Skip to content

Latest commit

 

History

History
 
 

msal-client-credential-certificate

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
services platforms endpoint page_type author level client service languages products description
active-directory
Java
Microsoft identity platform
sample
ramya25
200
Java console daemon app
Microsoft Graph
java
azure
azure-active-directory
java
office-ms-graph
This sample demonstrates how a daemon console app can use a self-signed certificate to get an access token to call Microsoft Graph using MSAL4J.

MSAL Java sample demonstrating how a daemon console application can call Microsoft Graph using its own identity

About this sample

Overview

This app demonstrates how to use the Microsoft identity platform to access the data of Microsoft business customers in a long-running, non-interactive process. It uses the Microsoft Authentication Library (MSAL) for Java to acquire an access token, which it then uses to call Microsoft Graph and accesses organizational data. The sample utilizes the OAuth 2 client credentials grant and a private key/certificate pair to obtain an access token for calls to Microsoft Graph.

Scenario

The console application:

  • Acquires an access token from Azure AD using its own identity (without a user).
  • It then calls the Microsoft Graph /users endpoint to retrieve a list of users, which it then displays on the screen (as a Json blob).

Topology

For more information on the concepts used in this sample, be sure to read the Microsoft identity platform endpoint client credentials protocol documentation.

How to run this sample

To run this sample, you'll need:

Step 1: Clone or download this repository

From your shell or command line:

git clone https://github.com/Azure-Samples/ms-identity-java-daemon.git

or download and extract the repository .zip file.

Step 2: Register the sample with your Azure Active Directory tenant

To register the project, you can:

If you want to use this automation, read the instructions in App Creation Scripts Please note that the configuration of your code (Step 3) still needs to be done manually.

Follow the steps below to manually walk through the steps to register and configure the applications.

Choose the Azure AD tenant where you want to create your applications

As a first step you'll need to:

  1. Sign in to the Azure portal using either a work or school account or a personal Microsoft account.
  2. If your account is present in more than one Azure AD tenant, select your profile at the top right corner in the menu on top of the page, and then switch directory. Change your portal session to the desired Azure AD tenant.
  3. In the portal menu, select the Azure Active Directory service, and then select App registrations.

Register the client app (java-daemon-console)

  1. Navigate to the Microsoft identity platform for developers App registrations page.

  2. Select New registration.

    • In the Name section, enter a meaningful application name that will be displayed to users of the app, for example java-daemon-console.
    • In the Supported account types section, select Accounts in this organizational directory only ({tenant name}).
    • Click Register button at the bottom to create the application.
  3. On the application Overview page, find the Application (client) ID and Directory (tenant) ID values and record it for later. You'll need it to configure the configuration file(s) later in your code.

  4. In the Application menu blade, click on the API permissions in the left to open the page where we add access to the Apis that your application needs.

    • Click the Add a permission button and then,
    • Ensure that the Microsoft APIs tab is selected
    • In the Commonly used Microsoft APIs section, click on Microsoft Graph
    • In the Application permissions section, ensure that the right permissions are checked: User.Read.All
    • Select the Add permissions button at the bottom.
  5. At this stage, the permissions are assigned correctly but since the client app does not allow users to interact, the user's themselves cannot consent to these permissions. To get around this problem, we'd let the tenant administrator consent on behalf of all users in the tenant. Click the Grant admin consent for {tenant} button, and then select Yes when you are asked if you want to grant consent for the requested permissions for all account in the tenant. You need to be the tenant admin to be able to carry out this operation.

Create a private key and certificate

This sample requires a private key in PKCS8 format and a certificate in X509 format.

There are many ways to generate keys and certificates. As one example, below are terminal commands to generate the key and cert using OpenSSL:

Generate the private key in PEM format (used to make the certificate) and create a PKCS8 version (use by the sample application)

  • openssl genrsa -out private_key.pem 2048
  • openssl pkcs8 -topk8 -inform PEM -outform DER -in private_key.pem -nocrypt > pkcs8_key

Generate a certificate using the private key.

