AzureAD · trwalke · Dec 14, 2022 · Jun 30, 2022 · Jun 30, 2022 · Jul 15, 2022
@@ -35,8 +35,9 @@ internal static class Constants
         public static readonly TimeSpan AccessTokenExpirationBuffer = TimeSpan.FromMinutes(5);
         public const string EnableSpaAuthCode = "1";
         public const string PoPTokenType = "pop";
-        public const string PoPAuthHeaderPrefix = "PoP";
+        public const string PoPAuthHeaderPrefix = "PoP"; 
         public const string RequestConfirmation = "req_cnf";
+        public const string BearerAuthHeaderPrefix = "Bearer";
 
         public static string FormatEnterpriseRegistrationOnPremiseUri(string domain)
         {

@@ -9,6 +9,7 @@
 using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.Identity.Client.Internal;
 using Microsoft.Identity.Client.PlatformsCommon.Factories;
 using Microsoft.Identity.Client.Utils;
 
@@ -21,6 +22,13 @@ namespace Microsoft.Identity.Client
     /// </summary>
     public class WwwAuthenticateParameters
     {
+        private static readonly ISet<string> s_knownAuthenticationSchemes = new HashSet<string>(
+                                                                              new[] {
+                                                                                       Constants.BearerAuthHeaderPrefix,
+                                                                                       Constants.PoPAuthHeaderPrefix
+                                                                              }, 
+                                                                              StringComparer.OrdinalIgnoreCase);
+
         /// <summary>
         /// Resource for which to request scopes.
         /// This is the App ID URI of the API that returned the WWW-Authenticate header.
@@ -50,6 +58,17 @@ public class WwwAuthenticateParameters
         /// </summary>
         public string Error { get; set; }
 
+        /// <summary>
+        /// AuthScheme.
+        /// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate#syntax for more details
+        /// </summary>
+        public string AuthScheme { get; set; } 
+
+        /// <summary>
+        /// Server Nonce.
+        /// </summary>
+        public string ServerNonce { get; set; }
+
         /// <summary>
         /// Return the <see cref="RawParameters"/> of key <paramref name="key"/>.
         /// </summary>
@@ -92,15 +111,41 @@ public static WwwAuthenticateParameters CreateFromResponseHeaders(
         {
             if (httpResponseHeaders.WwwAuthenticate.Any())
             {
-                // TODO: add POP support
-                AuthenticationHeaderValue bearer = httpResponseHeaders.WwwAuthenticate.First(v => string.Equals(v.Scheme, scheme, StringComparison.OrdinalIgnoreCase));
+                AuthenticationHeaderValue bearer = httpResponseHeaders.WwwAuthenticate.First(v => string.Equals(v.Scheme, Constants.BearerAuthHeaderPrefix, StringComparison.OrdinalIgnoreCase));
                 string wwwAuthenticateValue = bearer.Parameter;
-                return CreateFromWwwAuthenticateHeaderValue(wwwAuthenticateValue);
+                var parameters = CreateFromWwwAuthenticateHeaderValue(wwwAuthenticateValue);
+                parameters.AuthScheme = Constants.BearerAuthHeaderPrefix;
+                return parameters;
             }
 
             return CreateWwwAuthenticateParameters(new Dictionary<string, string>());
         }
 
