AzureAD · trwalke · Dec 14, 2022 · Jun 30, 2022 · Jun 30, 2022 · Jul 15, 2022
@@ -35,8 +35,9 @@ internal static class Constants
         public static readonly TimeSpan AccessTokenExpirationBuffer = TimeSpan.FromMinutes(5);
         public const string EnableSpaAuthCode = "1";
         public const string PoPTokenType = "pop";
-        public const string PoPAuthHeaderPrefix = "PoP";
+        public const string PoPAuthHeaderPrefix = "PoP"; 
         public const string RequestConfirmation = "req_cnf";
+        public const string BearerAuthHeaderPrefix = "Bearer";
 
         public static string FormatEnterpriseRegistrationOnPremiseUri(string domain)
         {

@@ -9,6 +9,7 @@
 using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.Identity.Client.Internal;
 using Microsoft.Identity.Client.PlatformsCommon.Factories;
 using Microsoft.Identity.Client.Utils;
 
@@ -21,6 +22,14 @@ namespace Microsoft.Identity.Client
     /// </summary>
     public class WwwAuthenticateParameters
     {
+        private static readonly ISet<string> s_knownAuthenticationSchemes = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+
+        static WwwAuthenticateParameters()
+        {
+            s_knownAuthenticationSchemes.Add(Constants.BearerAuthHeaderPrefix);
+            s_knownAuthenticationSchemes.Add(Constants.PoPAuthHeaderPrefix);
+        }
+
         /// <summary>
         /// Resource for which to request scopes.
         /// This is the App ID URI of the API that returned the WWW-Authenticate header.
@@ -50,6 +59,16 @@ public class WwwAuthenticateParameters
         /// </summary>
         public string Error { get; set; }
 
+        /// <summary>
+        /// Scheme.
+        /// </summary>
+        public string Scheme { get; set; } 
+
+        /// <summary>
+        /// Server Nonce.
+        /// </summary>
+        public string ServerNonce { get; set; }
+
         /// <summary>
         /// Return the <see cref="RawParameters"/> of key <paramref name="key"/>.
         /// </summary>
@@ -89,16 +108,47 @@ public string GetTenantId() => Instance.Authority
         public static WwwAuthenticateParameters CreateFromResponseHeaders(
             HttpResponseHeaders httpResponseHeaders,
             string scheme = "Bearer")
+        {
+            if (scheme == Constants.BearerAuthHeaderPrefix)
+            {
+                return ParseBearerParameters(httpResponseHeaders);
+            }
+
+            if (scheme == Constants.PoPAuthHeaderPrefix)
+            {
+                return ParsePopParameters(httpResponseHeaders);
+            }
+
+            return CreateWwwAuthenticateParameters(new Dictionary<string, string>());
+        }
+
+        private static WwwAuthenticateParameters ParseBearerParameters(HttpResponseHeaders httpResponseHeaders)
         {
             if (httpResponseHeaders.WwwAuthenticate.Any())
             {
-                // TODO: add POP support
-                AuthenticationHeaderValue bearer = httpResponseHeaders.WwwAuthenticate.First(v => string.Equals(v.Scheme, scheme, StringComparison.OrdinalIgnoreCase));
+                AuthenticationHeaderValue bearer = httpResponseHeaders.WwwAuthenticate.First(v => string.Equals(v.Scheme, Constants.BearerAuthHeaderPrefix, StringComparison.OrdinalIgnoreCase));
                 string wwwAuthenticateValue = bearer.Parameter;
-                return CreateFromWwwAuthenticateHeaderValue(wwwAuthenticateValue);
+                var parameters = CreateFromWwwAuthenticateHeaderValue(wwwAuthenticateValue);
+                parameters.Scheme = Constants.BearerAuthHeaderPrefix;
+                return parameters;
             }
 
