The idea is:
To perform “private_key_jwt” Client Authentication following the Microsoft Identity platform Assertion header format using the JWT node to create a client assertion that is accepted by the Microsoft Identity Platform. The header must contain the x5t#S256 parameter which currently is not available as node option.
My use case:
Sign in to Microsoft Graph using custom application certificate credentials.
I think it would be beneficial to add this because:
When comparing this to the OAuth2 API Client Credentials grant type (Client ID + Client Secret) there are benefits in using Confidential Client Assertions. These benefits would be providing stronger security and scalability.
Any resources to support this?
Using the Crypto node to sign is also possible, but this node does not store the Private Key as a credential, does not perform base64url encoding and we have to generate our own header and payload using extra nodes. This make it less secure and more complex. We are also exploring the option of using Azure Key Vault to perform the sign operation externally but this requires additional recources and complexity.
Microsoft identity platform certificate credentials - Microsoft identity platform | Microsoft Learn
RFC 7515 - JSON Web Signature (JWS)