Configuring certificate-based JSON Web Token authentication scheme for Microsoft Graph
Make use of the certificate-based authentication scheme for JSON Web Token (JWT) to securely send and receive emails through Microsoft Graph.
As an alternative to the client secret authentication scheme, your application can use the certificate-based authentication scheme for JWTs. With certificate-based authentication, the access token request carries a JWT that is signed with the private key of a certificate, which gives a compact and unambiguous way of transferring information between the two parties in a JSON object while maintaining an adequate level of security.
In this authentication method, a server grants a self-contained token that carries authentication information, an expiration time, and other user-defined claims, all digitally signed. After you obtain a JSON Web Token, you use that token to perform the actions that you are authorized to perform on the target server.
1. Open your preferred terminal tool.
2. Use the keytool utility to generate the .jks keystore file by entering the following command in the command prompt:

       keytool -genkeypair -alias mydomain -keyalg RSA -keystore <keystore_name.jks> -keysize 2048 -storepass "<keystore_password>"

3. Generate a .cer certificate file by entering the following command in the command prompt:

       keytool -v -export -file MicrosoftAzureSMAPI.cer -keystore <keystore_name.jks> -alias mydomain

4. Upload the certificate file to Microsoft Azure:
   - Open the Microsoft Azure Portal in a browser window, and then log in with admin credentials.
   - In the Microsoft Azure Portal, in Azure Active Directory, search for and open the application that you registered.
   - In the Certificates & secrets menu, on the Certificates tab, click Upload certificate.
   - Upload the .cer file that you generated in step 3 by following the on-screen instructions.
   - After you upload the file, copy and save the value in the Thumbprint column.

   See the following figure for reference. For more information, see the Microsoft Azure documentation.
5. In Pega Platform, create a keystore by uploading the .jks file that you generated in step 2.
   For more information, see Configuring a keystore by uploading a file.
6. In Pega Platform, create an instance of a generation JSON Web Token profile.
   For more information, see Creating a generation JSON Web Token profile.
7. In the Headers section, configure the following header parameter:

   | Name | Map from | Map from key |
   |------|----------|--------------|
   | x5t  | Constant | The thumbprint of the certificate that you generated in step 3, converted from hexadecimal to base64 format (the thumbprint bytes are base64-encoded, not the hexadecimal text). |

8. In the Registered claims section, configure parameters for the following claims:

   | Name           | Map from | Map from key |
   |----------------|----------|--------------|
   | Issuer (iss)   | Constant | The external ID of your client ID. |
   | Audience (aud) | Constant | Your tenant ID in the following format: https://login.microsoftonline.com/<tenant_ID>/v2.0 |
   | Subject (sub)  | Constant | The external ID of your client ID. |

9. In the Custom claims section, configure parameters for the following claims:

   | Name | Map from | Map from key |
   |------|----------|--------------|
   | exp  | Constant | The token expiration time, in the Epoch Unix Timestamp format. For example, 1644582019 corresponds to Friday, February 11, 2022, 12:20:19, GMT+0000. |
   | jti  | Constant | The unique JWT ID number. |
   | nbf  | Constant | The time before which the JWT must not be accepted for processing, in the Epoch Unix Timestamp format. For example, to limit access to a resource to one hour, set this parameter to one hour before the token expiration time. |

10. In the Security section, configure the token security settings:
    - In the Security configuration list, select Signature.
    - In the Signature type list, select Asymmetric.
    - In the Signature algorithm field, enter RS256.
    - In the Keystore field, enter or select the keystore instance that you created in step 5.
    - In the Alias field, enter or select the alias name of the private key from the keystore that you created in step 5.
    - In the Password field, enter the keystore password that you created in step 5.

    See the following figure for reference.
11. Enable single sign-on authentication by creating an OAuth 2.0 profile. For more information, see Configuring an OAuth 2.0 authentication profile.
    - In the Client configuration section, in the Grant type list, select Client credentials.
    - Populate the values of the Client Identifier and Client secret fields.
    - In the Scope field, provide the degree of access control for the JWT.
    - In the Endpoint configuration section, in the Access token endpoint field, enter the URL that grants the authorization to access the protected resource.
    - Expand the Advanced configuration section.
    - In the Authentication scheme list, select Private Key JSON Web Token.
    - Select Use JWT generation profile.
    - In the JWT generation profile field, enter the name of the token generation profile that you created by following steps 6 through 10.

    See the following figure for reference.
[Figure: Generating the JWT keystore and certificate files]
[Figure: Uploading the JWT keystore and certificate files]
[Figure: Configuring a JSON Web Token generation profile]
[Figure: Enabling the OAuth 2.0 authentication method for the JWT]
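To make concrete what steps 7 through 9 produce, the following is an added Python example (not Pega's or Microsoft's code) that converts the hexadecimal thumbprint copied from the Azure portal into the base64url x5t header value, lays out the iss, sub, aud, jti, nbf and exp claims exactly as the profile tables do, and assembles the unsigned header.payload string that the RS256 signature from step 10 covers. The thumbprint, client ID, tenant ID and jti values are constructed samples.

```python
import base64
import json


def x5t_from_thumbprint(thumbprint_hex: str) -> str:
    """The Azure portal shows the certificate thumbprint as SHA-1 hex.
    The x5t header must carry the base64url encoding of those raw 20 bytes,
    not of the hexadecimal text, so decode the hex first."""
    raw = bytes.fromhex(thumbprint_hex.replace(":", "").replace(" ", ""))
    if len(raw) != 20:
        raise ValueError("SHA-1 thumbprint must decode to exactly 20 bytes")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_json(obj: dict) -> str:
    """Compact JSON encoded as unpadded base64url, as each JWT segment requires."""
    data = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_assertion_parts(thumbprint_hex, client_id, tenant_id, jti, exp, lifetime=3600):
    """Assemble the header and claims from the profile tables and return them
    together with the signing input (header.payload). The RS256 signature over
    this string is what the keystore's private key produces in step 10."""
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t_from_thumbprint(thumbprint_hex)}
    claims = {
        "iss": client_id,                                            # Issuer
        "sub": client_id,                                            # Subject
        "aud": f"https://login.microsoftonline.com/{tenant_id}/v2.0",  # Audience
        "jti": jti,                                                  # unique JWT ID
        "nbf": exp - lifetime,  # one hour before expiry, as in the nbf example
        "exp": exp,
    }
    return header, claims, f"{b64url_json(header)}.{b64url_json(claims)}"


def claims_valid_at(claims: dict, now: int, tenant_id: str) -> bool:
    """Local sanity check mirroring the time-window and audience checks a
    verifier performs: the token is usable only between nbf and exp."""
    expected_aud = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    return claims["nbf"] <= now < claims["exp"] and claims["aud"] == expected_aud


if __name__ == "__main__":
    # Constructed sample values; not a real tenant, application or certificate.
    thumb = "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67"
    exp = 1644582019  # Friday, February 11, 2022, 12:20:19 GMT, as in the exp row
    header, claims, signing_input = build_assertion_parts(
        thumb, "00000000-0000-0000-0000-000000000000", "constructed-tenant-id",
        "constructed-jti-0001", exp)
    print(header["x5t"], claims["nbf"], signing_input[:40] + "...")
```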