Bound RT #2 - Request Bound Refresh Token (#3505)

* Add KeyManager class * Add STK JWK to BaseAuthRequest * Add STK generation logic to common and browser * Update PublicClientApplication tests to mock out STK generation from Auth Code requests * Undo msal-node-samples changes * Move generateCnf from PopTokenGenerator to KeyManager * Refactor crypto key generation to use different key generation algorithm options for AT and RT PoP * Add missing API from Crypto Interface to msal-node * Fix linter issues * Add rtPop msal-browser sample * Add stk_jwk to /authorize call in AuthorizationCodeClient to initiate bound rt flow * Add STK JWK to /token request to obtain bound rt response * Add stkJwk to AuthorizationCodeClient tests * Update mock crypto interface in tests * Fix merge conflicts * Cleanup tests * Refactor Cryptographic constants out of BrowserConstants and CryptoOps * Fix generatePublicKeyThumbprint stubs and expected values on tests * Fix tests after merge * Add feature flag to make RT Binding opt-in * Add error handling to STK generation step * Refactor crypto enum names * Add error handling for crypto key generation * Put KeyManager instance in BaseClient instead of AuthCode and Refresh Clients * Fix import in BaseClient * Extend KeyManager tests * Increase test coverage * Update lib/msal-browser/src/utils/CryptoConstants.ts * Fix merge conflicts * Add boundRT sample * Undo unnecessary method position change * Add initial e2e tests for RT PoP * Revert to headless false for boundRT e2e test * Update lib/msal-common/test/client/RefreshTokenClient.spec.ts Co-authored-by: Thomas Norling <thomas.l.norling@gmail.com> * Fix incorrect typing and checks for private key on getPublicKeyThumbprint * Refactor cryptographic constants to have more consistent casing * Fix CryptoOps tests around getPublicKeyThumbprint * Move refreshTokenBinding feature flag to system config * Update browser client config to move refreshTokenBinding flag to system config * Rename KeyManager to CryptoKeyManager for more specificity * Update BrowserAuthError to remove keyId from error message and avoid Pii * Update lib/msal-browser/src/config/Configuration.ts * Update sample and fix merge bugs * Remove CryptoKeyManager class Co-authored-by: Thomas Norling <thomas.l.norling@gmail.com>
AzureAD · Feb 2, 2022 · 160bacb · 160bacb
1 parent a7ec0b8
commit 160bacb
Show file tree

Hide file tree

Showing 13 changed files with 531 additions and 23 deletions.
diff --git a/lib/msal-browser/test/utils/StringConstants.ts b/lib/msal-browser/test/utils/StringConstants.ts
@@ -243,7 +243,7 @@ export const ALTERNATE_OPENID_CONFIG_RESPONSE = {
     }
 };
 
-export const testNavUrl = `https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=${encodeURIComponent(`${TEST_CONFIG.MSAL_CLIENT_ID}`)}&scope=user.read%20openid%20profile%20offline_access&redirect_uri=https%3A%2F%2Flocalhost%3A8081%2Findex.html&client-request-id=${encodeURIComponent(`${RANDOM_TEST_GUID}`)}&response_mode=fragment&response_type=code&x-client-SKU=msal.js.browser&x-client-VER=${version}&x-client-OS=&x-client-CPU=&client_info=1&code_challenge=JsjesZmxJwehdhNY9kvyr0QOeSMEvryY_EHZo3BKrqg&code_challenge_method=S256&nonce=${encodeURIComponent(`${RANDOM_TEST_GUID}`)}&state=${encodeURIComponent(`${TEST_STATE_VALUES.TEST_STATE_REDIRECT}`)}`;
+export const testNavUrl = `https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=${encodeURIComponent(`${TEST_CONFIG.MSAL_CLIENT_ID}`)}&scope=user.read%20openid%20profile%20offline_access&redirect_uri=https%3A%2F%2Flocalhost%3A8081%2Findex.html&client-request-id=${encodeURIComponent(`${RANDOM_TEST_GUID}`)}&response_mode=fragment&response_type=code&x-client-SKU=msal.js.browser&x-client-VER=${version}&x-client-OS=&x-client-CPU=&client_info=1&code_challenge=JsjesZmxJwehdhNY9kvyr0QOeSMEvryY_EHZo3BKrqg&code_challenge_method=S256&nonce=${encodeURIComponent(`${RANDOM_TEST_GUID}`)}&state=${encodeURIComponent(`${TEST_STATE_VALUES.TEST_STATE_REDIRECT}`)}&stk_jwk=${TEST_POP_VALUES.ENCODED_STK_JWK_THUMBPRINT}`;
 