+        /// <summary>
+        /// Create WWW-Authenticate parameters from the HttpResponseHeaders for each auth scheme.
+        /// </summary>
+        /// <param name="httpResponseHeaders">HttpResponseHeaders.</param>
+        /// <returns>The parameters requested by the web API.</returns>
+        /// <remarks>Currently it only supports the Bearer scheme</remarks>
+        public static IEnumerable<WwwAuthenticateParameters> CreateAllFromResponseHeaders(
+            HttpResponseHeaders httpResponseHeaders)
+        {
+            List<WwwAuthenticateParameters> parameterList = new List<WwwAuthenticateParameters>();
+
+            foreach (var wwwAuthenticateHeaderValue in httpResponseHeaders.WwwAuthenticate)
+            {
+                if (s_knownAuthenticationSchemes.Contains(wwwAuthenticateHeaderValue.Scheme))
+                {
+                    var parameters = CreateFromWwwAuthenticateHeaderValue(wwwAuthenticateHeaderValue.Parameter);
+                    parameters.AuthScheme = wwwAuthenticateHeaderValue.Scheme;
+
+                    parameterList.Add(parameters);
+                }
+            }
+
+            return parameterList;
+        }
+
         /// <summary>
         /// Creates parameters from the WWW-Authenticate string.
         /// </summary>
@@ -112,10 +157,22 @@ public static WwwAuthenticateParameters CreateFromWwwAuthenticateHeaderValue(str
             {
                 throw new ArgumentNullException(nameof(wwwAuthenticateValue));
             }
+            IDictionary<string, string> parameters;
+
+            var AuthValuesSplit = wwwAuthenticateValue.Split(new char[] { ' ' }, 2);
 
-            IDictionary<string, string> parameters = CoreHelpers.SplitWithQuotes(wwwAuthenticateValue, ',')
-                .Select(v => ExtractKeyValuePair(v.Trim()))
-                .ToDictionary(pair => pair.Key, pair => pair.Value, StringComparer.OrdinalIgnoreCase);
+            if (s_knownAuthenticationSchemes.Contains(AuthValuesSplit[0]))
+            {
+                parameters = CoreHelpers.SplitWithQuotes(AuthValuesSplit[1], ',')
+                    .Select(v => ExtractKeyValuePair(v.Trim()))
+                    .ToDictionary(pair => pair.Key, pair => pair.Value, StringComparer.OrdinalIgnoreCase);
+
+            } else
+            {
+                parameters = CoreHelpers.SplitWithQuotes(wwwAuthenticateValue, ',')
+                    .Select(v => ExtractKeyValuePair(v.Trim()))
+                    .ToDictionary(pair => pair.Key, pair => pair.Value, StringComparer.OrdinalIgnoreCase);
+            }
 
             return CreateWwwAuthenticateParameters(parameters);
         }
@@ -125,22 +182,49 @@ public static WwwAuthenticateParameters CreateFromWwwAuthenticateHeaderValue(str
         /// </summary>
         /// <param name="resourceUri">URI of the resource.</param>
         /// <returns>WWW-Authenticate Parameters extracted from response to the unauthenticated call.</returns>
+        [Obsolete]
         public static Task<WwwAuthenticateParameters> CreateFromResourceResponseAsync(string resourceUri)
         {
             return CreateFromResourceResponseAsync(resourceUri, default);
         }
 
+        /// <summary>
+        /// Create the authenticate parameters by attempting to call the resource unauthenticated, and analyzing the response.
+        /// </summary>
+        /// <param name="resourceUri">URI of the resource.</param>
+        /// <returns>WWW-Authenticate Parameters extracted from response to the unauthenticated call.</returns>
+        public static Task<IEnumerable<WwwAuthenticateParameters>> CreateAllFromResourceResponseAsync(string resourceUri)
+        {
+            return CreateAllFromResourceResponseAsync(resourceUri, default);
+        }
+
         /// <summary>
         /// Create the authenticate parameters by attempting to call the resource unauthenticated, and analyzing the response.
         /// </summary>
         /// <param name="resourceUri">URI of the resource.</param>
         /// <param name="cancellationToken">The cancellation token to cancel operation.</param>
         /// <returns>WWW-Authenticate Parameters extracted from response to the unauthenticated call.</returns>
+        [Obsolete]
         public static Task<WwwAuthenticateParameters> CreateFromResourceResponseAsync(string resourceUri, CancellationToken cancellationToken = default)
+        {
+            return CreateFromResourceResponseAsync(GetHttpClient(), resourceUri, cancellationToken);
+        }
+
+        /// <summary>
+        /// Create the authenticate parameters by attempting to call the resource unauthenticated, and analyzing the response.
+        /// </summary>
+        /// <param name="resourceUri">URI of the resource.</param>
+        /// <param name="cancellationToken">The cancellation token to cancel operation.</param>
+        /// <returns>WWW-Authenticate Parameters extracted from response to the unauthenticated call.</returns>
+        public static Task<IEnumerable<WwwAuthenticateParameters>> CreateAllFromResourceResponseAsync(string resourceUri, CancellationToken cancellationToken = default)
+        {
+            return CreateAllFromResourceResponseAsync(GetHttpClient(), resourceUri, cancellationToken);
+        }
+
+        private static HttpClient GetHttpClient()
         {
             var httpClientFactory = PlatformProxyFactory.CreatePlatformProxy(null).CreateDefaultHttpClientFactory();
-            var httpClient = httpClientFactory.GetHttpClient();
-            return CreateFromResourceResponseAsync(httpClient, resourceUri, cancellationToken);
+            return httpClientFactory.GetHttpClient();
         }
 