-            return CreateWwwAuthenticateParameters(new Dictionary<string, string>());
+            return null;
+        }
+
+        private static WwwAuthenticateParameters ParsePopParameters(HttpResponseHeaders httpResponseHeaders)
+        {
+            if (httpResponseHeaders.WwwAuthenticate != null)
+            {
+                string wwwAuthenticateValue = httpResponseHeaders.WwwAuthenticate.ToString();
+                var parameters = CreateFromWwwAuthenticateHeaderValue(wwwAuthenticateValue);
+
+                parameters.Scheme = Constants.PoPAuthHeaderPrefix;
+
+                return parameters;
+            }
+
+            return null;
         }
 
         /// <summary>
@@ -130,17 +180,41 @@ public static Task<WwwAuthenticateParameters> CreateFromResourceResponseAsync(st
             return CreateFromResourceResponseAsync(resourceUri, default);
         }
 
+        /// <summary>
+        /// Create a list of the known authenticate parameters by attempting to call the resource unauthenticated, and analyzing the response.
+        /// </summary>
+        /// <param name="resourceUri">URI of the resource.</param>
+        /// <param name="cancellationToken">The cancellation token to cancel operation.</param>
+        /// <returns>a list of WWW-Authenticate Parameters extracted from a response to the unauthenticated call.</returns>
+        public static async Task<IEnumerable<WwwAuthenticateParameters>> CreateKnownParametersFromResourceResponseAsync(string resourceUri, CancellationToken cancellationToken = default)
+        {
+            List<WwwAuthenticateParameters> parameterList = new List<WwwAuthenticateParameters>();
+
+            foreach (string scheme in s_knownAuthenticationSchemes)
+            {
+                var parameter = await CreateFromResourceResponseAsync(resourceUri, cancellationToken, scheme).ConfigureAwait(false);
+
+                if (parameter != null && string.IsNullOrEmpty(parameter.Scheme))
+                {
+                    parameterList.Add(parameter);
+                }
+            }
+
+            return parameterList;
+        }
+
         /// <summary>
         /// Create the authenticate parameters by attempting to call the resource unauthenticated, and analyzing the response.
         /// </summary>
         /// <param name="resourceUri">URI of the resource.</param>
         /// <param name="cancellationToken">The cancellation token to cancel operation.</param>
+        /// <param name="scheme">Authentication scheme. Default is Bearer.</param>
         /// <returns>WWW-Authenticate Parameters extracted from response to the unauthenticated call.</returns>
-        public static Task<WwwAuthenticateParameters> CreateFromResourceResponseAsync(string resourceUri, CancellationToken cancellationToken = default)
+        public static Task<WwwAuthenticateParameters> CreateFromResourceResponseAsync(string resourceUri, CancellationToken cancellationToken = default, string scheme = "Bearer")
         {
             var httpClientFactory = PlatformProxyFactory.CreatePlatformProxy(null).CreateDefaultHttpClientFactory();
             var httpClient = httpClientFactory.GetHttpClient();
-            return CreateFromResourceResponseAsync(httpClient, resourceUri, cancellationToken);
+            return CreateFromResourceResponseAsync(httpClient, resourceUri, cancellationToken, scheme);
         }
 
         /// <summary>
@@ -149,8 +223,9 @@ public static Task<WwwAuthenticateParameters> CreateFromResourceResponseAsync(st
         /// <param name="httpClient">Instance of <see cref="HttpClient"/> to make the request with.</param>
         /// <param name="resourceUri">URI of the resource.</param>
         /// <param name="cancellationToken">The cancellation token to cancel operation.</param>
+        /// <param name="scheme">Authentication scheme. Default is Bearer.</param>
         /// <returns>WWW-Authenticate Parameters extracted from response to the unauthenticated call.</returns>
-        public static async Task<WwwAuthenticateParameters> CreateFromResourceResponseAsync(HttpClient httpClient, string resourceUri, CancellationToken cancellationToken = default)
+        public static async Task<WwwAuthenticateParameters> CreateFromResourceResponseAsync(HttpClient httpClient, string resourceUri, CancellationToken cancellationToken = default, string scheme = "Bearer")
         {
             if (httpClient is null)
             {
@@ -163,7 +238,7 @@ public static async Task<WwwAuthenticateParameters> CreateFromResourceResponseAs
 