 export const testNavUrlNoRequest = `https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=${encodeURIComponent(`${TEST_CONFIG.MSAL_CLIENT_ID}`)}&scope=openid%20profile%20offline_access&redirect_uri=https%3A%2F%2Flocalhost%3A8081%2Findex.html&client-request-id=${encodeURIComponent(`${RANDOM_TEST_GUID}`)}&response_mode=fragment&response_type=code&x-client-SKU=msal.js.browser&x-client-VER=${version}&x-client-OS=&x-client-CPU=&client_info=1&code_challenge=JsjesZmxJwehdhNY9kvyr0QOeSMEvryY_EHZo3BKrqg&code_challenge_method=S256&nonce=${encodeURIComponent(`${RANDOM_TEST_GUID}`)}&state=`;
 

diff --git a/lib/msal-common/src/client/AuthorizationCodeClient.ts b/lib/msal-common/src/client/AuthorizationCodeClient.ts
@@ -245,6 +245,11 @@ export class AuthorizationCodeClient extends BaseClient {
             }
         }
 
+        if (request.stkJwk) {
+            const stkJwk = await this.popTokenGenerator.retrieveAsymmetricPublicKey(request.stkJwk);
+            parameterBuilder.addStkJwk(stkJwk);
+        }
+
         const correlationId = request.correlationId || this.config.cryptoInterface.createNewGuid();
         parameterBuilder.addCorrelationId(correlationId);
 
@@ -401,6 +406,10 @@ export class AuthorizationCodeClient extends BaseClient {
             parameterBuilder.addExtraQueryParameters(request.extraQueryParameters);
         }
 
+        if (request.stkJwk) {
+            parameterBuilder.addStkJwkThumbprint(request.stkJwk);
+        }
+
         return parameterBuilder.createQueryString();
     }
 

diff --git a/lib/msal-common/src/crypto/PopTokenGenerator.ts b/lib/msal-common/src/crypto/PopTokenGenerator.ts
@@ -18,11 +18,15 @@ import { ClientAuthError } from "../error/ClientAuthError";
  *      - sw: software storage
  *      - uhw: hardware storage
  */
-type ReqCnf = {
+export type ReqCnf = {
     kid: string;
     xms_ksl: KeyLocation;
 };
 
+export type StkJwkThumbprint = {
+    kid: string;
+};
+
 enum KeyLocation {
     SoftwareStorage = "sw",
     HardwareStorage = "uhw"

diff --git a/lib/msal-common/src/request/RequestParameterBuilder.ts b/lib/msal-common/src/request/RequestParameterBuilder.ts
@@ -12,6 +12,7 @@ import { LibraryInfo } from "../config/ClientConfiguration";
 import { StringUtils } from "../utils/StringUtils";
 import { ServerTelemetryManager } from "../telemetry/server/ServerTelemetryManager";
 import { ClientInfo } from "../account/ClientInfo";
+import { StkJwkThumbprint } from "../crypto/PopTokenGenerator";
 
 export class RequestParameterBuilder {
 
@@ -383,6 +384,30 @@ export class RequestParameterBuilder {
         this.parameters.set(AADServerParamKeys.X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
     }
 
+    /**
+     * Add stk_jwk thumbprint to query params
+     * @param stkJwkKid
+     */
+    addStkJwkThumbprint(stkJwkKid: string): void {
+        if(!StringUtils.isEmpty(stkJwkKid)) {
+            const stkJwkThumbprint: StkJwkThumbprint = {
+                kid: stkJwkKid
+            };
+
+            this.parameters.set(AADServerParamKeys.STK_JWK, encodeURIComponent(JSON.stringify(stkJwkThumbprint)));
+        }
+    }
+
+    /**
+     * Add stk_jwk public key to query params
+     * @param stkJwk
+     */
+    addStkJwk(stkJwk: string): void {
+        if(!StringUtils.isEmpty(stkJwk)) {
+            this.parameters.set(AADServerParamKeys.STK_JWK, encodeURIComponent(stkJwk));
+        }
+    }
+
     /**
      * Utility to create a URL from the params map
      */

