Make use of the certificate-based authentication scheme for JSON Web Token (JWT)
to securely send and receive emails through Microsoft Graph.
As an alternative to the client secret authentication scheme, your application might use the
certificate-based authentication scheme for JWTs. Certificate-based authentication
uses access token requests with certificates to provide a concise and clear way of
transferring information between the two parties in a JSON object, while also
maintaining an adequate level of security.
In this authentication method, a server grants a self-contained token that contains
authentication information, expiration time information, and other user-defined claims
that are digitally signed. After you obtain a JSON Web Token, you can use that token to
perform actions for which you are authorized on the target server.
Before you begin:
Ensure that you have access to the Java Keytool utility by downloading and
installing a version of Java Runtime Environment (JRE) or Java SDK.
Add and register an application in the Microsoft Azure portal so that you can
integrate the application with the Microsoft identity platform and call
Microsoft Graph. Ensure that you have administrative access to the
application.
Note the client ID and client
secret parameter values of your application.
Generating the JWT keystore and certificate files
Open your preferred terminal tool.
Use the keytool utility to generate the
.jks keystore file by entering the following command in
the command prompt:
In the Client configuration section, in the
Grant type list, select Client
credentials.
Populate the values of the Client Identifier and
Client secret fields.
In the Scope field, provide the degree of access
control for the JWT. For example: read
Note: Consider the following points when
configuring the scope of access control:
If you do not specify the scope in the request, the target
server might return a default scope, something else, or fail
the request.
You can configure the token with multiple access scopes. In
such a case, separate each scope with a space, for example,
read write
In the Endpoint configuration section, in the
Access token endpoint field, enter the URL
that grants the authorization to access the protected resource.
Expand the Advanced configuration section.
In the Authentication scheme list, select
Private Key JSON Web Token.
Select Use JWT generation profile.
In the JWT generation profile field, enter the
name of the token generation profile that you created by following steps
6 through 10.
See the following figure for reference:
Figure: Configuring client authentication scheme for JSON Web Token
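The following check is an added example, not part of the original procedure or of any product code. It decodes the client assertion that the Private Key JSON Web Token scheme sends to the access token endpoint and lists problems with its RFC 7523 claims; the client ID, endpoint URL, 600-second lifetime limit, and sample token are constructed assumptions.

```python
import base64, json, time
# Constructed sample values (assumptions, not taken from the page).
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
TOKEN_ENDPOINT = "https://login.example.test/tenant/oauth2/token"
NOW = 1_700_000_000

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_unsigned_sample(header, claims):
    # Constructed sample only: the third part is a placeholder, not a signature.
    return ".".join([b64url_encode(header), b64url_encode(claims), "c2lnbmF0dXJl"])

def check_client_assertion(jwt, client_id, token_endpoint, now=None, max_lifetime=600):
    """List problems in a client assertion's RFC 7523 claims. The signature is
    not verified here; the authorization server does that with the certificate."""
    now = time.time() if now is None else now
    parts = jwt.split(".")
    if len(parts) != 3 or not all(parts):
        return ["not a signed compact JWT (header.payload.signature)"]
    try:
        header, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except ValueError:
        return ["header or payload is not a base64url-encoded JSON object"]
    problems = []
    alg = str(header.get("alg", "none"))
    if alg.lower() == "none" or alg.startswith("HS"):
        problems.append(f"alg {alg!r} is not an asymmetric signature algorithm")
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        problems.append("iss and sub must both be the client ID")
    aud = claims.get("aud")
    if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not name the access token endpoint")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp is missing or already in the past")
    elif exp - now > max_lifetime:
        problems.append(f"lifetime exceeds {max_lifetime}s, widening the replay window")
    if not claims.get("jti"):
        problems.append("jti is missing, so the server cannot detect replays")
    return problems

GOOD = make_unsigned_sample({"alg": "RS256", "typ": "JWT"}, {"iss": CLIENT_ID,
    "sub": CLIENT_ID, "aud": TOKEN_ENDPOINT, "exp": NOW + 300, "jti": "constructed-1"})
```

An empty list from check_client_assertion means only that the claims are well formed; whether the token is accepted still depends on the signature matching the certificate registered for the application.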
What to do next: Create an email account that references the OAuth 2.0
authentication profile, and then confirm that you configured the integration properly by
testing connectivity. For more information, see Configuring outbound email in Dev Studio.