Azure AD by default uses a certificate to sign an OAuth2 JWT token using an asymmetric algorithm (RS256). Alternatively a JWT token can be signed with a “shared” secret using a symmetric algorithm (HS256). Asymmetric signing algorithm is always more secure in preventing the token to be tampered with compared to a symmetric algorithm since the private key is always kept at the Identity Provider (IDP) and the token consumer…
Read MoreHow to use postman to perform a Client Credentials Grant flow with a certificate
This post will demonstrate a couple of things: How to create a signed jwt token (aka Client Assertion) using Powershell. How to use this generated Client Assertion in Postman to get an Access Token Using Client Credentials Grant Flow. To get an Access Token using Client-Credentials Flow, we can either use a Secret or a Certificate. This post will use a self-signed certificate to create the client assertion using both…
Read More