diff --git a/lib/msal-common/src/utils/Constants.ts b/lib/msal-common/src/utils/Constants.ts
@@ -132,6 +132,7 @@ export enum AADServerParamKeys {
     CLIENT_ASSERTION_TYPE = "client_assertion_type",
     TOKEN_TYPE = "token_type",
     REQ_CNF = "req_cnf",
+    STK_JWK = "stk_jwk",
     OBO_ASSERTION = "assertion",
     REQUESTED_TOKEN_USE = "requested_token_use",
     ON_BEHALF_OF = "on_behalf_of",

diff --git a/lib/msal-common/test/client/AuthorizationCodeClient.spec.ts b/lib/msal-common/test/client/AuthorizationCodeClient.spec.ts
@@ -63,7 +63,8 @@ describe("AuthorizationCodeClient unit tests", () => {
                 codeChallenge: TEST_CONFIG.TEST_CHALLENGE,
                 codeChallengeMethod: Constants.S256_CODE_CHALLENGE_METHOD,
                 correlationId: RANDOM_TEST_GUID,
-                authenticationScheme: AuthenticationScheme.BEARER
+                authenticationScheme: AuthenticationScheme.BEARER,
+                stkJwk: TEST_POP_VALUES.KID
             };
             const loginUrl = await client.getAuthCodeUrl(authCodeUrlRequest);
             expect(loginUrl.includes(Constants.DEFAULT_AUTHORITY)).toBe(true);
@@ -75,6 +76,7 @@ describe("AuthorizationCodeClient unit tests", () => {
             expect(loginUrl.includes(`${AADServerParamKeys.RESPONSE_MODE}=${encodeURIComponent(ResponseMode.QUERY)}`)).toBe(true);
             expect(loginUrl.includes(`${AADServerParamKeys.CODE_CHALLENGE}=${encodeURIComponent(TEST_CONFIG.TEST_CHALLENGE)}`)).toBe(true);
             expect(loginUrl.includes(`${AADServerParamKeys.CODE_CHALLENGE_METHOD}=${encodeURIComponent(Constants.S256_CODE_CHALLENGE_METHOD)}`)).toBe(true);
+            expect(loginUrl.includes(`${AADServerParamKeys.STK_JWK}=${encodeURIComponent(TEST_POP_VALUES.DECODED_STK_JWK_THUMBPRINT)}`)).toBe(true);
         });
 
         it("Creates an authorization url passing in optional parameters", async () => {
@@ -98,7 +100,8 @@ describe("AuthorizationCodeClient unit tests", () => {
                 claims: TEST_CONFIG.CLAIMS,
                 nonce: TEST_CONFIG.NONCE,
                 correlationId: RANDOM_TEST_GUID,
-                authenticationScheme: AuthenticationScheme.BEARER
+                authenticationScheme: AuthenticationScheme.BEARER,
+                stkJwk: TEST_POP_VALUES.KID
             };
             const loginUrl = await client.getAuthCodeUrl(authCodeUrlRequest);
             expect(loginUrl.includes(TEST_CONFIG.validAuthority)).toBe(true);
@@ -116,6 +119,7 @@ describe("AuthorizationCodeClient unit tests", () => {
             expect(loginUrl.includes(`${SSOTypes.LOGIN_HINT}=${encodeURIComponent(TEST_CONFIG.LOGIN_HINT)}`)).toBe(true);
             expect(loginUrl.includes(`${SSOTypes.DOMAIN_HINT}=${encodeURIComponent(TEST_CONFIG.DOMAIN_HINT)}`)).toBe(true);
             expect(loginUrl.includes(`${AADServerParamKeys.CLAIMS}=${encodeURIComponent(TEST_CONFIG.CLAIMS)}`)).toBe(true);
+            expect(loginUrl.includes(`${AADServerParamKeys.STK_JWK}=${encodeURIComponent(TEST_POP_VALUES.DECODED_STK_JWK_THUMBPRINT)}`)).toBe(true);
         });
 