             // call this endpoint and see what the header says and return that
             HttpResponseMessage httpResponseMessage = await httpClient.GetAsync(resourceUri, cancellationToken).ConfigureAwait(false);
-            var wwwAuthParam = CreateFromResponseHeaders(httpResponseMessage.Headers);
+            var wwwAuthParam = CreateFromResponseHeaders(httpResponseMessage.Headers, scheme);
             return wwwAuthParam;
         }
 
@@ -231,6 +306,11 @@ internal static WwwAuthenticateParameters CreateWwwAuthenticateParameters(IDicti
                 wwwAuthenticateParameters.Error = value;
             }
 
+            if (values.TryGetValue("WWWAuthenticate: PoP nonce", out value))
+            {
+                wwwAuthenticateParameters.ServerNonce = value.Replace("\"", string.Empty);
+            }
+
             return wwwAuthenticateParameters;
         }
 

@@ -8,6 +8,7 @@
 using System.Net.Http;
 using System.Threading.Tasks;
 using Microsoft.Identity.Client;
+using Microsoft.Identity.Client.Internal;
 using Microsoft.Identity.Test.Common.Core.Mocks;
 using Microsoft.VisualStudio.TestTools.UnitTesting;
 
@@ -253,6 +254,30 @@ public void ExtractClaimChallengeFromHeader_IncorrectError_ReturnNull()
             Assert.IsNull(WwwAuthenticateParameters.GetClaimChallengeFromResponseHeaders(httpResponse.Headers));
         }
 
+        [TestMethod]
+        public async Task ExtractNonceFromHeaderAsync()
+        {
+            //Arrange & Act
+            WwwAuthenticateParameters parameters = await WwwAuthenticateParameters.CreateFromResourceResponseAsync(
+                                                         "https://testingsts.azurewebsites.net/servernonce/expired",
+                                                         default,
+                                                         Constants.PoPAuthHeaderPrefix).ConfigureAwait(false);
+
+            //Assert
+            Assert.IsTrue(parameters.Scheme == Constants.PoPAuthHeaderPrefix);
+            Assert.IsNotNull(parameters.ServerNonce);
+        }
+
+        //[TestMethod]
+        //public void ExtractAllParametersFromResponse()
+        //{
+        //    // Arrange
+        //    HttpResponseMessage httpResponse = CreateBearerAndPopHttpResponse();
+
+        //    // Act & Assert
+        //    Assert.IsNull(WwwAuthenticateParameters.GetClaimChallengeFromResponseHeaders(httpResponse.Headers));
+        //}
+
         private static HttpResponseMessage CreateClaimsHttpResponse(string claims)
         {
             HttpResponseMessage httpResponse = new HttpResponseMessage(HttpStatusCode.Unauthorized);
@@ -292,5 +317,17 @@ private static HttpResponseMessage CreateInvalidTokenHttpErrorResponse(string te
                 }
             };
         }
+
+        //private static HttpResponseMessage CreateBearerAndPopHttpResponse()
+        //{
+        //    return new HttpResponseMessage(HttpStatusCode.Unauthorized)
+        //    {
+        //        Headers =
+        //        {
+        //            { WwwAuthenticateHeaderName, $"Bearer realm=\"\", client_id=\"00000003-0000-0000-c000-000000000000\", authorization_uri=\"https://login.microsoftonline.com/common/oauth2/authorize\", error=\"some_error\", claims=\"{DecodedClaimsHeader}\"" },
+        //            { WwwAuthenticateHeaderName, $"WWWAuthenticate: PoP nonce=\"\", someNonce"}
+        //        }
+        //    };
+        //}
     }
 }