-
Notifications
You must be signed in to change notification settings - Fork 386
SignedHttpRequest aka PoP (Proof of Possession)
Proof-of-Possession (PoP) provides a mechanism to bind (sender-constrain) access_tokens at the application layer. PoP provides mitigation as access_token are only accepted inside a signed envelope. An access_token obtained by an attacker can only be used if the attacker has also obtained the private key associated with the access_token.
A SignedHttpRequest provides a mechanism to bind an http request to a (PoP) token by signing specific parts of the request.
Proof-of-Possession (PoP) represents a concept that can be implemented in many different ways. This implementation of PoP is based on the SignedHttpRequest spec and it's named SignedHttpRequest to make a clear distinction between other existing and future PoP implementations.
SignedHttpRequest was released as another IdentityModel assembly (Microsoft.IdentityModel.Protocols.SignedHttpRequest) and started appearing with IdentityModel 6+ releases.
The following sample shows how to use SignedHttpRequest in an ASP.NET Core Web API: 4.-Console-app-calls-web-API-with-PoP
If features a .NET Console application (using MSAL.NET to acquire a Pop token) calling an ASP.NET Core protected Web API using SignedHttpRequest to validate the Pop token. The code of interest is under SignedHttpRequest, in particular in SignedHttpRequestAuthenticationHandler.cs
N/A
Conceptual Documentation
- Using TokenValidationParameters.ValidateIssuerSigningKey
- Scenarios
- Validating tokens
- Outbound policy claim type mapping
- How ASP.NET Core uses Microsoft.IdentityModel extensions for .NET
- Using a custom CryptoProvider
- SignedHttpRequest aka PoP (Proof-of-Possession)
- Creating and Validating JWEs (Json Web Encryptions)
- Caching in Microsoft.IdentityModel
- Resiliency on metadata refresh
- Use KeyVault extensions