         it("Adds CCS entry if loginHint is provided", async () => {
@@ -193,7 +197,8 @@ describe("AuthorizationCodeClient unit tests", () => {
                 correlationId: RANDOM_TEST_GUID,
                 authenticationScheme: AuthenticationScheme.BEARER,
                 authority: TEST_CONFIG.validAuthority,
-                responseMode: ResponseMode.FRAGMENT
+                responseMode: ResponseMode.FRAGMENT,
+                stkJwk: TEST_POP_VALUES.KID
             };
             const loginUrl = await client.getAuthCodeUrl(authCodeUrlRequest);
             expect(loginUrl).toEqual(expect.not.arrayContaining([`${SSOTypes.LOGIN_HINT}=`]));
@@ -216,7 +221,8 @@ describe("AuthorizationCodeClient unit tests", () => {
                 correlationId: RANDOM_TEST_GUID,
                 authenticationScheme: AuthenticationScheme.BEARER,
                 authority: TEST_CONFIG.validAuthority,
-                responseMode: ResponseMode.FRAGMENT
+                responseMode: ResponseMode.FRAGMENT,
+                stkJwk: TEST_POP_VALUES.KID
             };
             const loginUrl = await client.getAuthCodeUrl(authCodeUrlRequest);
             expect(loginUrl.includes(`${SSOTypes.LOGIN_HINT}=${encodeURIComponent(TEST_CONFIG.LOGIN_HINT)}`)).toBe(true);
@@ -238,7 +244,8 @@ describe("AuthorizationCodeClient unit tests", () => {
                 correlationId: RANDOM_TEST_GUID,
                 authenticationScheme: AuthenticationScheme.BEARER,
                 authority: TEST_CONFIG.validAuthority,
-                responseMode: ResponseMode.FRAGMENT
+                responseMode: ResponseMode.FRAGMENT,
+                stkJwk: TEST_POP_VALUES.KID
             };
             const loginUrl = await client.getAuthCodeUrl(authCodeUrlRequest);
             expect(loginUrl.includes(`${SSOTypes.LOGIN_HINT}=`)).toBe(false);
@@ -260,7 +267,8 @@ describe("AuthorizationCodeClient unit tests", () => {
                 correlationId: RANDOM_TEST_GUID,
                 authenticationScheme: AuthenticationScheme.BEARER,
                 authority: TEST_CONFIG.validAuthority,
-                responseMode: ResponseMode.FRAGMENT
+                responseMode: ResponseMode.FRAGMENT,
+                stkJwk: TEST_POP_VALUES.KID
             };
             const loginUrl = await client.getAuthCodeUrl(authCodeUrlRequest);
             expect(loginUrl.includes(`${SSOTypes.LOGIN_HINT}=${encodeURIComponent(TEST_CONFIG.LOGIN_HINT)}`)).toBe(true);
@@ -299,7 +307,8 @@ describe("AuthorizationCodeClient unit tests", () => {
                 correlationId: RANDOM_TEST_GUID,
                 authenticationScheme: AuthenticationScheme.BEARER,
                 authority: TEST_CONFIG.validAuthority,
-                responseMode: ResponseMode.FRAGMENT
+                responseMode: ResponseMode.FRAGMENT,
+                stkJwk: TEST_POP_VALUES.KID
             };
             const loginUrl = await client.getAuthCodeUrl(authCodeUrlRequest);
             expect(loginUrl.includes(`${SSOTypes.SID}=${encodeURIComponent(testTokenClaims.sid)}`)).toBe(true);
@@ -336,7 +345,8 @@ describe("AuthorizationCodeClient unit tests", () => {
                 correlationId: RANDOM_TEST_GUID,
                 authenticationScheme: AuthenticationScheme.BEARER,
                 authority: TEST_CONFIG.validAuthority,
-                responseMode: ResponseMode.FRAGMENT
+                responseMode: ResponseMode.FRAGMENT,
+                stkJwk: TEST_POP_VALUES.KID
             };
