How to generate JWT token for client_assertion?

Devansh Agarwal 20 Reputation points
2024-07-18T08:15:12.36+00:00

We have an app registration which is connected to an external API. We have to use this API in our Azure Data Factory. For this purpose, until now we were generating client secrets and generating tokens (in Azure Data Factory) from this URL - login.microsoftonline.com/{tenant}/oauth2/v2.0/token. Now, to eliminate the use of secrets, we have created a managed identity and linked it to our App registration using federated credentials. Now we have to generate tokens using this user-assigned managed identity. However, in the data factory, when we are trying to generate the tokens using the Method "POST", the body requires us to add grant_type even when using a User Assigned Managed Identity for authentication. This requires us to add a client_assertion in the body as well, but we are not sure how to proceed with that. Thank you for the help.


The URL is login.microsoftonline.com/{tenant}/oauth2/v2.0/token

The credentials are those of the UAMI that has been created.

Also, if there is any other value of grant_type that can eliminate the need for client credentials then also it would be helpful. (As the authentication is being done through a managed identity directly so ideally a token should not be required for the same).


Accepted answer
Chandra Boorla 1,500 Reputation points Microsoft Vendor
2024-07-18T11:05:29.9633333+00:00

Hi @DevanshAgarwal-0149

Thanks for the question and for using the MS Q&A platform.

To authenticate using a User-Assigned Managed Identity (UAMI) in Azure Data Factory (ADF) with an external API without using client secrets, you will indeed need to generate a client assertion. This involves creating a JWT (JSON Web Token) signed with the private key of the managed identity certificate.

To generate a token using a user-assigned managed identity in an Azure Data Factory (ADF) pipeline, here's a step-by-step guide on how to generate a client assertion and use it to obtain an access token in ADF:

Create a user-assigned managed identity: Create a user-assigned managed identity in Azure and link it to your App registration.

Create a certificate for the managed identity: Generate a certificate for the managed identity and upload it to Azure.

Configure the ADF pipeline: In the ADF pipeline, create a new Web activity and configure it to send a POST request to the token endpoint. The request includes the client_id, client_assertion_type, client_assertion, assertion, requested_token_use, and scope.

Generate the client assertion: In the ADF pipeline, create a new Set variable activity to generate the clientAssertion variable. This script generates a JSON Web Token (JWT) using the managed identity's certificate and private key. The JWT is then used as the client_assertion in the token request.

Send the token request: Run the ADF pipeline, and the Web activity sends the token request to the token endpoint. The response contains an access token, which you can use to authenticate with the external API.

The above approach is how to authenticate with an external API using a user-assigned managed identity in an ADF pipeline. It's important to handle errors and exceptions properly in your ADF pipeline, and you may need to modify the script to fit your specific requirements.

I hope this helps; please do let us know if you have any further queries.


If this answers your query, do click Accept Answer and Yes for "Was this answer helpful?". And, if you have any further query, do let us know.
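As an added illustration (not code from the question or the answer above) of what the "Generate the client assertion" step has to produce, the Go program below, using only the standard library, builds an RS256-signed client assertion carrying the claims the v2.0 token endpoint validates (aud, iss, sub, jti, nbf, iat, exp) and the form body the Web activity posts with it. It assumes the caller already holds the private key of the certificate registered on the app registration and its x5t thumbprint; the client ID, tenant and scope in the test are placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"net/url"
	"time"
)

// JWS segments are base64url without padding (RFC 7515).
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientAssertion signs the JWT that Entra ID accepts as client_assertion in the
// client_credentials grant. tokenEndpoint is the audience (the exact v2.0 token URL it
// will be posted to); x5t is the base64url SHA-1 thumbprint of the app's certificate.
func BuildClientAssertion(key *rsa.PrivateKey, x5t, clientID, tokenEndpoint string, now time.Time) (string, error) {
	jti := make([]byte, 16) // unique per assertion, so a captured one cannot be replayed
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": x5t})
	claims, _ := json.Marshal(map[string]any{
		"aud": tokenEndpoint, "iss": clientID, "sub": clientID, "jti": b64url(jti),
		"nbf": now.Unix(), "iat": now.Unix(),
		"exp": now.Add(10 * time.Minute).Unix(), // keep assertions short-lived
	})
	input := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]) // RS256
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// TokenRequestBody is the form body the ADF Web activity posts to the token endpoint;
// the signed assertion stands in for client_secret.
func TokenRequestBody(clientID, assertion, scope string) url.Values {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"client_id":             {clientID},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion},
		"scope":                 {scope},
	}
}
```

Post `TokenRequestBody(...).Encode()` as `application/x-www-form-urlencoded` to the token URL used as the audience; a mismatch between the aud claim and the URL actually called is the most common reason the endpoint rejects the assertion.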

