I was trying to obtain a JWT token from Microsoft Azure Active Directory using certificate credentials for application authentication. I am using the customKeyIdentifier value as x5t while generating the JWT token.
There are two ways to create the app
1) App Registrations(Legacy)
2) App Registrations
After creating the app test-app-13 from either of the above two places, I uploaded the same public certificate file from the two paths below to get the customKeyIdentifier.
1) AzureActiveDirectory-> AppRegistrations(Legacy) -> test-app-13->Settings->Keys->Upload public key
header = {
"alg": "RS256",
"typ": "JWT",
"x5t": "oO/ImH7U2wcypCvrY+iYalHOOmg="
};
When I am using "x5t": "oO/ImH7U2wcypCvrY+iYalHOOmg=" then authentication works.
2) AzureActiveDirectory-> AppRegistrations -> test-app-13-> Certificates & secrets -> Upload certificate
header = {
"alg": "RS256",
"typ": "JWT",
"x5t": "A0EFC8987ED4DB0732A42BEB63E8986A51CE3A68"
};
But when I am using "x5t": "A0EFC8987ED4DB0732A42BEB63E8986A51CE3A68" then I keep getting error
{
"error":"invalid_client",
"error_description":"AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: '0341050BCF7CEC40F80C1D3BDF6038D81101EB713CF7CE80E75084DC0EBC', Please visit 'https://developer.microsoft.com/en-us/graph/graph-explorer' and query for 'https://graph.microsoft.com/beta/applications/2e452b20-df6d-4228-83c6-5742b1a8f59c' to see configured keys]\r\nTrace ID: 0a77a624-684d-4145-9ce5-d19e1b6ccb00\r\nCorrelation ID: 09254eb4-6128-4e18-abf6-70b5e9a68960\r\nTimestamp: 2019-05-09 12:39:29Z",
"error_codes":[700027],
"timestamp":"2019-05-09 12:39:29Z",
"trace_id":"0a77a624-684d-4145-9ce5-d19e1b6ccb00",
"correlation_id":"09254eb4-6128-4e18-abf6-70b5e9a68960"
}
My question is why "x5t": "A0EFC8987ED4DB0732A42BEB63E8986A51CE3A68" is not working when uploading the public certificate from the path AzureActiveDirectory-> AppRegistrations -> test-app-13->Settings-> Certificates & secrets -> Upload certificate, and why the value of customKeyIdentifier is generated differently in these two places?
The two values you reference are the same; try running this hex2base64 on them.
One is base64 encoded oO/ImH7U2wcypCvrY+iYalHOOmg=
and the other a hexadecimal representation A0EFC8987ED4DB0732A42BEB63E8986A51CE3A68
It appears that the graph service only supports the value when base64 encoded.
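To make the answer concrete, here is an added Python example (not part of the question or the answer) that works only with the values quoted in the question. It shows that the hex thumbprint from the "Certificates & secrets" blade and the base64 value from the legacy blade are the same 20 SHA-1 bytes, produces the base64url form that RFC 7515 defines for the x5t header, and reproduces the thumbprint Azure AD reports in the AADSTS700027 error: that 60-hex-character value is exactly what you get by base64-decoding the 40-character hex string itself, which is what happens when the hex string is placed in x5t unchanged. The function names are my own.

```python
import base64
import binascii

# Values copied from the question: one certificate thumbprint shown two ways.
LEGACY_X5T = "oO/ImH7U2wcypCvrY+iYalHOOmg="                   # base64, App Registrations (Legacy)
HEX_THUMBPRINT = "A0EFC8987ED4DB0732A42BEB63E8986A51CE3A68"   # hex, Certificates & secrets
# Thumbprint Azure AD reported in the AADSTS700027 error quoted in the question.
REPORTED_BY_AAD = "0341050BCF7CEC40F80C1D3BDF6038D81101EB713CF7CE80E75084DC0EBC"


def hex_to_base64(hex_thumbprint: str) -> str:
    """Standard base64 (with '=' padding) of the raw SHA-1 thumbprint bytes."""
    return base64.b64encode(binascii.unhexlify(hex_thumbprint)).decode("ascii")


def hex_to_x5t(hex_thumbprint: str) -> str:
    """x5t as RFC 7515 defines it: base64url of the raw thumbprint bytes, no padding."""
    raw = binascii.unhexlify(hex_thumbprint)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def x5t_to_hex(x5t: str) -> str:
    """Decode an x5t (base64 or base64url, padded or not) back to upper-case hex."""
    std = x5t.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)          # restore padding if it was stripped
    return base64.b64decode(std).hex().upper()


def thumbprint_when_hex_is_misread_as_base64(hex_thumbprint: str) -> str:
    """What a server sees when it base64-decodes the ASCII hex string itself.

    Every hex digit is also a valid base64 character, and 40 is a multiple of 4,
    so the decode succeeds silently and yields 30 unrelated bytes instead of 20.
    """
    return base64.b64decode(hex_thumbprint).hex().upper()


def check_question_values() -> dict:
    """Summarise what the question's values show."""
    return {
        "same_key": hex_to_base64(HEX_THUMBPRINT) == LEGACY_X5T,
        "rfc7515_x5t": hex_to_x5t(HEX_THUMBPRINT),
        "hex_misread_as_base64": thumbprint_when_hex_is_misread_as_base64(HEX_THUMBPRINT),
        "misread_matches_error": thumbprint_when_hex_is_misread_as_base64(HEX_THUMBPRINT) == REPORTED_BY_AAD,
    }


if __name__ == "__main__":
    for name, value in check_question_values().items():
        print(f"{name}: {value}")
```

The question shows Azure AD accepting the padded standard-base64 form; `hex_to_x5t` emits the base64url form from RFC 7515, and `x5t_to_hex` accepts either, so the portal's hex thumbprint can be compared against whatever a client put in its header.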