Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Note
This feature is available from MSAL 4.3.2 onward
Microsoft Entra ID is capable of issuing SSH certificates instead of bearer tokens. These are not the same as SSH public keys. Currently this is available as an extension method on AcquireTokenSilent and AcquireTokenInteractive.
var result = await pca
.AcquireTokenSilent(s_scopes, account)
.WithSSHCertificateAuthenticationScheme(jwk, "keyID1")
.ExecuteAsync();
Paramters:
jwk- The public SSH key in JWK format as described at https://tools.ietf.org/html/rfc7517 . Currently only RSA with a minimum key size of 2048 bytes is supported.keyID- Any string that distinguishes between keys (usually hash of the key, but format is not important)
Example creating a JWK
private string CreateJwk()
{
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(2048);
RSAParameters rsaKeyInfo = rsa.ExportParameters(false);
// Algorithm behind Base64UrlHelpers.Encode is described here https://www.rfc-editor.org/rfc/rfc7515.html#appendix-C
string modulus = Base64UrlHelpers.Encode(rsaKeyInfo.Modulus);
string exp = Base64UrlHelpers.Encode(rsaKeyInfo.Exponent);
string jwk = $"{{\"kty\":\"RSA\", \"n\":\"{modulus}\", \"e\":\"{exp}\"}}";
return jwk;
}