T05:57:56.4333333+00:00

@Gupta, Pulsar (SMO IT HUB PL1 DEVOPS 1),

Could you please let me know how did you sort the issue? I am getting stuck at same point where you are.

"AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client: 'D7DD85DF6135040E3913DE45E39DF407AE3713B08117617A002D3BEC113C', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'bc1e195a-8e12-4970-8505-a55df221a45a'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/bc1e195a-8e12-4970-8505-a55df221a45a']. Trace ID: dbe99d40-b0be-422f-a3a2-ea8341766900 Correlation ID: 93264c42-4692-4127-ac33-918caea33194 Timestamp: 2024-01-05 05:44:28Z",

Gupta, Pulsar (SMO IT HUB PL1 DEVOPS 1) 20 Reputation points

2024-01-05T06:20:14.45+00:00

I followed the steps to create the self signed certificates, once done I uploaded public certificate on AzureID next step was to create Client-Assertion.

On jwt.io I selected RS256 algo, then changed the payload data with the appropriate data. on the signature section; I copied the public and private key. Make sure the signature is valid.

to create x5t, I had to use python code because using online base64 tools the encoding was not correct. x5t is SHA1

here is the code; but first take the thumbprint of ur certificate from AzureID

import binascii

import base64

thumbprint_hex = '#thumbprint##'

thumbprint_binary = binascii.unhexlify(thumbprint_hex)

x5t_compliant = base64.b64encode(thumbprint_binary).decode('utf-8')

print(x5t_compliant)

use the value of x5t_compliant in your jwt.

Ayinapurapu, Vinaydeep 20 Reputation points

2024-01-05T23:49:53.65+00:00

Thank you so much. Unfortunately, i could not find the same script using PowerShell. However, i could use your python script to get the x5t complaint one. I was under impression that the Azure AD certificate thumbprint works which isn't the case. Appreciate your hel.

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Vinaydeep Ayinapurapu 0 Reputation points

2024-01-11T15:15:56.0533333+00:00

@Gupta, Pulsar (SMO IT HUB PL1 DEVOPS 1), Just want to share one more way to get base 64 encoded thumbprint, Below are the steps i have followed to get base 64 encoded thumbprint using openssl. Step 1: Store all elements of chain of trust, using pkcs12 format and save as file .pem. Below is the command that needs to be run to extract the chain of trust from existing .pfx certificate. openssl pkcs12 -in ./CBATestApp.pfx -out CBATestApp.pem It will ask for password / passphrase that is used to to generate the root certificate from CSR (Certificate Sign Request). Step 2: Once successful enter of passphrase, it will get the certificate in .pem format. Run the below command to get the certificate fingerprint / thumprint. It will be in SHA1 binary format. openssl x509 -in ./CBATestApp.pem -noout -fingerprint Step 3: SHA1 format is not supported in any of the certificate signing standards. We have to get the base 64 encoded thumbprint. For this we need to use sed. sed is linux based package, which lets you to search encode and delete the lines that matches a pattern without using a text editor. At the backend it uses regex. After you get the encoded value from SHA1 it is required to get hexadecimal dump which is supported by POSTMAN. For that we need to use openssl xxd. XXD is a command line tool that is used to get hexadecimal dump from binary format or vice-versa. Below is the command to get the final base64 encoded thumbprint. echo $(openssl x509 -in ./CBATestApp.pem -fingerprint -noout) | sed ‘s/SHA1 Fingerprint=//g’ | sed ‘s/://g’ | xxd -r -ps | base64
References: https://www.tutorialspoint.com/unix_commands/xxd.htm https://arsenvlad.medium.com/certificate-based-auth-with-azure-service-principals-from-linux-command-line-a440c4599cae

Aaron Gregory 0 Reputation points

2024-01-31T22:42:22.3733333+00:00

I ran into an issue while trying to get the correct thumbprint, it never could find my certificate and kept giving me an error until i used this command to create it. echo $(openssl x509 -in accesstokenwithcertificate.crt -fingerprint -noout) | sed 's/SHA1 Fingerprint=//g' | sed 's/://g' | xxd -r -ps | base64

Ayinapurapu, Vinaydeep 20 Reputation points

2024-02-01T02:24:53.32+00:00

Glad it worked out. :)
Sign in to comment

Share via

How to get Access Token using Certificate Based Authentication using postman with Azure AD App registration?

0 additional answers