         /// <summary>
@@ -150,6 +234,7 @@ public static Task<WwwAuthenticateParameters> CreateFromResourceResponseAsync(st
         /// <param name="resourceUri">URI of the resource.</param>
         /// <param name="cancellationToken">The cancellation token to cancel operation.</param>
         /// <returns>WWW-Authenticate Parameters extracted from response to the unauthenticated call.</returns>
+        [Obsolete]
         public static async Task<WwwAuthenticateParameters> CreateFromResourceResponseAsync(HttpClient httpClient, string resourceUri, CancellationToken cancellationToken = default)
         {
             if (httpClient is null)
@@ -167,6 +252,31 @@ public static async Task<WwwAuthenticateParameters> CreateFromResourceResponseAs
             return wwwAuthParam;
         }
 
+        /// <summary>
+        /// Create the authenticate parameters by attempting to call the resource unauthenticated, and analyzing the response.
+        /// </summary>
+        /// <param name="httpClient">Instance of <see cref="HttpClient"/> to make the request with.</param>
+        /// <param name="resourceUri">URI of the resource.</param>
+        /// <param name="cancellationToken">The cancellation token to cancel operation.</param>
+        /// <param name="scheme">Authentication scheme. Default is Bearer.</param>
+        /// <returns>WWW-Authenticate Parameters extracted from response to the unauthenticated call.</returns>
+        public static async Task<IEnumerable<WwwAuthenticateParameters>> CreateAllFromResourceResponseAsync(HttpClient httpClient, string resourceUri, CancellationToken cancellationToken = default, string scheme = "Bearer")
+        {
+            if (httpClient is null)
+            {
+                throw new ArgumentNullException(nameof(httpClient));
+            }
+            if (string.IsNullOrWhiteSpace(resourceUri))
+            {
+                throw new ArgumentNullException(nameof(resourceUri));
+            }
+
+            // call this endpoint and see what the header says and return that
+            HttpResponseMessage httpResponseMessage = await httpClient.GetAsync(resourceUri, cancellationToken).ConfigureAwait(false);
+            var wwwAuthParams = CreateAllFromResponseHeaders(httpResponseMessage.Headers);
+            return wwwAuthParams;
+        }
+
         /// <summary>
         /// Gets the claim challenge from HTTP header.
         /// Used, for example, for CA auth context.
@@ -231,6 +341,11 @@ internal static WwwAuthenticateParameters CreateWwwAuthenticateParameters(IDicti
                 wwwAuthenticateParameters.Error = value;
             }
 
+            if (values.TryGetValue("nonce", out value))
+            {
+                wwwAuthenticateParameters.ServerNonce = value.Replace("\"", string.Empty);
+            }
+
             return wwwAuthenticateParameters;
         }
 

@@ -8,6 +8,7 @@
 using System.Net.Http;
 using System.Threading.Tasks;
 using Microsoft.Identity.Client;
+using Microsoft.Identity.Client.Internal;
 using Microsoft.Identity.Test.Common.Core.Mocks;
 using Microsoft.VisualStudio.TestTools.UnitTesting;
 
@@ -156,6 +157,10 @@ public async Task CreateFromResourceResponseAsync_HttpClient_Arm_GetTenantId_Asy
             var authParams = await WwwAuthenticateParameters.CreateFromResourceResponseAsync(httpClient, resourceUri).ConfigureAwait(false);
 
