How to get OAuth 2.0 access token with a certificate on the Microsoft identity platform?

If you are familiar with OAuth 2.0, you already know how to call the token endpoint with a client ID, a client secret, a scope and a grant type.

Azure Active Directory (Azure AD) supports two types of authentication for service principals: password-based authentication (app secret) and certificate-based authentication. While app secrets can easily be created in the Azure portal or using a Microsoft API like Microsoft Graph, they're long-lived, and not as secure as certificates. It's therefore recommended that your application uses a certificate rather than a secret.

To be more secure, you might want to try certificate-based authentication. According to this Microsoft Learn guide, the key part is to compute a client assertion from your certificate file. Another Microsoft Learn page shows that MSAL.NET offers four methods for providing either credentials or assertions to a confidential client app. But how can you do the same computation in a Spring Boot Java backend that acts as an OAuth 2.0 client?

Use the Spring Boot Starter for Azure Active Directory?

Yup, the Spring Boot Starter for Azure AD is a good fit for your Java backend if your app is servlet-based. But you can't use it if you build on the reactive Spring WebFlux framework, since spring-cloud-azure-starter-active-directory does not support the reactive stack yet.

Spring Boot Starter for Azure Active Directory developer's guide: describes the features, issues, workarounds, and diagnostic steps to be aware of when you use the Azure Active Directory starter.

AadJwtEncoder.java

It is easy to make the request itself: POST an application/x-www-form-urlencoded body with the required parameters to the token endpoint, as the OAuth 2.0 spec describes. You can do it declaratively with a WebClient.

As you can see, one of those parameters is an assertion (a JSON Web Token) that you need to create and sign with the certificate you registered as credentials for your application. Although we can't use spring-cloud-azure-starter-active-directory in a reactive Spring Boot app, we can still read its AadJwtEncoder::encode implementation to see how the client_assertion is computed with the private key of your certificate.

How does spring-cloud-azure-starter-active-directory compute client_assertion?

An assertion (a JSON web token) that you need to create and sign with the certificate you registered as credentials for your application. Read about certificate credentials to learn how to register your certificate and the format of the assertion.
azure-sdk-for-java/AadJwtClientAuthenticationParametersConverter.java at main · Azure/azure-sdk-for-java
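To make the two steps above concrete (the form-encoded POST sent with WebClient, and the client_assertion computed from the certificate's private key), here is an added example written for this post. It is neither the page's own AadJwtEncoder nor the Azure SDK's converter; it uses only the JDK for the JWT and Spring WebFlux for the request. The class name, the PKCS12 keystore path, the argument order of main, and the 5-minute assertion lifetime are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.UUID;

import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.MediaType;
import org.springframework.web.reactive.function.BodyInserters;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

/** Added example (not the page's or the Azure SDK's code): build and send a certificate-signed client_assertion. */
public final class CertClientCredentials {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final String ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

    /** x5t header value: base64url(SHA-1 over the DER-encoded certificate), i.e. the thumbprint shown in the portal. */
    static String x5t(X509Certificate cert) throws Exception {
        return B64.encodeToString(MessageDigest.getInstance("SHA-1").digest(cert.getEncoded()));
    }

    /**
     * The JWT from the "certificate credentials" doc: header {alg, typ, x5t},
     * claims {aud, iss, sub, jti, nbf, iat, exp}, signed RS256 with the certificate's private key.
     * clientId (a GUID) and tokenEndpoint (a URL) come from trusted config, so no JSON escaping is done here.
     */
    static String buildClientAssertion(String clientId, String tokenEndpoint,
                                       X509Certificate cert, PrivateKey key) throws Exception {
        long now = Instant.now().getEpochSecond();
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\",\"x5t\":\"" + x5t(cert) + "\"}";
        String claims = String.format(
            "{\"aud\":\"%s\",\"iss\":\"%s\",\"sub\":\"%s\",\"jti\":\"%s\",\"nbf\":%d,\"iat\":%d,\"exp\":%d}",
            tokenEndpoint, clientId, clientId, UUID.randomUUID(), now, now, now + 300); // assumed 5-minute lifetime
        String signingInput = B64.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + "."
                            + B64.encodeToString(claims.getBytes(StandardCharsets.UTF_8));
        Signature rs256 = Signature.getInstance("SHA256withRSA");
        rs256.initSign(key);
        rs256.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64.encodeToString(rs256.sign());
    }

    /** Local sanity check before sending: the assertion must verify under the public key of the registered certificate. */
    static boolean verifyLocally(String assertion, PublicKey pub) throws Exception {
        String[] parts = assertion.split("\\.");
        if (parts.length != 3) return false;
        Signature rs256 = Signature.getInstance("SHA256withRSA");
        rs256.initVerify(pub);
        rs256.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return rs256.verify(Base64.getUrlDecoder().decode(parts[2]));
    }

    /** The application/x-www-form-urlencoded POST to the token endpoint, written declaratively with WebClient. */
    static Mono<Map<String, Object>> requestToken(WebClient client, String tokenEndpoint,
                                                  String clientId, String scope, String assertion) {
        return client.post()
            .uri(tokenEndpoint)
            .contentType(MediaType.APPLICATION_FORM_URLENCODED)
            .body(BodyInserters.fromFormData("client_id", clientId)
                .with("scope", scope)
                .with("grant_type", "client_credentials")
                .with("client_assertion_type", ASSERTION_TYPE)
                .with("client_assertion", assertion))
            .retrieve()
            .bodyToMono(new ParameterizedTypeReference<Map<String, Object>>() {});
    }

    // Assumed invocation: java CertClientCredentials app.p12 <p12-password> <tenant-id> <client-id> <scope>
    public static void main(String[] args) throws Exception {
        String p12Path = args[0], p12Password = args[1], tenantId = args[2], clientId = args[3], scope = args[4];
        String tokenEndpoint = "https://login.microsoftonline.com/" + tenantId + "/oauth2/v2.0/token";

        // The private key never leaves the keystore object; only the signed, short-lived assertion goes on the wire.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) {
            ks.load(in, p12Password.toCharArray());
        }
        String alias = ks.aliases().nextElement();
        PrivateKey key = (PrivateKey) ks.getKey(alias, p12Password.toCharArray());
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);

        String assertion = buildClientAssertion(clientId, tokenEndpoint, cert, key);
        if (!verifyLocally(assertion, cert.getPublicKey())) {
            throw new IllegalStateException("assertion does not verify with the certificate's public key");
        }

        Map<String, Object> token = requestToken(WebClient.create(), tokenEndpoint, clientId, scope, assertion).block();
        System.out.println("token_type=" + token.get("token_type") + " expires_in=" + token.get("expires_in"));
    }
}
```

Two practical notes. The aud claim must be the exact token endpoint you post to (the v2.0 URL above), and for the client credentials grant on v2.0 the scope is the resource's `.default` scope, for example `https://graph.microsoft.com/.default`. Keep the assertion short-lived and mint a fresh jti for every request: the assertion is a bearer credential for the few minutes it is valid, so it should be built per call rather than cached alongside the access token.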

References

OAuth 2.0 client credentials flow on the Microsoft identity platform - Microsoft Entra
Build web applications by using the Microsoft identity platform implementation of the OAuth 2.0 authentication protocol.
Microsoft identity platform certificate credentials - Microsoft Entra
This article discusses the registration and use of certificate credentials for application authentication.
Create a self-signed public certificate to authenticate your application - Microsoft Entra
Create a self-signed public certificate to authenticate your application.
