-
Notifications
You must be signed in to change notification settings - Fork 241
Support FIC with AT_POP #3299
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Support FIC with AT_POP #3299
Changes from 4 commits
Commits
Show all changes
10 commits
Select commit
Hold shift + click to select a range
984546a
Send req_cnf for AtPop
aa8e792
Configure AtPop with custom signed assertion
1a723ac
Merge branch 'master' into sruthi/AtPopWithJwk
854d7fb
Use WithAuthenticationExtension
d380e08
Adds AtPopOperationTests
d1b0021
Make Microsoft.Extensions.Http dependency framework friendly (#3296)
ksaaf 3438224
Update to IdentityModel 8.7.0 (#3307)
pmaytak 76a36a0
3.8.1 changelog (#3306)
pmaytak 2d319cb
Update Directory.Build.props (#3305)
trwalke d7e29d3
Update src/Microsoft.Identity.Web.TokenAcquisition/AtPopOperation.cs
sruke File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
42 changes: 42 additions & 0 deletions
42
src/Microsoft.Identity.Web.TokenAcquisition/AtPopOperation.cs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| // Copyright (c) Microsoft Corporation. All rights reserved. | ||
| // Licensed under the MIT License. | ||
|
|
||
| using System.Collections.Generic; | ||
| using Microsoft.Identity.Client.AuthScheme; | ||
| using Microsoft.Identity.Client; | ||
| using Microsoft.IdentityModel.Tokens; | ||
|
|
||
| namespace Microsoft.Identity.Web | ||
| { | ||
| internal class AtPopOperation : IAuthenticationOperation | ||
| { | ||
| private readonly string _reqCnf; | ||
|
|
||
| public AtPopOperation(string keyId, string reqCnf) | ||
| { | ||
| KeyId = keyId; | ||
| _reqCnf = reqCnf; | ||
| } | ||
| public int TelemetryTokenType => 4; // as per TelemetryTokenTypeConstants | ||
sruke marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| public string AuthorizationHeaderPrefix => "Bearer"; // these tokens go over bearer | ||
|
|
||
| public string KeyId { get; } | ||
|
|
||
| public string AccessTokenType => "pop"; // eSTS returns token_type=pop and MSAL needs to know | ||
|
|
||
| public void FormatResult(AuthenticationResult authenticationResult) | ||
| { | ||
| // no-op, adding the SHR is done by the caller | ||
| } | ||
|
|
||
| public IReadOnlyDictionary<string, string> GetTokenRequestParams() | ||
| { | ||
| return new Dictionary<string, string>() | ||
| { | ||
| {"req_cnf", Base64UrlEncoder.Encode(_reqCnf) }, | ||
| {"token_type", "pop" } | ||
| }; | ||
| } | ||
| } | ||
| } | ||
74 changes: 8 additions & 66 deletions
74
src/Microsoft.Identity.Web.TokenAcquisition/MsAuth10AtPop.cs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,85 +1,27 @@ | ||
| // Copyright (c) Microsoft Corporation. All rights reserved. | ||
| // Licensed under the MIT License. | ||
|
|
||
| using System; | ||
| using System.Collections.Generic; | ||
| using System.IdentityModel.Tokens.Jwt; | ||
| using System.Security.Cryptography.X509Certificates; | ||
| using System.Threading.Tasks; | ||
| using Microsoft.Identity.Client; | ||
| using Microsoft.Identity.Client.Extensibility; | ||
| using Microsoft.IdentityModel.JsonWebTokens; | ||
| using Microsoft.IdentityModel.Tokens; | ||
|
|
||
| namespace Microsoft.Identity.Web | ||
| { | ||
| internal static class MsAuth10AtPop | ||
| { | ||
| internal static AcquireTokenForClientParameterBuilder WithAtPop( | ||
| this AcquireTokenForClientParameterBuilder builder, | ||
| X509Certificate2 clientCertificate, | ||
| string popPublicKey, | ||
| string jwkClaim, | ||
| string clientId, | ||
| bool sendX5C) | ||
| string jwkClaim) | ||
| { | ||
| _ = Throws.IfNull(popPublicKey); | ||
| _ = Throws.IfNull(jwkClaim); | ||
| _ = Throws.IfNullOrWhitespace(popPublicKey); | ||
| _ = Throws.IfNullOrWhitespace(jwkClaim); | ||
|
|
||
| builder.WithProofOfPosessionKeyId(popPublicKey); | ||
| builder.OnBeforeTokenRequest((data) => | ||
| { | ||
| string? signedAssertion = GetSignedClientAssertion( | ||
| clientCertificate, | ||
| data.RequestUri.AbsoluteUri, | ||
| jwkClaim, | ||
| clientId, | ||
| sendX5C); | ||
|
|
||
| data.BodyParameters.Remove("client_assertion"); | ||
| data.BodyParameters.Add("request", signedAssertion); | ||
|
|
||
| return Task.CompletedTask; | ||
| }); | ||
|
|
||
| return builder; | ||
| } | ||
|
|
||
| private static string? GetSignedClientAssertion( | ||
| X509Certificate2 certificate, | ||
| string audience, | ||
| string jwkClaim, | ||
| string clientId, | ||
| bool sendX5C) | ||
| { | ||
| // no need to add exp, nbf as JsonWebTokenHandler will add them by default | ||
| var claims = new Dictionary<string, object>() | ||
| { | ||
| { "aud", audience }, | ||
| { "iss", clientId }, | ||
| { "jti", Guid.NewGuid().ToString() }, | ||
| { "sub", clientId }, | ||
| { "pop_jwk", jwkClaim } | ||
| }; | ||
|
|
||
| var signingCredentials = new X509SigningCredentials(certificate); | ||
| var securityTokenDescriptor = new SecurityTokenDescriptor | ||
| { | ||
| Claims = claims, | ||
| SigningCredentials = signingCredentials | ||
| }; | ||
|
|
||
| if (sendX5C) | ||
| AtPopOperation op = new AtPopOperation(popPublicKey, jwkClaim); | ||
| builder.WithAuthenticationExtension(new MsalAuthenticationExtension() | ||
| { | ||
| string x5cValue = Convert.ToBase64String(certificate.GetRawCertData()); | ||
| securityTokenDescriptor.AdditionalHeaderClaims = | ||
| new Dictionary<string, object>() { { "x5c", new List<string> { x5cValue } } }; | ||
| } | ||
sruke marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| JsonWebTokenHandler tokenHandler = new JsonWebTokenHandler(); | ||
| string token = tokenHandler.CreateToken(securityTokenDescriptor); | ||
|
|
||
| return token; | ||
| AuthenticationOperation = op | ||
| }); | ||
| return builder; | ||
| } | ||
| } | ||
| } | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| Microsoft.Identity.Web.AtPopOperation | ||
| Microsoft.Identity.Web.AtPopOperation.AccessTokenType.get -> string! | ||
| Microsoft.Identity.Web.AtPopOperation.AtPopOperation(string! keyId, string! reqCnf) -> void | ||
| Microsoft.Identity.Web.AtPopOperation.AuthorizationHeaderPrefix.get -> string! | ||
| Microsoft.Identity.Web.AtPopOperation.FormatResult(Microsoft.Identity.Client.AuthenticationResult! authenticationResult) -> void | ||
| Microsoft.Identity.Web.AtPopOperation.GetTokenRequestParams() -> System.Collections.Generic.IReadOnlyDictionary<string!, string!>! | ||
| Microsoft.Identity.Web.AtPopOperation.KeyId.get -> string! | ||
| Microsoft.Identity.Web.AtPopOperation.TelemetryTokenType.get -> int | ||
| static Microsoft.Identity.Web.MsAuth10AtPop.WithAtPop(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, string! popPublicKey, string! jwkClaim) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| Microsoft.Identity.Web.AtPopOperation | ||
| Microsoft.Identity.Web.AtPopOperation.AccessTokenType.get -> string! | ||
| Microsoft.Identity.Web.AtPopOperation.AtPopOperation(string! keyId, string! reqCnf) -> void | ||
| Microsoft.Identity.Web.AtPopOperation.AuthorizationHeaderPrefix.get -> string! | ||
| Microsoft.Identity.Web.AtPopOperation.FormatResult(Microsoft.Identity.Client.AuthenticationResult! authenticationResult) -> void | ||
| Microsoft.Identity.Web.AtPopOperation.GetTokenRequestParams() -> System.Collections.Generic.IReadOnlyDictionary<string!, string!>! | ||
| Microsoft.Identity.Web.AtPopOperation.KeyId.get -> string! | ||
| Microsoft.Identity.Web.AtPopOperation.TelemetryTokenType.get -> int | ||
| static Microsoft.Identity.Web.MsAuth10AtPop.WithAtPop(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, string! popPublicKey, string! jwkClaim) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| Microsoft.Identity.Web.AtPopOperation | ||
| Microsoft.Identity.Web.AtPopOperation.AccessTokenType.get -> string! | ||
| Microsoft.Identity.Web.AtPopOperation.AtPopOperation(string! keyId, string! reqCnf) -> void | ||
| Microsoft.Identity.Web.AtPopOperation.AuthorizationHeaderPrefix.get -> string! | ||
| Microsoft.Identity.Web.AtPopOperation.FormatResult(Microsoft.Identity.Client.AuthenticationResult! authenticationResult) -> void | ||
| Microsoft.Identity.Web.AtPopOperation.GetTokenRequestParams() -> System.Collections.Generic.IReadOnlyDictionary<string!, string!>! | ||
| Microsoft.Identity.Web.AtPopOperation.KeyId.get -> string! | ||
| Microsoft.Identity.Web.AtPopOperation.TelemetryTokenType.get -> int | ||
| static Microsoft.Identity.Web.MsAuth10AtPop.WithAtPop(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, string! popPublicKey, string! jwkClaim) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| Microsoft.Identity.Web.AtPopOperation | ||
| Microsoft.Identity.Web.AtPopOperation.AccessTokenType.get -> string! | ||
| Microsoft.Identity.Web.AtPopOperation.AtPopOperation(string! keyId, string! reqCnf) -> void | ||
| Microsoft.Identity.Web.AtPopOperation.AuthorizationHeaderPrefix.get -> string! | ||
| Microsoft.Identity.Web.AtPopOperation.FormatResult(Microsoft.Identity.Client.AuthenticationResult! authenticationResult) -> void | ||
| Microsoft.Identity.Web.AtPopOperation.GetTokenRequestParams() -> System.Collections.Generic.IReadOnlyDictionary<string!, string!>! | ||
| Microsoft.Identity.Web.AtPopOperation.KeyId.get -> string! | ||
| Microsoft.Identity.Web.AtPopOperation.TelemetryTokenType.get -> int | ||
| static Microsoft.Identity.Web.MsAuth10AtPop.WithAtPop(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, string! popPublicKey, string! jwkClaim) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| Microsoft.Identity.Web.AtPopOperation | ||
| Microsoft.Identity.Web.AtPopOperation.AccessTokenType.get -> string! | ||
| Microsoft.Identity.Web.AtPopOperation.AtPopOperation(string! keyId, string! reqCnf) -> void | ||
| Microsoft.Identity.Web.AtPopOperation.AuthorizationHeaderPrefix.get -> string! | ||
| Microsoft.Identity.Web.AtPopOperation.FormatResult(Microsoft.Identity.Client.AuthenticationResult! authenticationResult) -> void | ||
| Microsoft.Identity.Web.AtPopOperation.GetTokenRequestParams() -> System.Collections.Generic.IReadOnlyDictionary<string!, string!>! | ||
| Microsoft.Identity.Web.AtPopOperation.KeyId.get -> string! | ||
| Microsoft.Identity.Web.AtPopOperation.TelemetryTokenType.get -> int | ||
| static Microsoft.Identity.Web.MsAuth10AtPop.WithAtPop(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, string! popPublicKey, string! jwkClaim) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| Microsoft.Identity.Web.AtPopOperation | ||
| Microsoft.Identity.Web.AtPopOperation.AccessTokenType.get -> string! | ||
| Microsoft.Identity.Web.AtPopOperation.AtPopOperation(string! keyId, string! reqCnf) -> void | ||
| Microsoft.Identity.Web.AtPopOperation.AuthorizationHeaderPrefix.get -> string! | ||
| Microsoft.Identity.Web.AtPopOperation.FormatResult(Microsoft.Identity.Client.AuthenticationResult! authenticationResult) -> void | ||
| Microsoft.Identity.Web.AtPopOperation.GetTokenRequestParams() -> System.Collections.Generic.IReadOnlyDictionary<string!, string!>! | ||
| Microsoft.Identity.Web.AtPopOperation.KeyId.get -> string! | ||
| Microsoft.Identity.Web.AtPopOperation.TelemetryTokenType.get -> int | ||
| static Microsoft.Identity.Web.MsAuth10AtPop.WithAtPop(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, string! popPublicKey, string! jwkClaim) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| Microsoft.Identity.Web.AtPopOperation | ||
| Microsoft.Identity.Web.AtPopOperation.AccessTokenType.get -> string! | ||
| Microsoft.Identity.Web.AtPopOperation.AtPopOperation(string! keyId, string! reqCnf) -> void | ||
| Microsoft.Identity.Web.AtPopOperation.AuthorizationHeaderPrefix.get -> string! | ||
| Microsoft.Identity.Web.AtPopOperation.FormatResult(Microsoft.Identity.Client.AuthenticationResult! authenticationResult) -> void | ||
| Microsoft.Identity.Web.AtPopOperation.GetTokenRequestParams() -> System.Collections.Generic.IReadOnlyDictionary<string!, string!>! | ||
| Microsoft.Identity.Web.AtPopOperation.KeyId.get -> string! | ||
| Microsoft.Identity.Web.AtPopOperation.TelemetryTokenType.get -> int | ||
| static Microsoft.Identity.Web.MsAuth10AtPop.WithAtPop(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, string! popPublicKey, string! jwkClaim) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.