Adding Extensibility for Custom Signed Assertion Providers

Directory.Build.props

@@ -96,7 +96,7 @@
     <MicrosoftGraphVersion>4.36.0</MicrosoftGraphVersion>
     <MicrosoftGraphBetaVersion>4.57.0-preview</MicrosoftGraphBetaVersion>
     <MicrosoftExtensionsHttpVersion>3.1.3</MicrosoftExtensionsHttpVersion>
-    <MicrosoftIdentityAbstractionsVersion>8.0.0</MicrosoftIdentityAbstractionsVersion>
+    <MicrosoftIdentityAbstractionsVersion>8.1.0</MicrosoftIdentityAbstractionsVersion>
     <!--CVE-2024-43485-->
     <SystemTextJsonVersion>8.0.5</SystemTextJsonVersion>
     <!--CVE-2023-29331-->

src/Microsoft.Identity.Web.Certificate/DefaultCredentialsLoader.Logger.cs

@@ -25,6 +25,20 @@ private static class Logger
 
             public static void CredentialLoadingFailure(ILogger logger, CredentialDescription cd, Exception? ex)
                 => s_credentialLoadingFailure(logger, cd.Id, cd.SourceType.ToString(), cd.Skip, ex);
+
+            private static readonly Action<ILogger, string, string, bool, Exception?> s_customSignedAssertionProviderLoadingFailure =
+                LoggerMessage.Define<string, string, bool>(
+                    LogLevel.Information,
+                    new EventId(
+                        7,
+                        nameof(CustomSignedAssertionProviderLoadingFailure)),
+            "Failed to find custom signed assertion provider {name} from source {sourceType}. Will it be skipped in the future ? {skip}.");
+
+            public static void CustomSignedAssertionProviderLoadingFailure(
+                ILogger logger,
+                CredentialDescription cd,
+                CustomSignedAssertionProviderNotFoundException ex
+                ) => s_customSignedAssertionProviderLoadingFailure(logger, cd.CustomSignedAssertionProviderName ?? "NameMissing", cd.SourceType.ToString(), cd.Skip, ex);
         }
     }
 }

src/Microsoft.Identity.Web.Certificate/DefaultCredentialsLoader.cs

@@ -72,7 +72,11 @@ public async Task LoadCredentialsIfNeededAsync(CredentialDescription credentialD
                 {
                     if (credentialDescription.CachedValue == null)
                     {
-                        if (CredentialSourceLoaders.TryGetValue(credentialDescription.SourceType, out ICredentialSourceLoader? loader))
+                        if (credentialDescription.SourceType == CredentialSource.CustomSignedAssertion)
+                        {
+                            await ProcessCustomSignedAssertionAsync(credentialDescription, parameters);
+                        }
+                        else if (CredentialSourceLoaders.TryGetValue(credentialDescription.SourceType, out ICredentialSourceLoader? loader))
                         {
                             try
                             {

src/Microsoft.Identity.Web.Certificate/DefaultCredentialsLoaderCustomSignedAssertion.cs

