How to get OAuth 2.0 access token with a certificate on the Microsoft identity platform?
If you are familiar with OAuth 2.0, you already know how to request a token from the token endpoint with a client ID, client secret, scope and grant type (for a backend service, the client credentials grant).
Azure Active Directory (Azure AD) supports two types of authentication for service principals: password-based authentication (app secret) and certificate-based authentication. While app secrets can easily be created in the Azure portal or using a Microsoft API like Microsoft Graph, they're long-lived, and not as secure as certificates. It's therefore recommended that your application uses a certificate rather than a secret.
To be more secure, you might want to try certificate-based authentication instead. According to this Microsoft Learn guide, the key part is to compute a client assertion from your certificate: a JWT signed with the certificate's private key that takes the place of the client secret in the token request. In another Microsoft Learn link, MSAL.NET has four methods to provide either credentials or assertions to the confidential client app. But how can you do the same computation in your Spring Boot Java backend application acting as an OAuth 2.0 client?
Use Spring Boot Starter for Azure Active Directory?
Yes, Spring Boot Starter for Azure AD is a good fit for your Java backend application if your app is servlet-based. But you can't use it if your app is built on the reactive Spring WebFlux framework, since spring-cloud-azure-starter-active-directory does not support the reactive stack yet.
AadJwtEncoder.java
It is easy to make the request itself: POST an application/x-www-form-urlencoded body carrying the required parameters to the token endpoint, as the OAuth 2.0 spec describes (they go in the body, not in the query string). You can do it declaratively with a WebClient.
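The token request as a reactive WebClient call is shown below as an added example; it is not code from the original post or from spring-cloud-azure. The class name, the tenant ID and client ID, the scope value and the TokenResponse record are assumptions for illustration. The client_assertion string (the signed JWT) is taken as an input here and built separately from the certificate.

```java
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
import org.springframework.http.MediaType;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.reactive.function.BodyInserters;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

/**
 * Added example (not from the original post): requests an access token from the
 * Microsoft identity platform v2.0 token endpoint with the client credentials grant,
 * authenticating the app with a certificate-backed client assertion instead of a secret.
 * The assertion (a JWT signed with the certificate's private key) is built elsewhere
 * and passed in as a string.
 */
public class AadClientCredentialsTokenClient {

    // Fixed by RFC 7523 and required by the Microsoft identity platform
    static final String CLIENT_ASSERTION_TYPE =
            "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

    private final WebClient webClient;
    private final String tokenEndpoint;
    private final String clientId;

    public AadClientCredentialsTokenClient(WebClient webClient, String tenantId, String clientId) {
        this.webClient = webClient;
        // v2.0 token endpoint; the exact same URL must be the "aud" claim of the assertion
        this.tokenEndpoint = "https://login.microsoftonline.com/" + tenantId + "/oauth2/v2.0/token";
        this.clientId = clientId;
    }

    /** The form-encoded body of the POST. Note that there is no client_secret anywhere. */
    static MultiValueMap<String, String> tokenRequestForm(String clientId, String scope,
                                                          String clientAssertion) {
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "client_credentials");
        form.add("client_id", clientId);
        form.add("scope", scope);                          // e.g. https://graph.microsoft.com/.default
        form.add("client_assertion_type", CLIENT_ASSERTION_TYPE);
        form.add("client_assertion", clientAssertion);     // the signed JWT
        return form;
    }

    /** Returns the bearer token; never log it. Cache it until expires_in instead of re-requesting. */
    public Mono<String> requestAccessToken(String scope, String clientAssertion) {
        return webClient.post()
                .uri(tokenEndpoint)
                .contentType(MediaType.APPLICATION_FORM_URLENCODED)
                .body(BodyInserters.fromFormData(tokenRequestForm(clientId, scope, clientAssertion)))
                .retrieve()                                 // 4xx/5xx surface as WebClientResponseException
                .bodyToMono(TokenResponse.class)
                .map(TokenResponse::accessToken);
    }

    /** Minimal view of the JSON token response; unknown fields are ignored. */
    @JsonIgnoreProperties(ignoreUnknown = true)
    record TokenResponse(@JsonProperty("access_token") String accessToken,
                         @JsonProperty("token_type") String tokenType,
                         @JsonProperty("expires_in") long expiresIn) {
    }
}
```

Usage, with placeholder values: `new AadClientCredentialsTokenClient(WebClient.create(), "<tenant-id>", "<client-id>").requestAccessToken("https://graph.microsoft.com/.default", clientAssertion)` yields a `Mono<String>` with the access token. A failed assertion (wrong audience, expired, thumbprint not registered) comes back as an HTTP 401 with an `AADSTS` error code in the JSON body, which `retrieve()` turns into a `WebClientResponseException`; read `getResponseBodyAsString()` on it while debugging.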
As you can see, there is an assertion (a JSON Web Token) that you need to create and sign with the certificate you registered as a credential for your application. Although we can't use spring-cloud-azure-starter-active-directory in our reactive Spring Boot app, we can still refer to its AadJwtEncoder::encode implementation and see how it computes the client_assertion with the private key from your certificate.
How does spring-cloud-azure-starter-active-directory compute client_assertion?
An assertion (a JSON web token) that you need to create and sign with the certificate you registered as credentials for your application. Read about certificate credentials to learn how to register your certificate and the format of the assertion.
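The assertion format described above, worked through in plain JDK code as an added example (it is not the AadJwtEncoder implementation from spring-cloud-azure, which uses Nimbus JOSE under the hood, nor code from the original post). It assumes the certificate and private key are in a PKCS#12 file; the file name, password, tenant ID and client ID are placeholders. The header carries alg RS256 and x5t (the base64url SHA-1 thumbprint of the certificate), and the claims are aud, iss, sub, jti, nbf and exp, which is what the certificate credentials page specifies.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Base64;
import java.util.UUID;

/**
 * Added example (not from the original post or from spring-cloud-azure): builds the
 * client_assertion JWT for certificate credentials on the Microsoft identity platform.
 *   header : {"alg":"RS256","typ":"JWT","x5t":base64url(SHA-1(certificate DER))}
 *   claims : {"aud","iss","sub","jti","nbf","exp"}
 *   signature: RSASSA-PKCS1-v1_5 with SHA-256 over base64url(header).base64url(claims)
 * Only the JDK is used, so it works in a WebFlux app without the servlet-only starter.
 */
public final class AadClientAssertion {

    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();
    private static final long LIFETIME_SECONDS = 600;   // keep assertions short-lived; AAD checks exp

    private final PrivateKey privateKey;
    private final String x5t;

    public AadClientAssertion(PrivateKey privateKey, X509Certificate certificate) throws Exception {
        this.privateKey = privateKey;
        // x5t = base64url of the SHA-1 thumbprint of the DER certificate, i.e. the same
        // thumbprint the Azure portal shows on the app registration. SHA-1 is used here
        // only as an identifier to select the registered certificate, not for security.
        byte[] sha1 = MessageDigest.getInstance("SHA-1").digest(certificate.getEncoded());
        this.x5t = B64URL.encodeToString(sha1);
    }

    /** Loads key and certificate from a PKCS#12 file (assumed to contain a single entry). */
    public static AadClientAssertion fromPkcs12(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        String alias = ks.aliases().nextElement();
        PrivateKey key = (PrivateKey) ks.getKey(alias, password);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        return new AadClientAssertion(key, cert);
    }

    /**
     * @param clientId      application (client) ID of the app registration; becomes iss and sub
     * @param tokenEndpoint the exact URL the assertion will be POSTed to; becomes aud
     * @param now           issue time, injected so callers can control the clock
     */
    public String sign(String clientId, String tokenEndpoint, Instant now) throws Exception {
        long nbf = now.getEpochSecond();
        long exp = nbf + LIFETIME_SECONDS;
        // clientId is a GUID and tokenEndpoint is a URL, so no JSON escaping is needed here
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\",\"x5t\":\"" + x5t + "\"}";
        String claims = "{\"aud\":\"" + tokenEndpoint + "\""
                + ",\"iss\":\"" + clientId + "\""
                + ",\"sub\":\"" + clientId + "\""
                + ",\"jti\":\"" + UUID.randomUUID() + "\""   // unique per assertion, as the format requires
                + ",\"nbf\":" + nbf
                + ",\"exp\":" + exp + "}";
        String signingInput = b64url(header) + "." + b64url(claims);

        Signature rs256 = Signature.getInstance("SHA256withRSA");   // JWS "RS256"
        rs256.initSign(privateKey);
        rs256.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64URL.encodeToString(rs256.sign());
    }

    private static String b64url(String json) {
        return B64URL.encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file name, password, tenant ID and client ID (assumptions, not real values)
        AadClientAssertion signer = fromPkcs12("client-cert.pfx", "changeit".toCharArray());
        String tokenEndpoint = "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token";
        System.out.println(signer.sign("<client-id>", tokenEndpoint, Instant.now()));
    }
}
```

The private key never leaves the process and nothing long-lived is transmitted: each request to the token endpoint gets a fresh, ten-minute assertion, which is the property that makes certificate credentials preferable to an app secret. If the token endpoint rejects the assertion, check the three things that must agree exactly: the x5t thumbprint against the certificate uploaded to the app registration, the aud claim against the URL you POST to, and the certificate's validity period against the current time.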