Use CAI to Get an OAuth Token from Microsoft Azure AD Using OAuth 2.0 Client Credentials Grant Flow (X509 Certificate or Shared Secret)

Version 1

    In this document, we will create a Cloud Application Integration service connector to Microsoft Azure to get an OAuth bearer token, which can then be used to call Azure services.




    In this document, you learn how to use a Cloud Application Integration service connector to retrieve an OAuth bearer token from Microsoft Azure using OAuth 2.0 Client Credentials Grant Flow. You use either shared secrets or private certificates. This connector is typically used in service (CAI) to service (Azure) calls.



    Before you create a service connector to Microsoft Azure, you must perform the following tasks:

    1. Set up a keystore on a machine where a Secure Agent is installed. The keystore should contain the certificate chain (self-signed or signed by a CA) and the private key in JKS format or PKCS12 format. This file must have a .jks or .p12 extension. Make note of the keystore file path, the entry name/alias, and the credentials needed to access the keystore and the key entry. The public certificate should also be exported or made available so that you can upload it into Azure. Make note of the public certificate’s SHA1 fingerprint. (You can also get this value from Azure.)
    2. Register an application in your Microsoft Azure account. The application must have an Application ID, highlighted in the image below:




    3. Upload the public key in the .cer format so that you can retrieve the thumbprint (SHA1 fingerprint) exposed by the Microsoft Azure application UI, to be used later in the CAI connection.



    Keep the following connection properties handy for when you create a connection to Microsoft Azure:

    • Resource: The application resource URI or the App ID URI. See Azure Portal->Active Directory->App Registrations->[App]->Settings->Properties (as given above).
    • Azure_Tenant_ID: The Azure Tenant ID or the Active Directory ID found in Azure Portal -> Azure AD -> Properties.
    • Client_ID: The Azure AD application ID of the calling web service. This is the App ID found in Azure Portal->Active Directory->App Registrations (see the application registration step above).
    • Client_Secret: This is required only for getting access tokens with a shared secret. See Azure Portal->Active Directory->App Registrations->[App]->Settings->Keys - Passwords. Note: Leave this blank if you are using certificates as your credential.
    • Keystore_File: The file path to the keystore file on the Secure Agent containing the certificate chain and private key in JKS format or PKCS12 format. Required when getting an access token using an X.509 certificate. This file must have a .jks or .p12 extension.
    • Key_Password: The password needed to access the key. Required when using certificate-based authentication. If the key password and the keystore file password are different, specify the keystore password below.
    • SHA1_Fingerprint: The SHA-1 fingerprint of the certificate. This consists of 40 hex characters, commonly displayed as 20 pairs of hex characters (1 byte each) separated by colons. Required when getting an access token using an X.509 certificate. Get the SHA-1 fingerprint from Azure Portal->Active Directory->App Registrations->[App]->Settings->Keys - Public Keys Thumbprints. See the certificate upload step above.
    • Token_Duration_Secs: The duration (in seconds) of the JSON Web Token. This is used to calculate the expiration date of the JWT generated with certificates.
    • Keystore_Password: Password for the keystore file if different from the key password. This password is used to open the keystore.
    • Keystore_Alias: Entry name or alias of the key entry. Required if there is more than one entry in the keystore file.
    • Keystore_Type: Enter JKS (default) or PKCS12 (for .p12 files). This property is optional.
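
    How SHA1_Fingerprint and Token_Duration_Secs feed the certificate flow, as an added Python example that is not the attached connector's own code: it converts the colon-separated fingerprint into the JWT x5t header value and builds the unsigned header.payload of the client assertion. The function names, the placeholder tenant and client IDs, the sample fingerprint, and the Azure AD v1 token endpoint used as the audience are assumptions; the RS256 signature with the keystore's private key is left to whichever signer holds that key.

```python
import base64, json, re, time, uuid

ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def fingerprint_to_x5t(sha1_fingerprint: str) -> str:
    """Turn 'AB:CD:...' (or bare hex) into the JWT 'x5t' header value."""
    hex_digits = re.sub(r"[:\s-]", "", sha1_fingerprint)
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", hex_digits):
        raise ValueError("SHA-1 fingerprint must be exactly 40 hex characters")
    # x5t encodes the 20 raw digest bytes, not the hex text.
    return b64url(bytes.fromhex(hex_digits))

def build_signing_input(tenant_id, client_id, sha1_fingerprint, duration_secs, now=None):
    """Return (header.payload string to be signed with RS256, claims dict)."""
    if duration_secs <= 0:
        raise ValueError("Token_Duration_Secs must be positive")
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "RS256", "typ": "JWT",
              "x5t": fingerprint_to_x5t(sha1_fingerprint)}
    claims = {
        # Assumption: the Azure AD v1 token endpoint is the audience.
        "aud": f"https://login.microsoftonline.com/{tenant_id}/oauth2/token",
        "iss": client_id,
        "sub": client_id,
        "jti": str(uuid.uuid4()),    # unique per assertion
        "nbf": now,
        "exp": now + duration_secs,  # Token_Duration_Secs sets the expiry
    }
    segments = [b64url(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, claims)]
    return ".".join(segments), claims

def token_request_form(client_id, resource, signed_assertion):
    """Form fields for the client-credentials POST with a certificate."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "resource": resource, "client_assertion_type": ASSERTION_TYPE,
            "client_assertion": signed_assertion}

if __name__ == "__main__":
    # Constructed sample fingerprint and placeholder IDs, not real values.
    fp = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"
    signing_input, claims = build_signing_input(
        "TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER", fp, 300, now=1700000000)
    print(signing_input)
    print(claims["exp"] - claims["nbf"], "second lifetime")
```

    A fingerprint that is not exactly 40 hex characters is rejected before any request is built, which catches a thumbprint copied with a missing or extra byte.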


    Import and Edit the Service Connector

    Perform the following steps to import and edit a service connector to Microsoft Azure Multi-Factor Authentication:

    1. Import the attached service connector. You will find the following actions:
      1. GetAccessTokenUsingCertificate
      2. GetAccessTokenUsingSharedSecret


    This service has been created with references from:




    2. On the Properties > Connection Properties section of the service connector, fill in the properties.
      Note: You do not need to fill in the Client Secret. This is required only for getting the access token with a shared secret (the GetAccessTokenUsingSharedSecret action listed above).
    3. Verify that the right action and Secure Agent are selected before you click the Test button, and verify the results in the Test tab.
    4. The Output Fields results contain the required access token in the format shown below:


    For both these operations, GetAccessTokenUsingCertificate and GetAccessTokenUsingSharedSecret, the result set will look like the following payload. This information is available to Processes as a Process Object.


    <access_token>eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImlCakwxUmNxemhpeTRmcHhJeGRacW9oTTJZayIsImtpZCI6ImlCakwxUmNxemhpeTRmcHhJeGRacW9oTTJZayJ9.… lot more characters …  34P52Fgp1Z52Oq4BhGNVFM53tRWqiQZXAdlPmevtZ3oT8nxs1wIHoQPwvbkbhI01JCHGSMZPHRcOx72jPseCGO_4CDf53RPwd3oJ9df6SU-pg</access_token>









    Use the Service Connector in a Process

    Perform the following steps to create a process and use the service connector you imported:

    • Verify the service connector test results. If successful, publish the service connector.
    • Create a connection for the service connector. You will need to enter connection properties. The following image shows the connection Properties tab with all details entered:


    • Use the connection in an Application Integration process to get the OAuth bearer token and use it in an operation.


    Please find attached a sample service connector, connection, and a process using them.