@@ -0,0 +1,111 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using System.Globalization;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using Microsoft.Identity.Abstractions;
+
+namespace Microsoft.Identity.Web
+{
+    public partial class DefaultCredentialsLoader : ICredentialsLoader
+    {
+        /// <summary>
+        /// Constructor for DefaultCredentialsLoader when using custom signed assertion provider source loaders.
+        /// </summary>
+        /// <param name="logger"></param>
+        /// <param name="customSignedAssertionProviders">Set of custom signed assertion providers.</param>
+        public DefaultCredentialsLoader(ILogger<DefaultCredentialsLoader>? logger, IEnumerable<ICustomSignedAssertionProvider> customSignedAssertionProviders) : this(logger)
+        {
+            var sourceLoaderDict = new Dictionary<string, ICredentialSourceLoader>();
+
+            foreach (var provider in customSignedAssertionProviders)
+            {
+                sourceLoaderDict.Add(provider.Name ?? provider.GetType().FullName!, provider);
+            }
+
+            CustomSignedAssertionCredentialSourceLoaders = sourceLoaderDict;
+        }
+
+        /// <summary>
+        /// Dictionary of custom signed assertion credential source loaders, by name (fully qualified type name).
+        /// </summary>
+        public IDictionary<string, ICredentialSourceLoader>? CustomSignedAssertionCredentialSourceLoaders { get; }
+
+
+        private async Task ProcessCustomSignedAssertionAsync(CredentialDescription credentialDescription, CredentialSourceLoaderParameters? parameters)
+        {
+            CustomSignedAssertionProviderNotFoundException providerNotFoundException;
+
+            // No source loader(s)
+            if (CustomSignedAssertionCredentialSourceLoaders == null || !CustomSignedAssertionCredentialSourceLoaders.Any())
+            {
+                providerNotFoundException = CustomSignedAssertionProviderNotFoundException.SourceLoadersNullOrEmpty();
+            }
+
+            // No provider name
+            else if (string.IsNullOrEmpty(credentialDescription.CustomSignedAssertionProviderName))
+            {
+                providerNotFoundException = CustomSignedAssertionProviderNotFoundException.ProviderNameNullOrEmpty();
+            }
+
+            // No source loader for provider name
+            else if (!CustomSignedAssertionCredentialSourceLoaders!.TryGetValue(credentialDescription.CustomSignedAssertionProviderName!, out ICredentialSourceLoader? sourceLoader))
+            {
+                providerNotFoundException = CustomSignedAssertionProviderNotFoundException.ProviderNameNotFound(credentialDescription.CustomSignedAssertionProviderName!);
+            }
+
+            // Load the credentials
+            else
+            {
+                await sourceLoader.LoadIfNeededAsync(credentialDescription, parameters);
+                return;
+            }
+
+            Logger.CustomSignedAssertionProviderLoadingFailure(_logger, credentialDescription, providerNotFoundException);
+            throw providerNotFoundException;
+        }
+    }
+
+    internal class CustomSignedAssertionProviderNotFoundException : Exception
+    {
+        private const string NameNullOrEmpty = "The name of the custom signed assertion provider is null or empty.";
+        private const string SourceLoaderNullOrEmpty = "The dictionary of SourceLoaders for custom signed assertion providers is null or empty.";
+        private const string ProviderNotFound = "The custom signed assertion provider with name '{0}' was not found.";
+
+        public CustomSignedAssertionProviderNotFoundException(string message) : base(message)
+        {
+        }
+
+        /// <summary>
+        /// Use when the SourceLoader library has entries, but the given name is not found.
+        /// </summary>
+        /// <param name="name">Name of custom signed assertion provider</param>
+        /// <returns>An instance of this exception with a relevant message</returns>
+        public static CustomSignedAssertionProviderNotFoundException ProviderNameNotFound(string name)
+        {
+            return new CustomSignedAssertionProviderNotFoundException(message: string.Format(CultureInfo.InvariantCulture, ProviderNotFound, name));
+        }
+
+        /// <summary>
+        /// Use when the name of the custom signed assertion provider is null or empty.
+        /// </summary>
+        /// <returns>An instance of this exception with a relevant message</returns>
+        public static CustomSignedAssertionProviderNotFoundException ProviderNameNullOrEmpty()
+        {
+            return new CustomSignedAssertionProviderNotFoundException(NameNullOrEmpty);
+        }
+
+        /// <summary>
+        /// Use when the SourceLoader library is null or empty.
+        /// </summary>
+        /// <returns>An instance of this exception with a relevant message</returns>
+        public static CustomSignedAssertionProviderNotFoundException SourceLoadersNullOrEmpty()
+        {
+            return new CustomSignedAssertionProviderNotFoundException(SourceLoaderNullOrEmpty);
+        }
+    }
+}

src/Microsoft.Identity.Web.Certificate/InternalAPI.Unshipped.txt

@@ -0,0 +1,5 @@
+Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException
+Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.CustomSignedAssertionProviderNotFoundException(string! message) -> void
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.ProviderNameNotFound(string! name) -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.ProviderNameNullOrEmpty() -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.SourceLoadersNullOrEmpty() -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!

src/Microsoft.Identity.Web.Certificate/PublicAPI.Unshipped.txt

@@ -1 +1,3 @@
 #nullable enable
+Microsoft.Identity.Web.DefaultCredentialsLoader.CustomSignedAssertionCredentialSourceLoaders.get -> System.Collections.Generic.IDictionary<string!, Microsoft.Identity.Abstractions.ICredentialSourceLoader!>?
+Microsoft.Identity.Web.DefaultCredentialsLoader.DefaultCredentialsLoader(Microsoft.Extensions.Logging.ILogger<Microsoft.Identity.Web.DefaultCredentialsLoader!>? logger, System.Collections.Generic.IEnumerable<Microsoft.Identity.Abstractions.ICustomSignedAssertionProvider!>! customSignedAssertionProviders) -> void

src/Microsoft.Identity.Web/PublicAPI/net6.0/InternalAPI.Unshipped.txt

@@ -0,0 +1,5 @@
+Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException
+Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.CustomSignedAssertionProviderNotFoundException(string! message) -> void
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.ProviderNameNullOrEmpty() -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.ProviderNameNotFound(string! name) -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.CustomProviderSourceLoaderNullOrEmpty() -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!