             Assert.AreEqual(authParams.GetTenantId(), tenantId);
+
+            var authParamList = await WwwAuthenticateParameters.CreateAllFromResourceResponseAsync(httpClient, resourceUri).ConfigureAwait(false);
+
+            Assert.AreEqual(authParamList.FirstOrDefault().GetTenantId(), tenantId);
         }
 
         [TestMethod]
@@ -174,6 +179,10 @@ public async Task CreateFromResourceResponseAsync_HttpClient_B2C_GetTenantId_Asy
             var authParams = await WwwAuthenticateParameters.CreateFromResourceResponseAsync(httpClient, resourceUri).ConfigureAwait(false);
 
             Assert.AreEqual(authParams.GetTenantId(), tenantId);
+
+            var authParamList = await WwwAuthenticateParameters.CreateAllFromResourceResponseAsync(httpClient, resourceUri).ConfigureAwait(false);
+
+            Assert.AreEqual(authParamList.FirstOrDefault().GetTenantId(), tenantId);
         }
 
         [TestMethod]
@@ -194,6 +203,10 @@ public async Task CreateFromResourceResponseAsync_HttpClient_ADFS_GetTenantId_Nu
             var authParams = await WwwAuthenticateParameters.CreateFromResourceResponseAsync(httpClient, resourceUri).ConfigureAwait(false);
 
             Assert.IsNull(authParams.GetTenantId());
+
+            var authParamList = await WwwAuthenticateParameters.CreateAllFromResourceResponseAsync(httpClient, resourceUri).ConfigureAwait(false);
+
+            Assert.IsNull(authParamList.FirstOrDefault().GetTenantId());
         }
 
         [DataRow(null)]
@@ -205,13 +218,20 @@ public async Task CreateFromResourceResponseAsync_HttpClient_Null_Async(HttpClie
             Func<Task> action = () => WwwAuthenticateParameters.CreateFromResourceResponseAsync(httpClient, resourceUri);
 
             await Assert.ThrowsExceptionAsync<ArgumentNullException>(action).ConfigureAwait(false);
+
+            Func<Task> action2 = () => WwwAuthenticateParameters.CreateAllFromResourceResponseAsync(httpClient, resourceUri);
+
+            await Assert.ThrowsExceptionAsync<ArgumentNullException>(action2).ConfigureAwait(false);
         }
 
         [TestMethod]
         [DataRow(null)]
         [DataRow("")]
         public async Task CreateFromResourceResponseAsync_Incorrect_ResourceUri_Async(string resourceUri)
         {
+
+            await WwwAuthenticateParameters.CreateFromResourceResponseAsync("https://manage.office.com/api/v1.0/fbb86d84-7975-4300-a5cb-87b448d6f13d/activity/feed/subscriptions/content?contentType={ContentType}&amp;startTime={0}&amp;endTime={1}").ConfigureAwait(false);
+
             Func<Task> action = () => WwwAuthenticateParameters.CreateFromResourceResponseAsync(resourceUri);
 
             await Assert.ThrowsExceptionAsync<ArgumentNullException>(action).ConfigureAwait(false);
@@ -253,6 +273,76 @@ public void ExtractClaimChallengeFromHeader_IncorrectError_ReturnNull()
             Assert.IsNull(WwwAuthenticateParameters.GetClaimChallengeFromResponseHeaders(httpResponse.Headers));
         }
 
