SSH Certificates

Note: this feature will be available from MSAL 4.3.2 onward

AAD is capable of issuing SSH certificates instead of bearer tokens. These are not the same as SSH public keys. Currently this is available as an extension method on AcquireTokenSilent and AcquireTokenInteractive.

var result = await pca
    .AcquireTokenSilent(s_scopes, account)
    .WithSSHCertificateAuthenticationScheme(jwk, "keyID1")
    .ExecuteAsync();

Paramters:

jwk = The public SSH key in JWK format as described at https://tools.ietf.org/html/rfc7517 . Currently only RSA with a minimum key size of 2048 bytes is supported.
keyID = Any string that distinguishes between keys (usually hash of the key, but format is not important)

Example creating a JWK

private string CreateJwk()
{
     RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(2048);
     RSAParameters rsaKeyInfo = rsa.ExportParameters(false);

     // Algorithm behind Base64UrlHelpers.Encode is described here https://www.rfc-editor.org/rfc/rfc7515.html#appendix-C
     string modulus = Base64UrlHelpers.Encode(rsaKeyInfo.Modulus); 
     string exp = Base64UrlHelpers.Encode(rsaKeyInfo.Exponent);
     string jwk = $"{{\"kty\":\"RSA\", \"n\":\"{modulus}\", \"e\":\"{exp}\"}}";

     return jwk;
}

Getting started with MSAL.NET

Acquiring tokens

AcquireTokenSilent

Desktop/Mobile apps

AcquireTokenInteractive
WAM - the Windows broker
.NET Core
Maui Docs
Custom Browser
Applying an AAD B2C policy
Integrated Windows Authentication for domain or AAD joined machines
Username / Password
Device Code Flow for devices without a Web browser
ADFS support

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SSH Certificates

Getting started with MSAL.NET

Acquiring tokens

Desktop/Mobile apps

Web Apps / Web APIs / daemon apps

Advanced topics

News

FAQ

Other resources

Clone this wiki locally