Skip to main content


         This documentation site is for previous versions. Visit our new documentation site for current releases.      
 

Configuring certificate-based JSON Web Token authentication scheme for Microsoft Graph

Updated on April 6, 2022

Make use of the certificate-based authentication scheme for JSON Web Token (JWT) to securely send and receive emails through Microsoft Graph.

Alternatively to the client secret authentication scheme, your application might use the certificate-based authentication scheme for JWTs. Certificate-based authentication utilizes access token requests with certificates to provide a concise and clear way of transferring information between the two parties in a JSON object, while also maintaining an adequate level of security.

In this authentication method, a server grants a self-contained token which has authentication information, expiration time information, and other user-defined claims that are digitally signed. After you obtain a JSON Web Token, you can use that token to perform actions for which you are authorized on the target server.

Before you begin:
  • Ensure that you have access to the Java Keytool utility by downloading and installing a version of Java Runtime Environment (JRE) or Java SDK.
  • Add and register an application in the Microsoft Azure portal so that you can integrate the application with the Microsoft identity platform and call Microsoft Graph. Ensure that you have administrative access to the application.
  • Note the client ID and client secret parameter values of your application.

    Generating the JWT keystore and certificate files

  1. Open your preferred terminal tool.
  2. Use the keytool utility to generate the .jks keystore file by entering the following command in the command prompt:
    keytool -genkeypair -alias mydomain -keyalg RSA -keystore <keystore_name.jks> -keysize 2048 -storepass "<keystore_password>"
  3. Generate a .cer certificate file by entering the following command in the command prompt:
    keytool -v -export -file MicrosoftAzureSMAPI.cer -keystore <keystore_name.jks> -alias mydomain
  4. Uploading the JWT keystore and certificate files

  5. Upload the certificate file to Microsoft Azure:
    1. Open the Microsoft Azure Portal in a browser window, and then log in with admin credentials.
    2. In the Microsoft Azure Portal, in the Azure Active Directory, search for and open the application that you registered.
    3. In the Certifications & secrets menu, on the Certificates tab, click Upload certificate.
    4. Upload the .cer file that you generated in step 3 by following the on-screen instructions.
    5. After you upload the file, copy and save the value in the Thumbprint column.
    See the following figure for reference:
    Uploading the public key in Microsoft Azure
    The Certificates and secrets menu in the Microsoft Azure Portal where you upload the public key for JWT authentication.
    For more information, see the Microsoft Azure documentation.
  6. In Pega Platform, create a keystore by uploading the .jks file that you generated in step 2.
  7. Configuring a Java Web Token generation profile

  8. In Pega Platform, create an instance of a generation JSON Web Token profile.
  9. In the Headers section, configure the following header parameters:
    NameMap fromMap from key
    x5tConstantThis value is the thumbprint of the certificate that you generated in step 3, converted from the hexadecimal to base64 format.
  10. In the Registered claims section, configure parameters for the following claims:
    NameMap fromMap from key
    Issuer (iss)ConstantThe external ID of your client ID.
    Audience (aud)ConstantYour tenant ID in the following format: https://login.microsoftonline.com/<tenant_ID>/v2.0
    Subject (sub)ConstantThe external ID of your client ID.
  11. In the Custom claims section, configure parameters for the following claims:
    NameMap fromMap from key
    expConstant

    The token expiration time, in the Epoch Unix Timestamp format.

    For example, 1644582019 corresponds to Friday, February 11, 2022, 12:20:19, GMT+0000.

    jtiConstantThe unique JWT ID number.
    Note: The purpose of JWT ID is to revoke previously issued JWTs.
    nbfConstantThe time before which the JWT must not be accepted for processing, in the Epoch Unix Timestamp format.

    For example, to limit access to a resource to one hour, set this parameter to one hour before the token expiration time.

  12. In the Security section, configure the token security settings:
    1. In the Security configuration list, select Signature.
    2. In the Signature type list, select Asymmetric.
    3. In the Signature algorithm field, enter RS256.
    4. In the Keystore field, enter or select the keystore instance that you created in step 5.
    5. In the Alias field, enter or select the alias name of the private key from the keystore that you created in step 5.
    6. In the Password field, enter the keystore password that you created in step 5.
    See the following figure for reference:
    Configuring the JWT security settings
    The Security section of the JWT generation token profile.
  13. Enabling the OAuth 2.0 authentication method for the JWT

  14. Enable single sign-on authentication by creating an OAuth 2.0 profile:
    1. In the Client configuration section, in the Grant type list, select Client credentials.
    2. Populate the values of the Client Identifier and Client secret fields.
    3. In the Scope field, provide the degree of access control for the JWT.
      For example: read
      Note: Consider the following points when configuring the scope of access control:
      • If you do not specify the scope in the request, the target server might return a default scope, something else, or fail the request.
      • You can configure the token with multiple access scopes. In such case, separate each scope with a space, for example, read write
    4. In the Endpoint configuration section, in the Access token endpoint field, enter the URL that grants the authorization to access the protected resource.
    5. Expand the Advanced configuration section.
    6. In the Authentication scheme list, select Private Key JSON Web Token.
    7. Select Use JWT generation profile.
    8. In the JWT generation profile field, enter the name of the token generation profile that you created by following steps 6 through 10.
      See the following figure for reference:
      Configuring client authentication scheme for JSON Web Token
      The Client authentication section in an OAuth 2.0 authentication profile.
What to do next: Create an email account that references the OAuth 2.0 authentication profile, and then confirm that you configured the integration properly by testing connectivity. For more information, see Configuring outbound email in Dev Studio.

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega.com is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us