+        [TestMethod]
+        public async Task ExtractNonceFromHeaderAsync()
+        {
+            //Arrange & Act
+            var parameterList = await WwwAuthenticateParameters.CreateAllFromResourceResponseAsync(
+                                                         "https://testingsts.azurewebsites.net/servernonce/invalidsignature",
+                                                         //"https://manage.office.com/api/v1.0/fbb86d84-7975-4300-a5cb-87b448d6f13d/activity/feed/subscriptions/content?contentType={ContentType}&amp;startTime={0}&amp;endTime={1}",
+                                                         //"https://management.core.windows.net/<subscription-id>/services/hostedservices/<cloudservice-name>",
+                                                         //"https://management.azure.com/subscriptions/c1686c51-b717-4fe0-9af3-24a20a41fb0c/resourceGroups/iddp/providers/Microsoft.KeyVault/vaults/iddp?api-version=2021-10-01",
+                                                         //"https://mkttest0127tipsg908org3.crm10.dynamics.com/api/data/v9.1/",
+                                                         default).ConfigureAwait(false);
+
+            //Assert
+            Assert.IsTrue(parameterList.FirstOrDefault().AuthScheme == Constants.PoPAuthHeaderPrefix);
+            Assert.IsNotNull(parameterList.FirstOrDefault().ServerNonce);
+        }
+
+        [TestMethod]
+        public async Task CreateAllFromResourceResponseAsync_HttpClient_Bearer_Pop_Async()
+        {
+            const string resourceUri = "https://example.com/";
+            string tenantId = Guid.NewGuid().ToString();
+
+            var handler = new MockHttpMessageHandler
+            {
+                ExpectedMethod = HttpMethod.Get,
+                ExpectedUrl = resourceUri,
+                ResponseMessage = CreateBearerAndPopHttpResponse()
+            };
+            var httpClient = new HttpClient(handler);
+            var headers = await WwwAuthenticateParameters.CreateAllFromResourceResponseAsync(httpClient, resourceUri).ConfigureAwait(false);
+
+            var bearerHeader = headers.Where(header => header.AuthScheme == "Bearer").FirstOrDefault();
+            var popHeader = headers.Where(header => header.AuthScheme == "PoP").FirstOrDefault();
+
+            Assert.IsNotNull(bearerHeader);
+            Assert.AreEqual("https://login.microsoftonline.com/TenantId", bearerHeader.Authority);
+            Assert.IsNotNull(popHeader);
+            Assert.AreEqual("someNonce", popHeader.ServerNonce);
+        }
+
+        [TestMethod]
+        public void ExtractAllParametersFromResponse()
+        {
+            // Arrange
+            HttpResponseMessage httpResponse = CreateBearerAndPopHttpResponse();
+
+            // Act & Assert
+            var headers = WwwAuthenticateParameters.CreateAllFromResponseHeaders(httpResponse.Headers);
+            var bearerHeader = headers.Where(header => header.AuthScheme == "Bearer").FirstOrDefault();
+            var popHeader = headers.Where(header => header.AuthScheme == "PoP").FirstOrDefault();
+
+            Assert.IsNotNull(bearerHeader);
+            Assert.AreEqual("https://login.microsoftonline.com/TenantId", bearerHeader.Authority);
+            Assert.IsNotNull(popHeader);
+            Assert.AreEqual("someNonce", popHeader.ServerNonce);
+        }
+
+        [TestMethod]
+        //Test for fix https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/3026
+        public void ExtractParametersFromResponseWithScheme()
+        {
+            //arrange
+            var header = WwwAuthenticateParameters.CreateFromWwwAuthenticateHeaderValue("Bearer authorization_uri=https://login.microsoftonline.com/TenantId/oauth2/authorize, resource_id=https://endpoint/");
+
+            // Act & Assert
+            Assert.IsNotNull(header);
+            Assert.AreEqual("https://login.microsoftonline.com/TenantId", header.Authority);
+        }
+
         private static HttpResponseMessage CreateClaimsHttpResponse(string claims)
         {
             HttpResponseMessage httpResponse = new HttpResponseMessage(HttpStatusCode.Unauthorized);
@@ -292,5 +382,17 @@ private static HttpResponseMessage CreateInvalidTokenHttpErrorResponse(string te
                 }
             };
         }
+
+        private static HttpResponseMessage CreateBearerAndPopHttpResponse()
+        {
+            return new HttpResponseMessage(HttpStatusCode.Unauthorized)
+            {
+                Headers =
+                {
+                    { WwwAuthenticateHeaderName, $"Bearer authorization_uri=\"https://login.microsoftonline.com/TenantId/oauth2/authorize\", resource_id=\"https://endpoint/\"" },
+                    { WwwAuthenticateHeaderName, $"PoP nonce=\"someNonce\""}
+                }
+            };
+        }
     }
 }