
I would like to authenticate with MSAL4J and the certificate stored in Azure Key Vault (AKV). The certificate is a self-signed Azure Key Vault certificate.

I could find an example based on a certificate and key stored locally (file system) but not a certificate created and stored in AKV. How to use the certificate, key, and secret objects obtained from azure-security-keyvault-* with MSAL4J?

  1. The key from azure-security-keyvault-keys is com.azure.security.keyvault.keys.models.KeyVaultKey, but MSAL4J expects java.security.PrivateKey.
  2. How to apply the secret obtained from azure-security-keyvault-secrets to decrypt the private key?
Xtonic Chen

1 Answer


Are you sure it is supported? As far as I know, certificate-based authentication is not supported. MSAL uses either public clients or confidential clients.

However, I did find this on their wiki: https://github.com/AzureAD/microsoft-authentication-library-for-java/wiki/Client-Credentials

There are two types of client secrets in MSAL4J:

  • Application Secrets
  • Certificates

You need to instantiate a confidential client application; if you have a certificate:

import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IClientCredential;

String PUBLIC_CLIENT_ID;          // application (client) ID of the app registration
String AUTHORITY;                 // e.g. https://login.microsoftonline.com/<tenant-id>
PrivateKey PRIVATE_KEY;           // private key matching the registered certificate
X509Certificate PUBLIC_KEY;       // the certificate uploaded to the app registration

// The credential signs the client assertion with PRIVATE_KEY; PUBLIC_KEY identifies it to Azure AD.
IClientCredential credential = ClientCredentialFactory.createFromCertificate(PRIVATE_KEY, PUBLIC_KEY);
ConfidentialClientApplication app =
    ConfidentialClientApplication
        .builder(PUBLIC_CLIENT_ID, credential)
        .authority(AUTHORITY)
        .build();

Then acquire a token: https://github.com/AzureAD/microsoft-authentication-library-for-java/wiki/Acquiring-Tokens#confidential-client-applications

https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/src/client/ConfidentialClientApplication.ts
You would need to use: acquireTokenByClientCredential https://azuread.github.io/microsoft-authentication-library-for-js/ref/classes/_azure_msal_node.confidentialclientapplication.html#acquiretokenbyclientcredential

Also see:

Niclas
  • I have the certificate, but it was stored in Key Vault. My problem is how I could turn the certificate (and key) from Azure Key Vault into the type that the confidential client application expects. The tricky part is the private key. It is stored as a secret (not a key) in Key Vault. It is in x-application/pkcs12 format. How can I turn it into java.security.PrivateKey? – Xtonic Chen Feb 01 '23 at 08:52
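The conversion the comment asks about, as an added example that is not code from the question, the answer or the MSAL4J wiki: Key Vault exposes a certificate's private key as a secret of the same name whose value is the base64-encoded PKCS#12 bundle (not password-protected), so it can be loaded into a java.security.KeyStore and handed to ClientCredentialFactory.createFromCertificate. It assumes the certificate policy marks the key as exportable (otherwise the secret holds no private key), that the caller's identity has "get" permission on secrets, and uses placeholder vault, client, tenant and certificate names. Note that this copies the private key out of the vault into process memory; treat that process as holding the credential.

```java
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ClientCredentialParameters;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.IClientCredential;

import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import java.util.Enumeration;

public class KeyVaultCertificateCredential {

    // Fetch the secret that backs the certificate and parse it as a PKCS#12 keystore.
    // Key Vault exports the PFX without a password, hence the empty char[].
    static KeyStore loadPkcs12FromSecret(String vaultUrl, String certificateName) throws Exception {
        SecretClient secrets = new SecretClientBuilder()
                .vaultUrl(vaultUrl)
                .credential(new DefaultAzureCredentialBuilder().build())
                .buildClient();
        byte[] pfx = Base64.getDecoder().decode(secrets.getSecret(certificateName).getValue());
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(pfx), new char[0]);
        return ks;
    }

    // Pick the key entry out of the keystore and build the MSAL4J confidential client.
    static ConfidentialClientApplication buildApp(String clientId, String authority, KeyStore ks) throws Exception {
        String alias = null;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String a = e.nextElement();
            if (ks.isKeyEntry(a)) { alias = a; break; }
        }
        if (alias == null) throw new IllegalStateException("PFX contains no private key; is the key exportable?");
        PrivateKey privateKey = (PrivateKey) ks.getKey(alias, new char[0]);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        IClientCredential credential = ClientCredentialFactory.createFromCertificate(privateKey, cert);
        return ConfidentialClientApplication.builder(clientId, credential).authority(authority).build();
    }

    public static void main(String[] args) throws Exception {  // placeholder names, not real values
        KeyStore ks = loadPkcs12FromSecret("https://<vault-name>.vault.azure.net", "<certificate-name>");
        ConfidentialClientApplication app = buildApp("<client-id>", "https://login.microsoftonline.com/<tenant-id>", ks);
        IAuthenticationResult result = app.acquireToken(
                ClientCredentialParameters.builder(Collections.singleton("https://graph.microsoft.com/.default")).build()).get();
        System.out.println("token acquired, expires " + result.expiresOnDate());
    }
}
```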