如何让 MSAL4J 和 azure-security-keyvault-* 协同工作？

Question

I would like to authenticate with MSAL4J and the certificate stored in Azure Key Vault (AKV). The certificate is a self-signed Azure Key Vault certificate.

I could find an example based on a certificate and key stored locally (file system) but not a certificate created and stored in AKV. How to use the certificate, key, and secret objects obtained from azure-security-keyvault-* with MSAL4J?

1. The key from azure-security-keyvault-keys is com.azure.security.keyvault.keys.models.KeyVaultKey , but MSAL4J expects java.security.PrivateKey .
2. How to apply the secret obtained from azure-security-keyvault-secrets to decrypt the private key?

Answer 1

Are you sure it is supported? As far as I know certificated-based authentication is not supported. MSAL uses either public clients or confidential clients.

• https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-flows-app-scenarios#daemon-app-that-calls-a-web-api-in-the-daemons-name
• https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-client-applications

However, I did find this on their wiki: https://github.com/AzureAD/microsoft-authentication-library-for-java/wiki/Client-Credentials

There are two types of client secrets in MSAL4J:

• Application Secrets
• Certificates

You need to instantiate a confidential client application; if you have a certificate:

String PUBLIC_CLIENT_ID;
String AUTHORITY;
PrivateKey PRIVATE_KEY;  
X509Certificate PUBLIC_KEY;

IClientCredential credential = ClientCredentialFactory.createFromCertificate(PRIVATE_KEY, PUBLIC_KEY);
ConfidentialClientApplication app = 
    ConfidentialClientApplication
        .builder(PUBLIC_CLIENT_ID, credential)
        .authority(AUTHORITY)
        .build();

Then acquire a token: https://github.com/AzureAD/microsoft-authentication-library-for-java/wiki/Acquiring-Tokens#confidential-client-applications

https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/src/client/ConfidentialClientApplication.ts
You would need to use: acquireTokenByClientCredential https://azuread.github.io/microsoft-authentication-library-for-js/ref/classes/_azure_msal_node.confidentialclientapplication.html#acquiretokenbyclientcredential

Also see:

• https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/msal4j-sdk/src/integrationtest/java/com.microsoft.aad.msal4j/CertificateHelper.java
• https://learn.microsoft.com/en-us/azure/active-directory/develop/sample-v2-code
• https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow