
Temporary Workaround for AAD JWT Token Signing Algorithm Issue #4692

Merged 1 commit on Apr 2, 2024

Conversation

@gladjohn (Contributor) commented Apr 1, 2024

Fixes #4690

  • There is a bug in Azure Active Directory (AAD) related to handling JWT tokens signed with certain algorithms. This bug prevents the successful utilization of SHA2 and PSS signing algorithms under specific conditions, leading to authentication failures.
  • As a temporary measure to circumvent this AAD issue, we have disabled the use of SHA2 and PSS for creating client credentials from certificates. This is achieved by setting IsSha2CredentialSupported to false. This change ensures compatibility with AAD's current capabilities and allows token acquisition to proceed without encountering the identified bug.

Changes proposed in this request

  • Modified the IsSha2CredentialSupported property to always return false, bypassing the SHA2 and PSS check for certificate-based client credentials

Testing

  • unit tests

Performance impact
none

Documentation

  • All relevant documentation is updated.
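An added illustration (not MSAL.NET's own code) of what such a flag controls: a certificate-based client assertion is signed according to the flag and then checked by a verifier that handles only one RSA padding. It assumes the PSS path corresponds to the JWT `alg` PS256 and the fallback to RS256, and substitutes a freshly generated RSA key for the certificate.

```csharp
// Added illustration (not MSAL.NET's own code): a flag like IsSha2CredentialSupported picks the
// padding for a certificate-signed client assertion; a verifier that handles only one padding rejects the other.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

static class ClientAssertionDemo
{
    // Same value the PR hard-codes. Assumption: true means PS256 (RSA-PSS), false means RS256 (PKCS#1 v1.5).
    static bool IsSha2CredentialSupported => false;
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static byte[] B64UrlDecode(string s) => Convert.FromBase64String(
        s.Replace('-', '+').Replace('_', '/').PadRight(s.Length + (4 - s.Length % 4) % 4, '='));

    public static string BuildAssertion(RSA key, string clientId, string tokenEndpoint)
    {
        bool usePss = IsSha2CredentialSupported;
        string header = JsonSerializer.Serialize(new { alg = usePss ? "PS256" : "RS256", typ = "JWT" });
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        string payload = JsonSerializer.Serialize(new
        {
            iss = clientId, sub = clientId, aud = tokenEndpoint,
            jti = Guid.NewGuid().ToString(), nbf = now, exp = now + 600
        });
        string input = B64Url(Encoding.UTF8.GetBytes(header)) + "." + B64Url(Encoding.UTF8.GetBytes(payload));
        RSASignaturePadding padding = usePss ? RSASignaturePadding.Pss : RSASignaturePadding.Pkcs1;
        byte[] sig = key.SignData(Encoding.UTF8.GetBytes(input), HashAlgorithmName.SHA256, padding);
        return input + "." + B64Url(sig);
    }

    // A verifier that accepts exactly one padding; VerifyData returns false on a mismatch.
    public static bool Verify(RSA pub, string jwt, RSASignaturePadding expected)
    {
        string[] p = jwt.Split('.');
        if (p.Length != 3) return false;
        return pub.VerifyData(Encoding.UTF8.GetBytes(p[0] + "." + p[1]), B64UrlDecode(p[2]),
                              HashAlgorithmName.SHA256, expected);
    }

    static void Main()
    {
        using RSA key = RSA.Create(2048); // stand-in for the certificate's private key
        string jwt = BuildAssertion(key, "<client-id>", "<token-endpoint>");
        Console.WriteLine("header: " + Encoding.UTF8.GetString(B64UrlDecode(jwt.Split('.')[0])));
        Console.WriteLine("PKCS#1 v1.5 verifier accepts: " + Verify(key, jwt, RSASignaturePadding.Pkcs1));
        Console.WriteLine("PSS-only verifier accepts:    " + Verify(key, jwt, RSASignaturePadding.Pss));
    }
}
```

Decoding the first segment of the assertion shows which `alg` the flag selected, which is a quick way to confirm the workaround is in effect before a token request reaches the service.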

@gladjohn gladjohn marked this pull request as ready for review April 1, 2024 22:21
@neha-bhargava neha-bhargava left a comment

Approve with suggestion

@gladjohn gladjohn merged commit 463c985 into main Apr 2, 2024
8 checks passed
@gladjohn gladjohn deleted the gladjohn/msal4601 branch April 2, 2024 00:18
Diff context for the inline review comment:

    AuthorityType != AuthorityType.Dsts &&
    AuthorityType != AuthorityType.Generic &&
    AuthorityType != AuthorityType.Adfs;
    internal bool IsSha2CredentialSupported => false;
A Member commented:
I recommend opening a GH issue to track re-enabling this. Not a bad idea to link the issue from the code.


Linked issue that merging this pull request may close: [Bug] Using the SHA2 feature will cause the following errors