Hi,
I have a client where I need to authenticate towards their Microsoft Graph. They want me to use certificate-based authentication rather than client secrets.
Does Appfarm support this, and if so — how is it configured?
If not, are there any workarounds? Appfarm AI suggested “Run Code” as the only alternative when using web requests.
// Sigurd
Hi!
The short answer is that Appfarm does not have native support for certificate-based authentication. There is no built-in setting in the Web Request action node or the Secrets store for uploading a certificate and having Appfarm sign requests automatically.
That said, it is absolutely achievable, and Run Code is not necessarily required.
Microsoft’s certificate-based client credentials flow replaces the client_secret with a signed JWT called a client_assertion. The token request to the Microsoft identity platform uses this JWT, signed with the certificate’s private key, in place of a regular secret.
The key challenge is that Appfarm cannot hold or use a private key to sign JWTs. This means the signed JWT assertion must be generated outside of Appfarm. Once generated, the flow inside Appfarm looks like this:
- Generate the signed JWT client assertion externally, using a script, Azure Function, or similar tool that has access to the private key.
- Store the resulting JWT as an environment-specific Secret in Appfarm.
- Use a scheduled Service with a Web Request action node to exchange the JWT for a bearer access token from Microsoft, and store the result using the Update Secret action node.
- Use that bearer access token Secret in your Microsoft Graph Web Request calls.
This is the same pattern as the Appfarm documentation for retrieving a bearer token from Google Cloud, just with a different token endpoint and assertion format.
Regarding Run Code: it is not required if the signed JWT is managed externally. However, if you want the JWT signing to happen dynamically inside Appfarm itself, that specific step would require Run Code with a library like jsonwebtoken, similar to the Google Cloud bearer token pattern. The token exchange and secret storage steps work cleanly with standard action nodes regardless. The main practical limitation is that you need an external process to periodically regenerate the signed JWT, since it has a short lifespan.
// Jan Einar
Thank you :) I'll check it out.