

[WAM] Token protection validation with CA Policy (#4056)
* pop token test

* WithProofOfPossession

* check

* InnerException

* more checks

* pop works with SPO

* Invalid resource test

* comments

* name update

---------

Co-authored-by: Gladwin Johnson <gljohns@microsoft.com>
gladjohn and GladwinJohnson committed Apr 6, 2023
1 parent 50c4d51 commit 1d0371f
Showing 1 changed file with 64 additions and 1 deletion.
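--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -256,7 +256,6 @@ public async Task WamAddDefaultScopesWhenNoScopesArePassedAsync(string scopes)
 .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows))
 .Build();
 
-// Act
 // Act
 var ex = await AssertException.TaskThrowsAsync<MsalUiRequiredException>(
 () => pca.AcquireTokenSilent(new string[] { scopes }, PublicClientApplication.OperatingSystemAccount)
@@ -265,6 +264,70 @@ public async Task WamAddDefaultScopesWhenNoScopesArePassedAsync(string scopes)
 
 Assert.IsTrue(!string.IsNullOrEmpty(ex.ErrorCode));
 }
+
+[RunOn(TargetFrameworks.NetStandard | TargetFrameworks.NetCore)]
+public async Task WamUsernamePasswordPopTokenEnforcedWithCaOnValidResourceAsync()
+{
+//Arrange
+var labResponse = await LabUserHelper.GetDefaultUserAsync().ConfigureAwait(false);
+
+string popUser = "popUser@msidlab4.onmicrosoft.com";
+
+string[] scopes = { "https://msidlab4.sharepoint.com/user.read" };
+
+IntPtr intPtr = GetForegroundWindow();
+
+Func<IntPtr> windowHandleProvider = () => intPtr;
+
+IPublicClientApplication pca = PublicClientApplicationBuilder
+.Create(labResponse.App.AppId)
+.WithParentActivityOrWindow(windowHandleProvider)
+.WithAuthority(labResponse.Lab.Authority, "organizations")
+.WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows))
+.Build();
+
+// Acquire token using username password with POP on a valid resource
+// CA policy enforces token issuance to popUser only for SPO
+// https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-token-protection
+var result = await pca.AcquireTokenByUsernamePassword(scopes, popUser, labResponse.User.GetOrFetchPassword())
+.WithProofOfPossession("some_nonce", System.Net.Http.HttpMethod.Get, new Uri(pca.Authority))
+.ExecuteAsync()
+.ConfigureAwait(false);
+
+//Act
+Assert.AreEqual(popUser, result.Account.Username);
+}
+
+[RunOn(TargetFrameworks.NetStandard | TargetFrameworks.NetCore)]
+[ExpectedException(typeof(MsalUiRequiredException))]
+public async Task WamUsernamePasswordPopTokenEnforcedWithCaOnInValidResourceAsync()
+{
+//Arrange
+var labResponse = await LabUserHelper.GetDefaultUserAsync().ConfigureAwait(false);
+
+string popUser = "popUser@msidlab4.onmicrosoft.com";
+
+string[] scopes = { "user.read" };
+
+IntPtr intPtr = GetForegroundWindow();
+
+Func<IntPtr> windowHandleProvider = () => intPtr;
+
+IPublicClientApplication pca = PublicClientApplicationBuilder
+.Create(labResponse.App.AppId)
+.WithParentActivityOrWindow(windowHandleProvider)
+.WithAuthority(labResponse.Lab.Authority, "organizations")
+.WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows))
+.Build();
+
+// Acquire token using username password with POP on a resource not in the CA policy
+// CA policy enforces token issuance to popUser only for SPO this call will fail with UI Required Exception
+// https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-token-protection
+var result = await pca.AcquireTokenByUsernamePassword(scopes, popUser, labResponse.User.GetOrFetchPassword())
+.WithProofOfPossession("some_nonce", System.Net.Http.HttpMethod.Get, new Uri(pca.Authority))
+.ExecuteAsync()
+.ConfigureAwait(false);
+}
 }
 }
 #endif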
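Review bot: The negative test `WamUsernamePasswordPopTokenEnforcedWithCaOnInValidResourceAsync` accepts any `MsalUiRequiredException` through `[ExpectedException]`, so an exception raised for an unrelated reason (during `LabUserHelper.GetDefaultUserAsync`, or an interaction prompt caused by the credentials rather than by the policy) passes the test without showing that Conditional Access refused the non-SPO resource; the file's existing `AssertException.TaskThrowsAsync<MsalUiRequiredException>` pattern a few lines above is stricter and also avoids the unused `result` local. I would drop the attribute and write `var ex = await AssertException.TaskThrowsAsync<MsalUiRequiredException>(() => pca.AcquireTokenByUsernamePassword(scopes, popUser, labResponse.User.GetOrFetchPassword()).WithProofOfPossession("some_nonce", System.Net.Http.HttpMethod.Get, new Uri(pca.Authority)).ExecuteAsync());` followed by `Assert.IsFalse(string.IsNullOrEmpty(ex.ErrorCode));`. In the positive test the only assertion is `Assert.AreEqual(popUser, result.Account.Username)`, which a plain bearer token returned for the same user would also satisfy; adding `Assert.AreEqual("pop", result.TokenType, ignoreCase: true);` would pin the token-protection behaviour the test is named for. Both tests fetch the default lab user but sign in as the hard-coded `popUser` with that default user's password, which presumably relies on the lab accounts sharing a credential — worth a one-line comment on the `string popUser` line if intentional, and the `//Act` label above the assertion reads as `// Assert`.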
