Pop updated #2105
Pop updated #2105
Conversation
Exposing ICrypto provider to allow users to pass in their own
adding pop config object refactoring iCryptoProvider
Adding config object to pop api refactoring
src/client/Microsoft.Identity.Client/AuthScheme/PoP/PoPAuthenticationScheme.cs
Outdated
Show resolved
Hide resolved
| /// <item>MSAL creates, reads and stores a key in memory that will be cycled every 8 hours.</item> | ||
| /// </list> | ||
| /// </remarks> | ||
| public T WithProofOfPosession(PopAuthenticationConfiguration popAuthenticationConfiguration) |
There was a problem hiding this comment.
IMO this should be the only POP method. Let's delete the old one.
There was a problem hiding this comment.
that's a breaking change?
would we do that because it's an experimental feature?
There was a problem hiding this comment.
Yes, experimental features can introduce breaking changes at any time.
Refactoring.
src/client/Microsoft.Identity.Client/ApiConfig/AbstractAcquireTokenParameterBuilder.cs
Outdated
Show resolved
Hide resolved
src/client/Microsoft.Identity.Client/ApiConfig/AbstractAcquireTokenParameterBuilder.cs
Outdated
Show resolved
Hide resolved
src/client/Microsoft.Identity.Client/ApiConfig/AbstractAcquireTokenParameterBuilder.cs
Outdated
Show resolved
Hide resolved
src/client/Microsoft.Identity.Client/ApiConfig/AbstractAcquireTokenParameterBuilder.cs
Outdated
Show resolved
Hide resolved
src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenCommonParameters.cs
Outdated
Show resolved
Hide resolved
src/client/Microsoft.Identity.Client/AppConfig/PopAuthenticationConfiguration.cs
Outdated
Show resolved
Hide resolved
src/client/Microsoft.Identity.Client/AppConfig/PopAuthenticationConfiguration.cs
Outdated
Show resolved
Hide resolved
src/client/Microsoft.Identity.Client/AppConfig/PopAuthenticationConfiguration.cs
Show resolved
Hide resolved
| /// <summary> | ||
| /// This will be populated with the POP authentication header. | ||
| /// </summary> | ||
| public AuthenticationHeaderValue PopAuthenticationRequestHeader {get; private set;} |
There was a problem hiding this comment.
I'm not sure what this is. If you're not sure either, delete it :)
There was a problem hiding this comment.
We used to populate the user provided HTTP Request headers with the authentication headers calculated form the key. Im assuming this is no longer needed?
This value was already being used for tests.
There was a problem hiding this comment.
It doesn't really make that much sense since this is a config option, but developers cannot set this property.
The way consumers are supposed to retrieve the pop token is via AuthenticationResult. We can provide more covenient mechasism upon demand.
There was a problem hiding this comment.
var r2 = await confidentialApp.AcquireTokenForClient(s_keyvaultScope)
.WithProofOfPosession(popConfig)
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
src/client/Microsoft.Identity.Client/AppConfig/PopAuthenticationConfiguration.cs
Outdated
Show resolved
Hide resolved
src/client/Microsoft.Identity.Client/ApiConfig/AbstractAcquireTokenParameterBuilder.cs
Outdated
Show resolved
Hide resolved
src/client/Microsoft.Identity.Client/AuthScheme/PoP/PoPAuthenticationScheme.cs
Outdated
Show resolved
Hide resolved
src/client/Microsoft.Identity.Client/AppConfig/PopAuthenticationConfiguration.cs
Outdated
Show resolved
Hide resolved
src/client/Microsoft.Identity.Client/AuthScheme/PoP/PoPAuthenticationScheme.cs
Outdated
Show resolved
Hide resolved
src/client/Microsoft.Identity.Client/AuthScheme/PoP/PoPAuthenticationScheme.cs
Show resolved
Hide resolved
...s/Microsoft.Identity.Test.Integration.net47/Microsoft.Identity.Test.Integration.net47.csproj
Outdated
Show resolved
Hide resolved
tests/Microsoft.Identity.Test.Integration.net47/PoPCryptoProviderTests.cs
Outdated
Show resolved
Hide resolved
tests/Microsoft.Identity.Test.Integration.net47/PoPCryptoProviderTests.cs
Outdated
Show resolved
Hide resolved
tests/Microsoft.Identity.Test.Integration.net47/PoPCryptoProviderTests.cs
Outdated
Show resolved
Hide resolved
src/client/Microsoft.Identity.Client/AuthScheme/PoP/PoPAuthenticationScheme.cs
Outdated
Show resolved
Hide resolved
| /// A provider that can handle the asymmetric key operations needed by POP, that encapsulates a pair of public and private keys | ||
| /// and some typical crypto operations | ||
| /// </summary> | ||
| public IPoPCryptoProvider PopCryptoProvider { get; set; } |
There was a problem hiding this comment.
I wonder if we should actually put this crypto provider at the Application level instead of the Request level ? This way we can cache things like Thumbprint.
I suggest that for now we go with this and we discuss this in the API Review.
With the current implementation, we have to compute the thumbprint of the JWK at every request. If we moved the PoPAuthenticationScheme at app level, we'd compute it less often...
