How to get Access Token using Certificate Based Authentication using Postman with Azure AD App registration?

Sultan Sikandar 0 Reputation points
2025-04-09T01:00:47.3233333+00:00

How to get Access Token using Certificate Based Authentication using Postman with Azure AD App registration?

Microsoft Security Microsoft Entra Microsoft Entra ID

1 answer

  1. Sanoop M 4,145 Reputation points Microsoft External Staff Moderator
    2025-04-09T04:43:48.6+00:00

    Hello @Sultan Sikandar,

    I understand that you need assistance in getting an access token using Certificate Based Authentication using Postman with a Microsoft Entra ID App Registration application.

    To get an Access Token using Certificate Based Authentication using Postman with a Microsoft Entra ID App Registration application, please follow the steps mentioned below:

    1. Create an App registration application in Microsoft Entra ID by following the steps as mentioned in the below document.

    Quickstart: Register an app in Microsoft Entra ID - Microsoft identity platform | Microsoft Learn

    2. Generate a self-signed certificate and upload it to the Microsoft Entra ID App registration application. Below are the steps to generate a self-signed certificate using OpenSSL.

    • Generate your private key with genrsa.
          openssl genrsa -out certificateprivate.key 2048
    • Run the following command to generate a certificate signing request (CSR). You will be prompted to enter some information, such as your country, state, city, organization, and common name.
          openssl req -new -key certificateprivate.key -out certificate.csr
    • Run the following command to generate a self-signed certificate:
          openssl x509 -req -days 365 -in certificate.csr -signkey certificateprivate.key -out accesstokenwithcertificate.crt
    • Use the below command to retrieve the public key in PEM format from the private key.
          openssl rsa -in certificateprivate.key -pubout -out certificatepublickey.pem
    • Upload your public certificate into the application configuration page under 'Certificates and Secrets' tab and copy your certificate thumbprint.
    • You can create a self-signed public certificate using PowerShell by following the steps as mentioned in the below document.
    • Create a self-signed public certificate to authenticate your application - Microsoft identity platform | Microsoft Learn

    3. Use www.jwt.io to get Client_assertion

    • Select RS256 algorithm.

    Edit the Header, Payload, and Verify Signature fields to modify token as below.

    HEADER:

    {
      "alg": "RS256",
      "typ": "JWT",
      "x5t": "<Base64 Thumbprint>"
    }

    PAYLOAD: DATA

    {
      "aud": "https://login.microsoftonline.com/{tenantid/tenantname}/oauth2/v2.0/token",
      "exp": 1699254916 (expiration time),
      "iss": "<application client_id>",
      "jti": "<random unique identifier>",
      "nbf": 1699254916,
      "sub": "<application client_id>"
    }

    Verify Signature

    {
      public key to a PEM format
      Private key to a PEM format
    }

    You can see the encoded token on the left side of the page. Use the encoded token as client_assertion.

    4. To get an access token using Postman, create a new request and set the following parameters:

    • HTTP Method: POST
    • URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body:
          grant_type=client_credentials
          client_id={client_id}
          scope={applicationid/.default}
          client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
          client_assertion={client_assertion}

    Send the request and you should receive an Access Token in the response.

    Please refer to the below documents which will be helpful.

    Microsoft identity platform certificate credentials - Microsoft identity platform | Microsoft Learn

    OAuth 2.0 client credentials flow on the Microsoft identity platform - Microsoft identity platform | Microsoft Learn

    I hope the above information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

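An added example, not part of the original answer: the client_assertion from step 3 built and checked locally with OpenSSL, so the private key stays on the machine instead of being pasted into a website. The function names and the 10-minute lifetime are assumptions; the file names in the usage line are the ones from the answer's openssl steps.

```bash
#!/usr/bin/env bash
# Added example: build the client_assertion JWT locally with OpenSSL.
# Function names and the 600-second lifetime are assumptions, not from the answer.

# base64url without padding, as JWT segments require
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# x5t: base64url of the SHA-1 hash of the DER-encoded certificate
cert_x5t() { openssl x509 -in "$1" -outform DER | openssl dgst -sha1 -binary | b64url; }

# make_assertion KEY CERT TENANT CLIENT_ID -> prints header.payload.signature
make_assertion() {
  local key="$1" cert="$2" tenant="$3" client_id="$4" now header payload input sig
  now=$(date +%s)
  header=$(printf '{"alg":"RS256","typ":"JWT","x5t":"%s"}' "$(cert_x5t "$cert")" | b64url)
  payload=$(printf '{"aud":"https://login.microsoftonline.com/%s/oauth2/v2.0/token","exp":%d,"iss":"%s","jti":"%s","nbf":%d,"sub":"%s"}' \
    "$tenant" "$((now + 600))" "$client_id" "$(openssl rand -hex 16)" "$now" "$client_id" | b64url)
  input="$header.$payload"
  # RS256 = RSASSA-PKCS1-v1_5 with SHA-256 over "header.payload"
  sig=$(printf '%s' "$input" | openssl dgst -sha256 -sign "$key" -binary | b64url)
  printf '%s.%s\n' "$input" "$sig"
}

# verify_assertion JWT CERT -> returns 0 only if the signature matches the certificate's public key
verify_assertion() {
  local jwt="$1" cert="$2" input sig tmp rc=0
  input="${jwt%.*}"; sig="${jwt##*.}"
  case $(( ${#sig} % 4 )) in 2) sig="$sig==" ;; 3) sig="$sig=" ;; esac  # restore padding
  tmp=$(mktemp -d)
  printf '%s' "$sig" | tr '_-' '/+' | openssl base64 -d -A > "$tmp/sig.bin"
  openssl x509 -in "$cert" -pubkey -noout > "$tmp/pub.pem"
  printf '%s' "$input" | openssl dgst -sha256 -verify "$tmp/pub.pem" \
    -signature "$tmp/sig.bin" >/dev/null 2>&1 || rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# Usage: ./assertion.sh certificateprivate.key accesstokenwithcertificate.crt <tenant> <client_id>
if [ "$#" -eq 4 ]; then make_assertion "$@"; fi
```

The printed value goes into the client_assertion field of the Postman request body in step 4.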
