Use pfx certificate to get Microsoft Entra token - Error: secretOrPrivateKey must be an asymmetric key when using RS256
I tried different ways to get an Azure AD token using a pfx certificate. But the code below is persistently returning this error: Error: secretOrPrivateKey must be an asymmetric key when using RS256
I also tried using @azure/keyvault-certificates and azure/identity, then genrating .pem files with open ssl, and in that case I also get the same error.
const axios = require('axios');
const fs = require('fs');
const path = require('path');
const https = require('https');
const qs = require('querystring');
const jwt = require('jsonwebtoken');
const certPath = path.join(__dirname, 'certificate.pfx');
const certBuffer = fs.readFileSync(certPath);
const tokenEndpoint = 'https://login.microsoftonline.com/my-tenant-id/oauth2/token';
const clientId = 'my-app-id';
const tokenPayload = {
aud: tokenEndpoint,
iss: clientId,
sub: clientId,
jti: Math.random().toString(36).substring(7),
nbf: Math.floor(Date.now() / 1000),
exp: Math.floor(Date.now() / 1000) + 3600,
};
const tokenOptions = {
algorithm: 'RS256',
};
const clientAssertion = jwt.sign(tokenPayload, certBuffer, tokenOptions);
console.log('Client Assertion:', clientAssertion);
const postData = {
grant_type: 'client_credentials',
client_id: clientId,
resource: 'resource',
client_assertion: clientAssertion,
client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
};
const axiosConfig = {
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
},
httpsAgent: new https.Agent({
pfx: certBuffer,
passphrase: '',
rejectUnauthorized: true,
}),
};
async function getToken() {
try {
const response = await axios.post(tokenEndpoint, qs.stringify(postData), axiosConfig);
const token = response.data.access_token;
console.log('Token:', token);
return token;
} catch (error) {
console.error('Error:', error.message);
if (error.response) {
console.error('Error response from Azure AD:', error.response.data);
}
throw error;
}
}
getToken().then(token => {
console.log('Token:', token);
}).catch(err => {
console.error('Failed to obtain token:', err);
});
Solution
In my case, I ran below OpenSSL commands to create private key and certificate like this:
openssl genrsa -out sridemo.pem 2048
openssl req -new -key sridemo.pem -out sridemo.csr
openssl x509 -req -days 365 -in sridemo.csr -signkey sridemo.pem -out sridemo.crt
Response:
Make sure to upload sridemo.crt file to your Entra ID app registration and note thumbprint value:
To generate Microsoft Entra token using certificate, I used @azure/msal-node with below sample code:
const fs = require('fs');
const msal = require('@azure/msal-node');
const tenantId = 'tenant_id';
const clientId = 'appId';
const authority = `https://login.microsoftonline.com/${tenantId}`;
const certPath = 'path/to/your/certificate.pem';
const certThumbprint = 'cert_thumbprint';
const scope = 'https://graph.microsoft.com/.default';
// Read the certificate
const privateKey = fs.readFileSync(certPath, 'utf8');
const confidentialClientConfig = {
auth: {
clientId: clientId,
authority: authority,
clientCertificate: {
thumbprint: certThumbprint,
privateKey: privateKey,
},
},
};
const cca = new msal.ConfidentialClientApplication(confidentialClientConfig);
// Acquire a token
async function getToken() {
try {
const tokenResponse = await cca.acquireTokenByClientCredential({
scopes: [scope],
});
console.log('Access Token:', tokenResponse.accessToken);
} catch (error) {
console.error('Error acquiring token:', error);
}
}
getToken();
Response:
To confirm that, you can decode the token in jwt.ms and check claims as below:
Reference:
MSAL NODE · AzureAD/microsoft-authentication-library-for-js (github.com)
- Is it possible to pull css values with HTA javascript?
- What a strange syntax?
- JavaScript / Jest: How to show logs from test case only when test fails?
- How to secure my login page
- How can I create a two-way mapping in JavaScript, or some other way to swap out values?
- Route "/[locale]" used `params.locale`. `params` should be awaited before using its properties
- Page.locator() is the recommended way to select and interact with elements. Why does it offer less functionalities than Page.$()?
- How to filter object array based on attributes?
- How do you convert from emoji to unicode escapes in JS
- How to simulate a mouse click?
- Is it possible to add a single item to a vis.js timeline?
- How to ensure order of Cypress request execution
- Jquery Ajax Problem
- Can I run a function after navigating to a new page and waiting for that page to finish loading?
- Cannot start cocos after adding a new file
- Active link with React-Router?
- Is there a way to schedule offline notifications in a pwa?
- How to get the grid coordinates of an element using JavaScript?
- Bootstrap popper.js Failed to find a valid digest in the 'integrity' attribute for resource
- LeafLet map doesnt render properly on modal
- Create object from array
- How to ignore lines of code from coverage in vitest?
- How to manage CORS in Django
- How can I get an element's Accessible Name in javascript in the browser?
- TypeError: fs.readFileSync is not a function in Next.js
- Show hide divs on click in HTML and CSS without jQuery
- If an IIFE contains just one variable declaration that is immediately exported to global scope, why bother with it?
- Need explanation on following type of Javascript code
- What does an array literal with the `for` keyword inside mean in JavaScript?
- How to call a function every minute in a React component?