I was trying to obtain a JWT token from Microsoft Azure Active Directory using certificate credentials for application authentication.
I am stuck at figuring out the value of "x5t".
I have tried with
But I keep getting the below error when I send the request to the MSA login endpoint:
{
"error": "invalid_client",
"error_description": "AADSTS70002: Error validating credentials. AADSTS50012: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: '6F67F76B96F6FBBDF9D3EE1DDF7F9A7B877EE9C75DEDBD3DE9C7FB', Configured keys: [Key0:Start=06/01/2018, End=12/31/2099, Thumbprint=6WGktXA64QmA9TPv;Key1:Start=06/01/2018, End=12/31/2099, Thumbprint=rD9Q10sR6Q6ZkDVw;]]\r\nTrace ID: d9e3e276-e878-4b8a-b08b-10c82a0b0600\r\nCorrelation ID: 48ec889d-2376-45a6-9bf0-01b22b0e0c17\r\nTimestamp: 2018-06-01 09:38:24Z",
"error_codes": [
70002,
50012
],
"timestamp": "2018-06-01 09:38:24Z",
"trace_id": "d9e3e276-e878-4b8a-b08b-10c82a0b0600",
"correlation_id": "48ec889d-2376-45a6-9bf0-01b22b0e0c17"
}
How do I obtain the value for "x5t"?
x5t: x5t is the X509 certificate's thumbprint, that is, of the certificate whose private key was used to sign the JWT.
kid: kid is the key id, indicating which key was used to sign the JWT token.
I found this site and this one invaluable for solving the x5t issue. The easiest way to do it is to manually get the fingerprint:
echo $(openssl x509 -in your.cert.pem -fingerprint -noout) | sed 's/SHA1 Fingerprint=//g' | sed 's/://g' | xxd -r -ps | base64
The value from the above command is the value you put in the x5t field in the JWT. Prior to that I was getting an invalid fingerprint error from Azure.
If you're using Ruby you can follow this answer to get:
require 'openssl'
require 'base64'
require 'jwt' # ruby-jwt gem
p12 = OpenSSL::PKCS12.new(File.read(CERT_FILE), '') # CERT_FILE: path to your .pfx/.p12
x509_sha1_thumbprint = Base64.encode64(OpenSSL::Digest::SHA1.new(p12.certificate.to_der).to_s.upcase.scan(/../).map(&:hex).pack("c*")).strip # SHA-1 of the DER certificate, as raw bytes, then base64
jwt_token = JWT.encode payload, p12.key, 'RS256', { typ: 'JWT', x5t: x509_sha1_thumbprint } # payload: your client-assertion claims
The x5t should be the X509 certificate's SHA-1 thumbprint, base64url-encoded:
4.1.7. "x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter
The "x5t" (X.509 certificate SHA-1 thumbprint) Header Parameter is a base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate [RFC5280] corresponding to the key used to digitally sign the JWS. Note that certificate thumbprints are also sometimes known as certificate fingerprints. Use of this Header Parameter is OPTIONAL.
Source: RFC7515 — https://www.rfc-editor.org/rfc/rfc7515#section-4.1.7
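As an added example (not code from any of the answers above, nor from Azure or the ruby-jwt gem), the Ruby below computes x5t exactly as RFC 7515 section 4.1.7 describes (base64url, no padding, of SHA-1 over the DER certificate, so no '+', '/', '=' or newline, unlike Base64.encode64 in the Ruby answer), builds an RS256 client assertion that carries it in the header, and checks an assertion against the certificate an app registration would hold. The self-signed certificate is generated inline; the client id and token URL are placeholders.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# RFC 7515 base64url: URL-safe alphabet, padding removed.
def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# x5t = base64url(SHA-1(DER-encoded certificate)); a thumbprint of the
# certificate itself, not of the key and not of the PEM text.
def x5t_for(cert)
  b64url(OpenSSL::Digest::SHA1.digest(cert.to_der))
end

# Signed client-assertion JWT (RS256) with x5t in the header, in the shape
# the certificate-credential flow expects. Claim values are the caller's.
def client_assertion(cert, key, token_url, client_id, now: Time.now.to_i)
  header  = { alg: 'RS256', typ: 'JWT', x5t: x5t_for(cert) }
  payload = { aud: token_url, iss: client_id, sub: client_id,
              jti: SecureRandom.uuid, nbf: now, exp: now + 600 }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  signature = key.sign(OpenSSL::Digest::SHA256.new, signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Server-side view: false when the header's x5t does not name this cert
# (the "key was not found" case in the question) or the signature fails.
def assertion_matches_cert?(jwt, cert)
  h, p, s = jwt.split('.')
  header = JSON.parse(Base64.urlsafe_decode64(h))
  return false unless header['x5t'] == x5t_for(cert)
  cert.public_key.verify(OpenSSL::Digest::SHA256.new, Base64.urlsafe_decode64(s), "#{h}.#{p}")
end

# Constructed self-signed certificate standing in for the registered one.
def demo_cert_and_key
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=demo-app')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end
```

A 20-byte SHA-1 thumbprint always yields a 27-character x5t; the hex form that openssl prints (and that appears in the error message) is the same digest before base64url encoding.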