ZAP Scan Automation using Azure DevOps

Question

Hey Team,&nbsp;I have implemented ZAP Scan for one of the microservices. I need to get the access token from the Azure AD B2C using client assertion for the microservice. I have registered my application under the Azure AD B2C, to generate the client assertion which technique should I follow(like MSAL) or any insights from your end.&nbsp;Are there any other approach to get the access token from Azure AD B2C or Azure AD B2E with out passing the client secret.If there is a solution how I need to automate the whole process using the powershell or python. Please share your valid thoughts.&nbsp;Thank you for your patience.

kidd_ip · Answer

Try Clietn Credential Flow + Client Assertion:
&nbsp;
1. Register a certificate with your Azure AD B2C application2. Generate a signed JWT as the client assertion3. Request a token using this assertionMSAL doesn’t natively generate client assertion JWTs, but you can use System.IdentityModel.Tokens.Jwt:
# Load your certificate
$cert = Get-PfxCertificate -FilePath "path-to-cert.pfx"

# Generate JWT client assertion manually
# Then use Invoke-RestMethod to call the token endpoint:
$body = @{
    client_id = "&lt;your-client-id&gt;"
    scope = "https://&lt;tenant&gt;.onmicrosoft.com/&lt;api&gt;/read"
    grant_type = "client_credentials"
    client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
    client_assertion = "&lt;your-JWT&gt;"
}

$response = Invoke-RestMethod -Uri "https://&lt;tenant&gt;.b2clogin.com/&lt;tenant&gt;.onmicrosoft.com/&lt;policy&gt;/oauth2/v2.0/token" -Method POST -Body $body
&nbsp;

Forum Discussion

ZAP Scan Automation using Azure DevOps

1 Reply

Resources