
I've written an EWS application in C++. Currently it supports Basic and NTLM authentication; now I'm trying to support OAuth authentication.

Since it is a C++ application I can't use .NET AcquireToken, so I need to post the request below for OAuth authentication:

POST https://login.microsoftonline.com/b9bd2162xxx/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

resource=https://tailspin.onmicrosoft.com/surveys.webapi
&client_id=87df91dc-63de-4765-8701-b59cc8bd9e11
&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
&client_assertion=eyJhbGci...
&grant_type=authorization_code

So my question is: if I'm constructing the request myself, how can I get the client_assertion string? Is there any API/open source library to produce this string from a .pfx/X.509 certificate?

Vinod

1 Answer

Based on the value of grant_type, you are using the Authorization Code Grant Flow. This flow is used for an interactive app. If this is the flow you want to use, there is no need to provide the client_assertion and client_assertion_type.

You can refer to the requests below for this flow.

1. Request an authorization code:

https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&resource=https%3A%2F%2Fservice.contoso.com%2F
&state=12345

2. Use the authorization code to request an access token:

POST /{tenant}/oauth2/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&client_id=2d4d11a2-f814-46a7-890a-274a72a7309e
&code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrqqf_ZT_p5uEAEJJ_nZ3UmphWygRNy2C3jJ239gV_DBnZ2syeg95Ki-374WHUP-i3yIhv5i-7KU2CEoPXwURQp6IVYMw-DjAOzn7C3JCu5wpngXmbZKtJdWmiBzHpcO2aICJPu1KvJrDLDP20chJBXzVYJtkfjviLNNW7l7Y3ydcHDsBRKZc3GuMQanmcghXPyoDg41g8XbwPudVh7uCmUponBQpIhbuffFP_tbV8SNzsPoFz9CLpBCZagJVXeqWoYMPe2dSsPiLO9Alf_YIe5zpi-zY4C3aLw5g9at35eZTfNd0gBRpR5ojkMIcZZ6IgAA
&redirect_uri=https%3A%2F%2Flocalhost%2Fmyapp%2F
&resource=https%3A%2F%2Fservice.contoso.com%2F
&client_secret=p@ssw0rd

//NOTE: client_secret only required for web apps

For more detail about this flow, please refer to the document below:

Authorize access to web applications using OAuth 2.0 and Azure Active Directory

Update

using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL
string clientId = "";   // application (client) id from the app registration
string thumbprint = ""; // thumbprint of the certificate uploaded to the app registration
X509Certificate2 cert = GetCertificate(thumbprint);
string resource = "";   // resource identifier, e.g. https://outlook.office365.com for EWS
string authority = "https://login.microsoftonline.com/{tenant}";
AuthenticationContext authContext = new AuthenticationContext(authority);
// ADAL builds and signs the client_assertion JWT from the certificate for you
var result = authContext.AcquireTokenAsync(resource, new ClientAssertionCertificate(clientId, cert)).Result;
Console.WriteLine(result.AccessToken);
static X509Certificate2 GetCertificate(string thumbprint) // looks the certificate (with private key) up in the user's personal store
{
    var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly);
    var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
    return found.Count > 0 ? found[0] : throw new InvalidOperationException("certificate not found");
}
Fei Xue
  • My EWS application runs as a service; there is no interaction with the end user. In this case how can I get client_assertion to post the query below? POST https://login.microsoftonline.com/b9bd2162xxx/oauth2/token HTTP/1.1 Content-Type: application/x-www-form-urlencoded resource=https://tailspin.onmicrosoft.com/surveys.webapi &client_id=87df91dc-63de-4765-8701-b59cc8bd9e11 &client_assertion=eyJhbGci... &grant_type=authorization_code – Vinod Jul 27 '17 at 16:36
  • If you want to acquire the token from a daemon service, you can use the **Client Credential Flow**. In this flow there are two ways: one is using the secret and the other is using the certificate credentials. For more detail about this flow, please refer to [this link](https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service). – Fei Xue Jul 28 '17 at 05:54
  • Yes, the second case (access token request with a certificate) is more appropriate in my case. But in this case I need to provide client_assertion in POST //oauth2/token, so how can I get this encoded string (client_assertion)? Do you have any C++ sample to get client_assertion? – Vinod Aug 01 '17 at 18:37
  • 1
    I appended a code sample in the post in C# since I'm not familiar with C++. But the process should be the same: use the certificate to sign the JWT token you create, which gives you the client_assertion. For more detail about this process, you can refer to [this link](https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials). – Fei Xue Aug 02 '17 at 02:48
  • 1
    Are there any ways of getting the signed client_assertion JWT without using the C# code or .NET libraries? E.g. if I want to call the Azure AD token URL from Postman, how can I get the signed client_assertion JWT? – MukkuP Aug 04 '20 at 19:18
  • @FeiXue-MSFT the answer was not accepted because it is not clear enough. Tell the steps one by one. Is it possible to create a signed JWT using a web browser? Organizations are secure, and will have different security rules for code and web. So a detailed answer helps –  Jun 13 '21 at 20:41