{"id":3189,"date":"2015-02-06T10:29:56","date_gmt":"2015-02-06T18:29:56","guid":{"rendered":"http:\/\/www.cloudidentity.com\/blog\/?p=3189"},"modified":"2015-02-06T10:29:56","modified_gmt":"2015-02-06T18:29:56","slug":"requesting-an-aad-token-with-a-certificate-without-adal","status":"publish","type":"post","link":"https:\/\/www.cloudidentity.com\/blog\/2015\/02\/06\/requesting-an-aad-token-with-a-certificate-without-adal\/","title":{"rendered":"Requesting an AAD Token with a Certificate – without ADAL"},"content":{"rendered":"

I am sure you have seen the exciting news about daemon apps & O365<\/a> that Alex shared a couple of days ago.<\/p>\n

That post reinvigorated interest in the token request flow based on certificates. We have a complete end to end sample<\/a> giving you step by step guidance on how to implement that flow with ADAL .NET, but we don\u2019t yet have detailed protocol documentation for it.
We will get to it, but in the meanwhile: if you need to reproduce the same flow in a different platform, a good trick is to run the e2e sample and observe a trace of the traffic it generates. To give you a headstart, here there\u2019s a breakdown of the token request it generates \u2013 mildy formatted for your screens:<\/p>\n

POST <\/font>https:\/\/login.windows.net\/contoso.onmicrosoft.com\/oauth2\/token<\/font><\/a> HTTP\/1.1
Content-Type: application\/x-www-form-urlencoded
client-request-id: a2ef0cd8-60e5-4620-ac66-6f2a344e075b
return-client-request-id: true<\/p>\n

Host: login.windows.net
Content-Length: 986
Expect: 100-continue
Connection: Keep-Alive<\/font><\/p>\n

resource=https%3A%2F%2Fcontoso.onmicrosoft.com%2FTodoListService
&client_id=82692da5-a86f-45c9-9d53-2f88d51b478b
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=eyJhbGciOi[\u2026a lot of stuff\u2026]-j5UBo1A
&grant_type=client_credentials<\/font><\/p>\n

The main things to notice here:<\/p>\n

1) it\u2019s a POST to the token endpoint<\/p>\n

2) it is a client_credentials grant, as expected<\/p>\n

3) you need to specify as client_assertion_type the magic value urn:ietf:params:oauth:client-assertion-type:jwt-bearer<\/font><\/p>\n

The other thing of interest is in the client_assertion itself, which is the artifact in which the certificate actually comes into play: it\u2019s an assertion you need to create and sign with the certificate you registered as credential for your application. ADAL does this for you, ut if you want to work directly at the protocol level you\u2019ll have to do it yourself. Here there\u2019s how the JWT of the assertion looks like, as decoded by Google\u2019s JWT decoder<\/a>.<\/p>\n

\"image\"<\/a><\/p>\n

Things to notice:<\/p>\n

1) As this is signed with a certificate, the algorithm is RS256<\/p>\n

2) subject and issuer are the same \u2013 the identifier of the client! \"Smile\"<\/p>\n

3) the assertion is scoped to the token endpoint, its intended destination<\/p>\n

 <\/p>\n

That\u2019s it! It should be really straightforward for you to use any JWT library on your favorite platform to produce the above. Have fun! \"Smile\"<\/p>\n","protected":false},"excerpt":{"rendered":"

I am sure you have seen the exciting news about daemon apps & O365 that Alex shared a couple of days ago. That post reinvigorated interest in the token request flow based on certificates. We have a complete end to end sample giving you step by step guidance on how to implement that…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3189","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/3189","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/comments?post=3189"}],"version-history":[{"count":1,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/3189\/revisions"}],"predecessor-version":[{"id":3190,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/3189\/revisions\/3190"}],"wp:attachment":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/media?parent=3189"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/categories?post=3189"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/tags?post=3189"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}