13 changes: 11 additions & 2 deletions msal/application.py
Expand Up @@ -59,7 +59,7 @@ def __init__(
verify=True, proxies=None, timeout=None):
"""Create an instance of application.

:param client_id: Your app has a clinet_id after you register it on AAD.
:param client_id: Your app has a client_id after you register it on AAD.
:param client_credential:
For :class:`PublicClientApplication`, you simply use `None` here.
For :class:`ConfidentialClientApplication`,
Expand All @@ -69,8 +69,11 @@ def __init__(
{
"private_key": "...-----BEGIN PRIVATE KEY-----...",
"thumbprint": "A1B2C3D4E5F6...",
"public_certificate": "...-----BEGIN CERTIFICATE-----..." (Only to be sent when using Subject Name Issuer Authentication)
}

public_certificate (optional) can be a public key certificate or certificate chain which is sent through
'x5c' JWT header only for subject name and issuer based authentication to support cert auto rolls
:param str authority:
A URL that identifies a token authority. It should be of the format
https://login.microsoftonline.com/your_tenant
Expand Down Expand Up @@ -110,12 +113,18 @@ def _build_client(self, client_credential, authority):
client_assertion = None
client_assertion_type = None
default_body = {"client_info": 1}
headers = {}
if isinstance(client_credential, dict):
assert ("private_key" in client_credential
and "thumbprint" in client_credential)
if 'public_certificate' in client_credential:
public_certificates = re.findall(
r'\-+BEGIN CERTIFICATE.+\-+(?P<cert_value>[^-]+)\-+END CERTIFICATE.+\-+',
client_credential['public_certificate'], re.I) # We send x5c as list of strings
headers["x5c"] = [cert.strip() for cert in public_certificates]
signer = JwtSigner(
client_credential["private_key"], algorithm="RS256",
sha1_thumbprint=client_credential.get("thumbprint"))
sha1_thumbprint=client_credential.get("thumbprint"), headers=headers)
client_assertion = signer.sign_assertion(
audience=authority.token_endpoint, issuer=self.client_id)
client_assertion_type = Client.CLIENT_ASSERTION_TYPE_JWT
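Review bot: When `public_certificate` is supplied but the pattern in `_build_client` matches no PEM block, `headers["x5c"]` becomes an empty list and the assertion is still signed, so a malformed or marker-less certificate would only surface as an authentication failure at the token endpoint. Failing early would make this diagnosable, e.g. `if not public_certificates: raise ValueError("public_certificate contains no PEM certificate block")`. The `.+` after `BEGIN CERTIFICATE` is greedy, so for a chain passed on a single line it appears to capture only the last certificate and silently drop the rest; `.+?` in both places would avoid that. The visible hunks add no `import re`, so it is worth confirming the module already imports it. `_build_client` continues past the end of this hunk.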