Comments on: OAuth Flow in Microsoft Entra ID (Azure AD)

By: Tsuyoshi Matsuzaki (Fri, 07 Aug 2020 02:58:55 +0000)
In reply to Ravindra R Pathak.

Sorry for my late response. As you say, client_assertion is also a JWT, in which a specific format of payload is signed with your (your application's) key, which is the certificate generated in Azure AD. (The public key of the key pair is also stored in Azure AD, so Azure AD can verify your signed JWT.)
I'm sorry, but there's no appropriate document describing this "specific format of payload".
The easy way to find this format (payload) is to capture the HTTP traffic generated by C# (MSAL) with Fiddler or other development tools. You can then parse the captured JWT with an online parser such as https://jwt.io/ and get the original payload.
After you know this original payload format, you can sign it (create a signature) with many tools, such as openssl.
(See my post /2016/03/08/azure-ad-msa-v2-endpoint-validate-id_token/ for details about the JWT format. That post uses the PHP openssl functions for verification; in this case, you should sign, not verify.)
Sorry for not providing an exact answer to your question, but I think this will help you understand how to sign by yourself without MSAL.

By: Ravindra R Pathak (Tue, 04 Aug 2020 18:40:08 +0000)

Hello,

I liked this post very much, and I have a question:
You have mentioned a note about using a certificate instead of a secret as:
"Note : You can also use certificate, instead of client secret (password). When using the certificate, first you download a private key (pfx file) and use this key in your application. The application signs token using this key, generate JWT, and attach this JWT as "client_assertion" property in POST body."

I am trying to get an access token from Azure AD using a certificate instead of a client_secret from Postman. Can you please suggest how to do the "client_assertion" JWT generation part for use in Postman? Is there any other method or way, apart from C# code, to generate the client_assertion JWT, since I want to get the access token from Postman?

Also, is there any other authentication type that can be used with a certificate, if you are aware of one?

Regards,
Ravindra R Pathak