             const loginUrl = await client.getAuthCodeUrl(authCodeUrlRequest);
             expect(loginUrl.includes(`${SSOTypes.SID}=`)).toBe(false);
@@ -371,7 +381,8 @@ describe("AuthorizationCodeClient unit tests", () => {
                 correlationId: RANDOM_TEST_GUID,
                 authenticationScheme: AuthenticationScheme.BEARER,
                 authority: TEST_CONFIG.validAuthority,
-                responseMode: ResponseMode.FRAGMENT
+                responseMode: ResponseMode.FRAGMENT,
+                stkJwk: TEST_POP_VALUES.KID
             };
             const loginUrl = await client.getAuthCodeUrl(authCodeUrlRequest);
             expect(loginUrl.includes(`${SSOTypes.LOGIN_HINT}=${encodeURIComponent(TEST_CONFIG.LOGIN_HINT)}`)).toBe(true);
@@ -392,7 +403,8 @@ describe("AuthorizationCodeClient unit tests", () => {
                 correlationId: RANDOM_TEST_GUID,
                 authenticationScheme: AuthenticationScheme.BEARER,
                 authority: TEST_CONFIG.validAuthority,
-                responseMode: ResponseMode.FRAGMENT
+                responseMode: ResponseMode.FRAGMENT,
+                stkJwk: TEST_POP_VALUES.KID
             };
             const loginUrl = await client.getAuthCodeUrl(authCodeUrlRequest);
             expect(loginUrl.includes(`${SSOTypes.LOGIN_HINT}=${encodeURIComponent(TEST_ACCOUNT_INFO.username)}`)).toBe(true);
@@ -415,7 +427,8 @@ describe("AuthorizationCodeClient unit tests", () => {
                 correlationId: RANDOM_TEST_GUID,
                 authenticationScheme: AuthenticationScheme.BEARER,
                 authority: TEST_CONFIG.validAuthority,
-                responseMode: ResponseMode.FRAGMENT
+                responseMode: ResponseMode.FRAGMENT,
+                stkJwk: TEST_POP_VALUES.KID
             };
             const loginUrl = await client.getAuthCodeUrl(authCodeUrlRequest);
             expect(loginUrl.includes(`${SSOTypes.LOGIN_HINT}=`)).toBe(false);
@@ -437,7 +450,8 @@ describe("AuthorizationCodeClient unit tests", () => {
                 correlationId: RANDOM_TEST_GUID,
                 authenticationScheme: AuthenticationScheme.BEARER,
                 authority: TEST_CONFIG.validAuthority,
-                responseMode: ResponseMode.FRAGMENT
+                responseMode: ResponseMode.FRAGMENT,
+                stkJwk: TEST_POP_VALUES.KID
             };
             const loginUrl = await client.getAuthCodeUrl(authCodeUrlRequest);
             expect(loginUrl.includes(`${SSOTypes.LOGIN_HINT}=`)).toBe(false);
@@ -459,7 +473,8 @@ describe("AuthorizationCodeClient unit tests", () => {
                 correlationId: RANDOM_TEST_GUID,
                 authenticationScheme: AuthenticationScheme.BEARER,
                 authority: TEST_CONFIG.validAuthority,
-                responseMode: ResponseMode.FRAGMENT
+                responseMode: ResponseMode.FRAGMENT,
+                stkJwk: TEST_POP_VALUES.KID
             };
             const loginUrl = await client.getAuthCodeUrl(authCodeUrlRequest);
             expect(loginUrl.includes(`${SSOTypes.LOGIN_HINT}=`)).toBe(false);
@@ -483,7 +498,8 @@ describe("AuthorizationCodeClient unit tests", () => {
                 correlationId: RANDOM_TEST_GUID,
                 authenticationScheme: AuthenticationScheme.BEARER,
                 authority: TEST_CONFIG.validAuthority,
-                responseMode: ResponseMode.FRAGMENT
+                responseMode: ResponseMode.FRAGMENT,
+                stkJwk: TEST_POP_VALUES.KID
             };
 