  • openssl req -new -key private_key.pem -out cert.csr
    • This first command will ask for a variety of extra information, like company name, country, and a password. None of this is used by the sample, so you can set these values as nothing/anything you want
  • openssl x509 -req -days 365 -in cert.csr -signkey private_key.pem -out cert.crt

Finally, go back to the Azure portalIn the Application menu blade, click on the Certificates & secrets, in the Certificates section, upload the certificate you created.

Step 3: Configure the client app (java-daemon-console) to use your app registration

Open the project in your IDE to configure the code.

In the steps below, "ClientID" is the same as "Application ID" or "AppId" and "Tenant ID" is same as "Directory ID".

  1. Open the msal-client-credential-certificate\src\main\resources\application.properties class
  2. Set the CLIENT_ID property to the application/client ID value you recorded earlier
  3. Replace Tenant_Info_Here in the AUTHORITY property with the directory/tenant ID value you recorded earlier
  4. Set the KEY_PATH property to the path to the private key you generated earlier
  5. Set the CERT_PATH property to the path to the certificate you generated earlier

Step 4: Run the sample

You can test the sample directly by running the main method of ClientCredentialGrant.java from your IDE.

From your shell or command line:

  • $ mvn clean compile assembly:single

This will generate a msal-client-credential-certificate-1.0.0.jar file in your /targets directory. Run this using your Java executable like below:

  • $ java -jar msal-client-credential-certificate-1.0.0.jar

After running, the application should display the list of user in the configured tenant.

About the code

The relevant code for this sample is in the ClientCredentialGrant.java file.

  1. Create the MSAL confidential client application.

    Important note: even if we are building a console application, it is a daemon, and therefore a confidential client application, as it does not access Web APIs on behalf of a user, but on its own application behalf.

       ConfidentialClientApplication app = ConfidentialClientApplication.builder(
                       clientId,
                       ClientCredentialFactory.createFromCertificate(key, cert))
                       .authority(authority)
                       .build();
  2. Define the scopes.

    Specific to client credentials, you don't specify the individual scopes you want to access. You have statically declared them during the application registration step. Therefore the only possible scope is "resource/.default" (here "https://graph.microsoft.com/.default") which means "the static permissions defined in the application"

    // With client credentials flows the scope is ALWAYS of the shape "resource/.default", as the
    // application permissions need to be set statically (in the portal), and then granted by a tenant administrator
    ClientCredentialParameters clientCredentialParam = ClientCredentialParameters.builder(
       Collections.singleton(scope))
       .build();
  3. Acquire the token

    Uses the ConfidentialClientApplication, built with the configured authority/client ID/secret, to acquire an access token

        CompletableFuture<IAuthenticationResult> future = app.acquireToken(clientCredentialParam);
        return future.get();    
  4. Call the API and read result

    In this case calling "https://graph.microsoft.com/v1.0/users" with the access token as a bearer token.

       URL url = new URL("https://graph.microsoft.com/v1.0/users");
       HttpURLConnection conn = (HttpURLConnection) url.openConnection();
    
       //...
    
       try(BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream()))){
    
           String inputLine;
           response = new StringBuilder();
           while (( inputLine = in.readLine()) != null) {
                       response.append(inputLine);
           }
       }
       return response.toString();

Troubleshooting

Did you forget to provide admin consent? This is needed for daemon apps

If you get an Forbidden error when calling the API, this is because the tenant administrator has not granted permissions to the application. Check the steps in Register the client app (daemon-console) above.

Community Help and Support

Use Stack Overflow to get support from the community. Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before. Make sure that your questions or comments are tagged with [msal java].

If you find a bug in the sample, please raise the issue on GitHub Issues.

If you find a bug in msal4j, please raise the issue on MSAL4J GitHub Issues.

To provide a recommendation, visit the following User Voice page.

Contributing

If you'd like to contribute to this sample, see CONTRIBUTING.MD.

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

More information

For more information, see: