Application Credentials with Certificate (Sign JWT with Private Key)
Description
Instructions
To use Certificate-Based Authentication Setup please follow the steps listed in [Application Credentials] authentication and once done come back here to finish next stsps.This guide walks you through setting up a certificate-based authentication flow for Microsoft Graph or other Azure AD protected APIs using client credentials and a JWT.
Step 1: Generate a Self-Signed Certificate
You can use OpenSSL or any other way to generate Certificate file but make it simple below example uses PowerShell. Open PowerShell and execute code listed in below steps.
# Run this in PowerShell
#Change .AddYears(1) to desired number. By default it expires certificate in one year as per below code.
$cert = New-SelfSignedCertificate `
-Subject "CN=MyClientAppCert" `
-KeySpec Signature `
-KeyExportPolicy Exportable `
-KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-KeyAlgorithm RSA `
-HashAlgorithm SHA256 `
-NotAfter (Get-Date).AddYears(1) `
-Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"
# Export private key (.pfx) - Keep this with you to make API calls (SECRET KEY - DONOT SHARE)
$pfxPath = "$env:USERPROFILE\Desktop\private_key.pfx"
$pwd = ConvertTo-SecureString -String "yourStrongPassword123" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pwd
# Export public certificate (.cer) - UPLOAD this to Azure Portal
$cerPath = "$env:USERPROFILE\Desktop\public_key.cer"
Export-Certificate -Cert $cert -FilePath $cerPath
Step 2: Register or Configure an App in Azure AD
- Go to https://portal.azure.com
- Navigate to Azure Active Directory > App registrations
- Click + New registration or open an existing app
- Copy the Application (client) ID and Directory (tenant) ID
Step 3: Upload the Certificate
- In your App Registration, go to Certificates & secrets
- Under Certificates, click Upload certificate
- Select the
.cerfile (public certificate) - Click Add
Step 4: Grant API Permissions
- Go to the API permissions tab
- Click Add a permission
- Select Microsoft Graph (or another API)
- Choose Application permissions
- Add scopes such as:
-
Sites.Read.All -
Sites.ReadWrite.All -
Files.Read.All -
Files.ReadWrite.All -
email -
offline_access -
openid -
profile -
User.Read
-
- Click Grant admin consent (requires admin)
Step 5: Use PFX file
Once both files generated perform the following steps to use PFX file., , Use the Certificate file (*.pfx) Now its time to use pfx file generated in the previous step. PFX file contains private key and public key both.- On ZappySys Connection UI Go to
Certificate Tab - Change Storage Mode to Local PFX File (or you can Import PFX file in Certificate Storage - User Store / Machine Store and use that way)
- Supply the pfx file path or select certificate from Local Certificate Store if you imported that way in earlier step
- Supply the certificate password (same password used in earlier PowerShell script)
- Test connection see everything is good
Parameters
| Parameter | Required | Default value | Options | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
Name: TokenUrl
Label: Token URL |
YES |
|
|||||||||
|
Name: ClientId
Label: Client ID |
YES | ||||||||||
|
Name: Certificate Label: Certificate: *** Configure [Client Certificate] Tab *** |
YES |
|
|||||||||
|
Name: SiteId Label: Default Site Id |
YES |
root
|
|||||||||
|
Name: DriveId Label: Default Drive Id |
|||||||||||
|
Name: RetryMode Label: RetryMode |
RetryWhenStatusCodeMatch
|
|
|||||||||
|
Name: RetryStatusCodeList Label: RetryStatusCodeList |
429|503|423
|
||||||||||
|
Name: RetryCountMax Label: RetryCountMax |
5
|
||||||||||
|
Name: RetryMultiplyWaitTime Label: RetryMultiplyWaitTime |
True
|
||||||||||
|
Name: SearchOptionForNonIndexedFields Label: Search Option For Non-Indexed Fields (Default=Blank - Search Only Indexed) |
|
||||||||||
|
Name: ExtraHeaders Label: Extra Headers (e.g. Header1:AAA||Header2:BBB) |
|
||||||||||
|
Name: IsAppCred Label: IsAppCred |
1
|