吳文喬

Reputation: 171

Did New-AzureADApplicationKeyCredential double base64 encode for CustomKeyIdentifier and Value?

I am using New-AzureADApplicationKeyCredential to create a KeyCredential for an application (see the cmdlet documentation).

First, I base64 encode the thumbprint:

$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cer.Import("C:\Users\PFuller\Desktop\abc.cer")
...
$bin = $cer.GetCertHash()                                   # raw thumbprint bytes
$base64Thumbprint = [System.Convert]::ToBase64String($bin)  # encoded once
...
New-AzureADApplicationKeyCredential -ObjectId <id> `
                                    -CustomKeyIdentifier $base64Thumbprint `
                                    -Type AsymmetricX509Cert `
                                    -Usage Verify -Value $base64Value

But the result in the AAD manifest is double base64 encoded:

"keyCredentials": [
        {
            "customKeyIdentifier": "base64(base64Thumbprint)",
            ...
        }
    ],

According to the Microsoft identity platform application authentication certificate credentials documentation:

The customKeyIdentifier should only be base64 encoded once and stored in the manifest's keyCredentials.

Did I misuse this cmdlet, or is something wrong here? Because after I changed the manifest to base64 encoded once, everything works properly.

Thanks for help.

Upvotes: 0

Views: 375

Answers (1)

Allen Wu

Reputation: 16438

Based on my test, both customKeyIdentifier and value are double base64 encoded when we create a KeyCredential for an application using New-AzureADApplicationKeyCredential.

After that, I used the following code to get the access token with this cert:

using Microsoft.Identity.Client;

// cer is the X509Certificate2 (with private key) whose public certificate was registered above
var app = ConfidentialClientApplicationBuilder.Create("{clientId}")
               .WithAuthority(AzureCloudInstance.AzurePublic, "{tenantId}")
               .WithCertificate(cer)
               .Build();
var result = await app.AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" }).ExecuteAsync();
Console.WriteLine(result.AccessToken);

I found that we can successfully get the access token with the correct roles.

So I think New-AzureADApplicationKeyCredential base64 encodes customKeyIdentifier and value a second time. But it also handles them correctly when we use the X509Certificate to get an access token.

Upvotes: 1
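A check for the symptom described in the question and confirmed in the answer, as an added example that is not code from either post: given a keyCredentials entry and the certificate's DER bytes, it reports whether customKeyIdentifier and value are base64 encoded once or twice, and produces a single-encoded copy. The certificate bytes and the manifest entry are constructed placeholders; the thumbprint is computed as SHA-1 over the DER, which is what GetCertHash() returns.

```python
import base64
import hashlib

# Constructed stand-in for a certificate's DER bytes (not a real certificate);
# the thumbprint is SHA-1 over the DER, which is what GetCertHash() returns.
CERT_DER = b"constructed DER placeholder for abc.cer"


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def thumbprint_bytes(cert_der: bytes) -> bytes:
    """Raw hash bytes, equivalent to X509Certificate2.GetCertHash()."""
    return hashlib.sha1(cert_der).digest()


def classify_encoding(stored: str, raw: bytes) -> str:
    """'single' if stored == base64(raw), 'double' if stored == base64(base64(raw)),
    otherwise 'mismatch' (wrong certificate or an unexpected transformation)."""
    once = b64(raw)
    if stored == once:
        return "single"
    if stored == b64(once.encode("ascii")):
        return "double"
    return "mismatch"


def check_key_credential(cred: dict, cert_der: bytes) -> dict:
    """Check both fields of one keyCredentials entry against the certificate."""
    return {
        "customKeyIdentifier": classify_encoding(cred["customKeyIdentifier"], thumbprint_bytes(cert_der)),
        "value": classify_encoding(cred["value"], cert_der),
    }


def normalize_key_credential(cred: dict, cert_der: bytes) -> dict:
    """Copy of the entry with both fields base64 encoded exactly once."""
    fixed = dict(cred)
    fixed["customKeyIdentifier"] = b64(thumbprint_bytes(cert_der))
    fixed["value"] = b64(cert_der)
    return fixed


# Constructed manifest entry reproducing the symptom in the question: both
# fields were base64 encoded a second time on their way into the manifest.
DOUBLE_ENCODED_CRED = {
    "customKeyIdentifier": b64(b64(thumbprint_bytes(CERT_DER)).encode("ascii")),
    "type": "AsymmetricX509Cert",
    "usage": "Verify",
    "value": b64(b64(CERT_DER).encode("ascii")),
}
```

Running check_key_credential on an entry exported from the manifest tells you which of the two states it is in before you decide whether to rewrite it.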