src/Microsoft.Identity.Web/PublicAPI/net7.0/InternalAPI.Unshipped.txt

@@ -0,0 +1,5 @@
+Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException
+Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.CustomSignedAssertionProviderNotFoundException(string! message) -> void
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.ProviderNameNullOrEmpty() -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.ProviderNameNotFound(string! name) -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.CustomProviderSourceLoaderNullOrEmpty() -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!

src/Microsoft.Identity.Web/PublicAPI/net8.0/InternalAPI.Unshipped.txt

@@ -0,0 +1,5 @@
+Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException
+Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.CustomSignedAssertionProviderNotFoundException(string! message) -> void
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.ProviderNameNullOrEmpty() -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.ProviderNameNotFound(string! name) -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.CustomProviderSourceLoaderNullOrEmpty() -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!

src/Microsoft.Identity.Web/PublicAPI/net9.0/InternalAPI.Unshipped.txt

@@ -0,0 +1,5 @@
+Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException
+Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.CustomSignedAssertionProviderNotFoundException(string! message) -> void
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.ProviderNameNullOrEmpty() -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.ProviderNameNotFound(string! name) -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.CustomProviderSourceLoaderNullOrEmpty() -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!

tests/Microsoft.Identity.Web.Test/CustomSignedAssertionProviderTests.cs

@@ -0,0 +1,100 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Identity.Abstractions;
+using Xunit;
+
+namespace Microsoft.Identity.Web.Test
+{
+    public class CustomSignedAssertionProviderTests
+    {
+
+        [Theory]
+        [MemberData(nameof(CustomSignedAssertionTestData))]
+        public async Task ProcessCustomSignedAssertionAsync_Tests(DefaultCredentialsLoader loader, CredentialDescription credentialDescription, Exception? expectedException = null)
+        {
+            try
+            {
+                await loader.LoadCredentialsIfNeededAsync(credentialDescription, null);
+            }
+            catch (Exception ex)
+            {
+                Assert.Equal(expectedException?.Message, ex.Message);
+                return;
+            }
+
+            Assert.Null(expectedException);
+        }
+
+        public static IEnumerable<object[]> CustomSignedAssertionTestData()
+        {
+            // No source loaders
+            yield return new object[]
+            {
+                new DefaultCredentialsLoader(NullLogger<DefaultCredentialsLoader>.Instance, new List<ICustomSignedAssertionProvider>()),
+                new CredentialDescription {
+                    CustomSignedAssertionProviderName = "Provider1",
+                    SourceType = CredentialSource.CustomSignedAssertion
+                },
+                CustomSignedAssertionProviderNotFoundException.SourceLoadersNullOrEmpty()
+            };
+
+            // No provider name
+            yield return new object[]
+            {
+                new DefaultCredentialsLoader(NullLogger<DefaultCredentialsLoader>.Instance, new List<ICustomSignedAssertionProvider> { new CustomSignedAssertionProvider("Provider1") }),
+                new CredentialDescription
+                {
+                    CustomSignedAssertionProviderName = null,
+                    SourceType = CredentialSource.CustomSignedAssertion
+                },
+                CustomSignedAssertionProviderNotFoundException.ProviderNameNullOrEmpty()
+            };
+
+            // Provider name not found
+            yield return new object[]
+            {
+                new DefaultCredentialsLoader(NullLogger<DefaultCredentialsLoader>.Instance, new List<ICustomSignedAssertionProvider> { new CustomSignedAssertionProvider("OtherProvider") }),
+                new CredentialDescription
+                {
+                    CustomSignedAssertionProviderName = "Provider2",
+                    SourceType = CredentialSource.CustomSignedAssertion
+                },
+                CustomSignedAssertionProviderNotFoundException.ProviderNameNotFound("Provider2")
+            };
+
+            // Happy path
+            yield return new object[]
+            {
+                new DefaultCredentialsLoader(NullLogger<DefaultCredentialsLoader>.Instance, new List<ICustomSignedAssertionProvider> { new CustomSignedAssertionProvider("Provider3") }),
+                new CredentialDescription
+                {
+                    CustomSignedAssertionProviderName = "Provider3",
+                    SourceType = CredentialSource.CustomSignedAssertion
+                }
+            };
+        }
+
+    }
+
+    public class CustomSignedAssertionProvider : ICustomSignedAssertionProvider
+    {
+        public string Name { get; }
+
+        public CredentialSource CredentialSource => CredentialSource.CustomSignedAssertion;
+
+        public CustomSignedAssertionProvider(string name)
+        {
+            Name = name;
+        }
+
+        public Task LoadIfNeededAsync(CredentialDescription credentialDescription, CredentialSourceLoaderParameters? parameters)
+        {
+            return Task.CompletedTask;
+        }
+    }
+}