Certificate-Based Authentication With the Microsoft Graph API in MuleSoft

kamalika chaudhuri
Another Integration Blog
3 min read · Aug 6, 2022

This article demonstrates how to get an access token for Microsoft Graph using certificate-based authentication in MuleSoft. The token is used to access Microsoft Graph APIs for SharePoint operations, drive operations, etc. As there were no out-of-the-box solutions available for OAuth client credentials authentication using a certificate, I have come up with a solution of my own.

Before we begin, make sure you have set up your Microsoft Azure App and have obtained your certificate (further explanation can be found in the Microsoft documentation). Below, I cover the MuleSoft implementation, assuming that you have the certificate “.pfx” file and the tenant and client IDs from the Azure App.

The steps to get an access token are:

  1. Create a JWT token from the .pfx certificate parameters: the certificate thumbprint and the private key.
  2. Using the JWT token you just created as a parameter, along with the client ID and 3 other static parameters, you get the bearer access token to access the Microsoft Graph API resources.
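
The two steps above, written out in plain Java as an added example (this is not the author's CommonUtils.java or the DataWeave JWT library). It assumes the claim set and the three static parameters that Microsoft's identity platform documentation gives for certificate credentials, a five-minute lifetime chosen here, and tenant and client IDs that are GUIDs; the class name and command-line arguments are hypothetical.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.*;

public class ClientAssertionExample {
    static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    static String b64(String s) { return B64URL.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

    // Step 1: build the RS256-signed client assertion from the first key entry in the .pfx.
    static String buildAssertion(KeyStore pfx, char[] pw, String tenantId, String clientId) throws Exception {
        String alias = null;
        for (String a : Collections.list(pfx.aliases())) {
            if (pfx.isKeyEntry(a)) { alias = a; break; }
        }
        if (alias == null) throw new IllegalStateException("no private key entry in the .pfx");
        PrivateKey key = (PrivateKey) pfx.getKey(alias, pw);
        byte[] certDer = pfx.getCertificate(alias).getEncoded();
        // x5t is base64url over the raw SHA-1 thumbprint bytes of the DER certificate,
        // not over the hex thumbprint string that the Azure portal displays.
        String x5t = B64URL.encodeToString(MessageDigest.getInstance("SHA-1").digest(certDer));

        long now = Instant.now().getEpochSecond();
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\",\"x5t\":\"" + x5t + "\"}";
        // Assumes GUID ids, so no JSON escaping is needed; 300 s lifetime is this example's choice.
        String claims = "{\"aud\":\"https://login.microsoftonline.com/" + tenantId + "/oauth2/v2.0/token\","
                + "\"iss\":\"" + clientId + "\",\"sub\":\"" + clientId + "\","
                + "\"jti\":\"" + UUID.randomUUID() + "\",\"nbf\":" + now + ",\"exp\":" + (now + 300) + "}";
        String signingInput = b64(header) + "." + b64(claims);

        Signature rs256 = Signature.getInstance("SHA256withRSA");
        rs256.initSign(key);
        rs256.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64URL.encodeToString(rs256.sign());
    }

    public static void main(String[] args) throws Exception {
        // args (placeholders): <path-to.pfx> <pfx-password> <tenant-id> <client-id>
        KeyStore pfx = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) { pfx.load(in, args[1].toCharArray()); }
        String jwt = buildAssertion(pfx, args[1].toCharArray(), args[2], args[3]);
        // Step 2: token request parameters (client ID, the assertion, three static values),
        // shown URL-encoded as in Microsoft's documentation. Avoid logging this outside a demo.
        System.out.println("grant_type=client_credentials&client_id=" + args[3]
                + "&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default"
                + "&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer"
                + "&client_assertion=" + jwt);
    }
}
```

The assertion is only a proof of possession of the private key, so the .pfx and its password are the secrets to protect; the short `exp` limits how long a leaked assertion can be replayed.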

Please find the implementation steps below. Here is the git repo of the implementation to refer to and copy.

Get token sub flow
Generate Token Mule Flow
1. To create the JWT token, we first extract the thumbprint and private key from the certificate. I have written two methods in Java to fetch the information. Pass the certificate and the password as input to the Java methods from DataWeave. Please find the CommonUtils.java here.

Fetching the certificate Thumbprint
Fetching the private key in PEM Format

2. To create the JWT token, use the module from this DataWeave library.

Creating JWT Token for client assertion

3. Form the multipart payload, as shown below, to do a POST request to Graph API’s endpoint, /{tenant}/oauth2/v2.0/token, using the JWT token, Client ID, and the 3 static parameters.

The input params for the access token request to graph api
Request to graph API for token

4. After the HTTP request component, form the bearer access token from the Graph API response payload.

Form bearer<access-token> from graph API response

5. Take note of the project structure and the config details.

Project Structure
Config file
Please note the additional dependencies which are required in the POM:

    <dependency>
        <groupId>68ef9520-24e9-4cf2-b2f5-620025690913</groupId>
        <artifactId>data-weave-jwt-library</artifactId>
        <version>1.0.0</version>
        <classifier>dw-library</classifier>
    </dependency>
    <dependency>
        <groupId>javax.xml.bind</groupId>
        <artifactId>jaxb-api</artifactId>
        <version>2.3.1</version>
    </dependency>

6. Now, run and test the generate-access-token flow.

Test access token flow

7. And voila, we received the access token!!

Result!!
After running fetched Access Token in Postman

And that’s it. Have a great day.
