
I am using adal4j v1.1.2 to get token based on client certificate.

Snippet referred: Why does AcquireToken with ClientCredential fail with invalid_client (ACS50012)?

import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future;

import com.microsoft.aad.adal4j.AsymmetricKeyCredential;
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;

String AAD_HOST_NAME = "login.windows.net";
String AAD_TENANT_ID = "XXX";
String AAD_TENANT_ENDPOINT = "https://" + AAD_HOST_NAME + "/" + AAD_TENANT_ID + "/";
String AAD_CLIENT_ID = "XXX";
String AAD_RESOURCE_ID = "https://vault.azure.net";
String AAD_CERTIFICATE_PATH = "/XXX.pfx";
String AAD_CERTIFICATE_PASSWORD = "XXX";
String AAD_CLIENT_SECRET = "XXX";

// ExecutorServiceHelper is the poster's own helper; AuthenticationContext accepts any ExecutorService.
ExecutorService service = ExecutorServiceHelper.createThreadPool(1, "azureHSMClientExecutorService-");

// Load the PKCS#12 file and take the private key and certificate stored under its first alias.
KeyStore keystore = KeyStore.getInstance("PKCS12", "SunJSSE");
try (FileInputStream in = new FileInputStream(AAD_CERTIFICATE_PATH)) {
    keystore.load(in, AAD_CERTIFICATE_PASSWORD.toCharArray());
}
String alias = keystore.aliases().nextElement();
PrivateKey key = (PrivateKey) keystore.getKey(alias, AAD_CERTIFICATE_PASSWORD.toCharArray());
X509Certificate cert = (X509Certificate) keystore.getCertificate(alias);

// Client-credential flow: adal4j signs a client assertion JWT with the key and sends it to the tenant endpoint.
AsymmetricKeyCredential asymmetricKeyCredential = AsymmetricKeyCredential.create(AAD_CLIENT_ID, key, cert);
AuthenticationContext ctx = new AuthenticationContext(AAD_TENANT_ENDPOINT, false, service);
Future<AuthenticationResult> result = ctx.acquireToken(AAD_RESOURCE_ID, asymmetricKeyCredential, null);
AuthenticationResult authenticationResult = result.get();
String token = authenticationResult.getAccessToken();

This results in the following auth exception:

AuthenticationException: com.microsoft.aad.adal4j.AuthenticationException: {"error":"invalid_client","error_description":"AADSTS70002: Error validating credentials. AADSTS50027: Invalid JWT token. No certificate thumbprint specified in token header.\r\nTrace ID: 9719e621-d8ef-4194-93cd-a78103d5df6b\r\nCorrelation ID: f0300795-fb99-44b2-bd95-8df3975290be\r\nTimestamp: 2016-08-29 13:51:26Z"}

I'm not sure how to pass the thumbprint while calling acquireToken. Is anything missing here?

YogeshORai
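The AADSTS50027 message refers to the x5t header of the client assertion JWT that adal4j sends as client_assertion: the base64url-encoded SHA-1 thumbprint of the signing certificate's DER bytes, which AAD uses to look up the certificate registered on the app. As an added illustration (not code from the question or from adal4j), this JDK-only class computes the x5t value AAD expects from an X509Certificate and reports whether a given assertion's header carries one; the two assertions and the thumbprint value are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Checks whether a client_assertion JWT carries the x5t header that AAD requires. */
public class ClientAssertionCheck {

    /** x5t = base64url(SHA-1(DER certificate)) without padding; this is the value AAD matches on. */
    static String x5tThumbprint(X509Certificate cert) throws Exception {
        byte[] sha1 = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        return Base64.getUrlEncoder().withoutPadding().encodeToString(sha1);
    }

    /** Decodes the JOSE header (first dot-separated segment) of a compact JWT. */
    static String decodeHeader(String jwt) {
        String segment = jwt.split("\\.", -1)[0];
        return new String(Base64.getUrlDecoder().decode(segment), StandardCharsets.UTF_8);
    }

    /** Returns the x5t value from the header JSON, or null when the header has none. */
    static String headerX5t(String headerJson) {
        Matcher m = Pattern.compile("\"x5t\"\\s*:\\s*\"([^\"]*)\"").matcher(headerJson);
        return m.find() ? m.group(1) : null;
    }

    public static void main(String[] args) {
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        // Constructed headers in the shape of a client credential assertion; the payload and
        // signature segments are dummies because only the header is inspected here.
        String missing = b64.encodeToString(
            "{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String present = b64.encodeToString(
            "{\"alg\":\"RS256\",\"typ\":\"JWT\",\"x5t\":\"EXAMPLE-THUMBPRINT\"}".getBytes(StandardCharsets.UTF_8));
        for (String jwt : new String[] { missing + ".e30.sig", present + ".e30.sig" }) {
            String x5t = headerX5t(decodeHeader(jwt));
            System.out.println(x5t == null
                ? "header lacks x5t -> AAD answers AADSTS50027 (no certificate thumbprint in token header)"
                : "header x5t=" + x5t + " -> compare with x5tThumbprint(cert) of the registered certificate");
        }
    }
}
```

To inspect a real assertion, capture the client_assertion form field adal4j posts to the token endpoint (for instance with a debugging proxy) and pass it to decodeHeader; a mismatch between headerX5t and x5tThumbprint of the certificate uploaded to the app registration is the other common cause of this error family.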

1 Answer

According to your code, it seems that you want to authenticate with the Azure Service Management API using a certificate, but the code for getting the access token seems to authenticate using Azure AD. You can refer to the article Authenticating Service Management Requests to know their differences.

As a reference, there is a blog which introduces how to consume the Windows Azure Service Management API with a certificate in Java.

However, per my experience, according to the code String AAD_RESOURCE_ID = "https://vault.azure.net"; , it also seems that you want to do some management operations for Azure Key Vault. Within the REST API reference for Azure Key Vault Management, you should get the access token with Azure Resource Manager to do those operations. So if you want to manage Key Vault, please refer to the other blog to know how to authenticate with ARM in Java.

Hope it helps.

Update:

The AAD_RESOURCE_ID for Key Vault should be like /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.KeyVault/vaults/{vault-name}; please refer to the article https://msdn.microsoft.com/en-us/library/azure/mt620025.aspx and search for the keyword resource id, as shown in the figure below.

And you can get the resource id via the Azure CLI command azure keyvault show --vault-name <your-keyvault-name>.

Peter Pan