There was a problem hiding this comment.
@bgavrilMS: Could there be that there is a need for a PopAuthenticationScheme per resource? or per endpoint?
Refactoring.
src/client/Microsoft.Identity.Client/AppConfig/PopAuthenticationConfiguration.cs
Outdated
Show resolved
Hide resolved
| @@ -19,9 +20,7 @@ namespace Microsoft.Identity.Client.AuthScheme.PoP | |||
| internal class PoPAuthenticationScheme : IAuthenticationScheme | |||
There was a problem hiding this comment.
nit: some places it' has PoP and some have Pop. maybe go with Pop?
src/client/Microsoft.Identity.Client/ApiConfig/AbstractAcquireTokenParameterBuilder.cs
Outdated
Show resolved
Hide resolved
| /// <item>MSAL creates, reads and stores a key in memory that will be cycled every 8 hours.</item> | ||
| /// </list> | ||
| /// </remarks> | ||
| public T WithProofOfPosession(PopAuthenticationConfiguration popAuthenticationConfiguration) |
There was a problem hiding this comment.
that's a breaking change?
would we do that because it's an experimental feature?
| @@ -822,6 +822,11 @@ public static class MsalError | |||
| /// </summary> | |||
| public const string CryptoNet45 = "crypto_net45"; | |||
|
|
|||
| /// <summary> | |||
| /// Proof of posession authentication attempt is missing a an endpoint to bing to. | |||
There was a problem hiding this comment.
| /// Proof of posession authentication attempt is missing a an endpoint to bing to. | |
| /// Proof of posession authentication attempt is missing an endpoint to bind to. |
Refactoring
| @@ -11,6 +11,7 @@ internal class JsonWebTokenConstants | |||
| internal class Algorithms | |||
| { | |||
| public const string RsaSha256 = "RS256"; | |||
| public const string EdcSha256 = "ES256"; | |||
There was a problem hiding this comment.
This is what I was referring to. Elliptic curve can be ES256/ES384/ES512 etc. This value will need to be updated based on the conical JWK created by the elliptic curve keys.
There was a problem hiding this comment.
How does this relate to the list of algorithms in https://docs.microsoft.com/en-us/azure/key-vault/keys/about-keys#signverify and https://docs.microsoft.com/en-us/azure/key-vault/keys/about-keys#signverify1 ?
| //Need to update header to signal EC key is being used | ||
| if (JWK[JsonWebKeyParameterNames.Kty].ToString() == JsonWebKeyParameterNames.EC) | ||
| { | ||
| return JsonWebTokenConstants.Algorithms.EdcSha256; |
There was a problem hiding this comment.
Need to add support for other elliptic curve key sizes here. currently only 256 is supported.
@bgavrilMS
There was a problem hiding this comment.
src/client/Microsoft.Identity.Client/AppConfig/PopAuthenticationConfiguration.cs
Outdated
Show resolved
Hide resolved
| /// A provider that can handle the asymmetric key operations needed by POP, that encapsulates a pair of public and private keys | ||
| /// and some typical crypto operations | ||
| /// </summary> | ||
| public IPoPCryptoProvider PopCryptoProvider { get; set; } |
There was a problem hiding this comment.
@bgavrilMS: Could there be that there is a need for a PopAuthenticationScheme per resource? or per endpoint?
src/client/Microsoft.Identity.Client/AppConfig/PopAuthenticationConfiguration.cs
Outdated
Show resolved
Hide resolved
src/client/Microsoft.Identity.Client/AuthScheme/PoP/IPoPCryptoProvider.cs
Show resolved
Hide resolved
| /// See https://docs.microsoft.com/en-us/azure/key-vault/keys/about-keys#signverify for ECD | ||
| /// See https://docs.microsoft.com/en-us/azure/key-vault/keys/about-keys#signverify-1 for RSA | ||
| /// </summary> | ||
| string CryptographicAlgorithm { get; } |
There was a problem hiding this comment.
Are symmetric key algorithm supported? if not, do we want to mention it?
| @@ -11,6 +11,7 @@ internal class JsonWebTokenConstants | |||
| internal class Algorithms | |||
| { | |||
| public const string RsaSha256 = "RS256"; | |||
| public const string EdcSha256 = "ES256"; | |||
There was a problem hiding this comment.
How does this relate to the list of algorithms in https://docs.microsoft.com/en-us/azure/key-vault/keys/about-keys#signverify and https://docs.microsoft.com/en-us/azure/key-vault/keys/about-keys#signverify1 ?
# Conflicts: # tests/Microsoft.Identity.Test.Common/Core/Helpers/ECDCertificatePopCryptoProvider.cs # tests/Microsoft.Identity.Test.Common/Core/Helpers/RSACertificatePopCryptoProvider.cs # tests/Microsoft.Identity.Test.Integration/Microsoft.Identity.Test.Integration.csproj # tests/Microsoft.Identity.Test.Unit/ExceptionTests/ExperimentalFeatureTests.cs
Refactoring
…onConfiguration.cs Co-authored-by: Jean-Marc Prieur <jmprieur@microsoft.com>
Updates for #2013