             const loginUrl = await client.getAuthCodeUrl(loginRequest);
@@ -611,7 +627,8 @@ describe("AuthorizationCodeClient unit tests", () => {
                 code: "",
                 correlationId: RANDOM_TEST_GUID,
                 authenticationScheme: AuthenticationScheme.BEARER,
-                authority: TEST_CONFIG.validAuthority
+                authority: TEST_CONFIG.validAuthority,
+                stkJwk: TEST_POP_VALUES.KID
             };
             // @ts-ignore
             await expect(client.acquireToken(codeRequest, null)).rejects.toMatchObject(ClientAuthError.createTokenRequestCannotBeMadeError());
@@ -875,7 +892,8 @@ describe("AuthorizationCodeClient unit tests", () => {
                 codeVerifier: TEST_CONFIG.TEST_VERIFIER,
                 claims: TEST_CONFIG.CLAIMS,
                 correlationId: RANDOM_TEST_GUID,
-                authenticationScheme: AuthenticationScheme.BEARER
+                authenticationScheme: AuthenticationScheme.BEARER,
+                stkJwk: TEST_POP_VALUES.KID
             };
 
             await client.acquireToken(authCodeRequest, {
@@ -951,7 +969,8 @@ describe("AuthorizationCodeClient unit tests", () => {
                 codeVerifier: TEST_CONFIG.TEST_VERIFIER,
                 claims: TEST_CONFIG.CLAIMS,
                 correlationId: RANDOM_TEST_GUID,
-                authenticationScheme: AuthenticationScheme.BEARER
+                authenticationScheme: AuthenticationScheme.BEARER,
+                stkJwk: TEST_POP_VALUES.KID
             };
 
             const authenticationResult = await client.acquireToken(authCodeRequest, {
@@ -989,6 +1008,8 @@ describe("AuthorizationCodeClient unit tests", () => {
             expect(returnVal.includes(`${AADServerParamKeys.X_CLIENT_CPU}=${TEST_CONFIG.TEST_CPU}`)
             ).toBe(true);
             expect(returnVal.includes(`${AADServerParamKeys.X_MS_LIB_CAPABILITY}=${ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE}`)).toBe(true);
+            expect(returnVal.includes(`${AADServerParamKeys.STK_JWK}=${TEST_POP_VALUES.ENCODED_STK_JWK_THUMBPRINT}`)
+            ).toBe(true);
         });
 
         it("Adds tokenQueryParameters to the /token request", () => {
@@ -1009,6 +1030,7 @@ describe("AuthorizationCodeClient unit tests", () => {
                     claims: TEST_CONFIG.CLAIMS,
                     correlationId: RANDOM_TEST_GUID,
                     authenticationScheme: AuthenticationScheme.BEARER,
+                    stkJwk: TEST_POP_VALUES.KID,
                     tokenQueryParameters: {
                         testParam: "testValue"
                     }
@@ -1189,7 +1211,8 @@ describe("AuthorizationCodeClient unit tests", () => {
                 resourceRequestMethod: "POST",
                 resourceRequestUri: TEST_URIS.TEST_RESOURCE_ENDPT_WITH_PARAMS,
                 claims: TEST_CONFIG.CLAIMS,
-                correlationId: RANDOM_TEST_GUID
+                correlationId: RANDOM_TEST_GUID,
+                stkJwk: TEST_POP_VALUES.KID
             };
 
             const authenticationResult = await client.acquireToken(authCodeRequest, {
@@ -1213,6 +1236,8 @@ describe("AuthorizationCodeClient unit tests", () => {
             expect(returnVal.includes(`${AADServerParamKeys.TOKEN_TYPE}=${AuthenticationScheme.POP}`)).toBe(true);
             expect(returnVal.includes(`${AADServerParamKeys.REQ_CNF}=${encodeURIComponent(TEST_POP_VALUES.ENCODED_REQ_CNF)}`)).toBe(true);
             expect(returnVal.includes(`${AADServerParamKeys.CLAIMS}=${encodeURIComponent(TEST_CONFIG.CLAIMS)}`)).toBe(true);
+            expect(returnVal.includes(`${AADServerParamKeys.STK_JWK}=${TEST_POP_VALUES.ENCODED_STK_JWK_THUMBPRINT}`)).toBe(true);
+
         });
 
         it("Sends the required parameters when a SSH certificate is requested", async () => {
@@ -1488,7 +1513,8 @@ describe("AuthorizationCodeClient unit tests", () => {
                 codeVerifier: TEST_CONFIG.TEST_VERIFIER,
                 claims: TEST_CONFIG.CLAIMS,
                 correlationId: RANDOM_TEST_GUID,
-                authenticationScheme: AuthenticationScheme.BEARER
+                authenticationScheme: AuthenticationScheme.BEARER,
+                stkJwk: TEST_POP_VALUES.KID
             };
 
             const authenticationResult = await client.acquireToken(authCodeRequest, {
@@ -1570,7 +1596,8 @@ describe("AuthorizationCodeClient unit tests", () => {
                 codeVerifier: TEST_CONFIG.TEST_VERIFIER,
                 claims: TEST_CONFIG.CLAIMS,
                 correlationId: RANDOM_TEST_GUID,
-                authenticationScheme: AuthenticationScheme.BEARER
+                authenticationScheme: AuthenticationScheme.BEARER,
+                stkJwk: TEST_POP_VALUES.KID
             };
 
             const authenticationResult = await client.acquireToken(authCodeRequest, {

diff --git a/lib/msal-node/src/crypto/CryptoProvider.ts b/lib/msal-node/src/crypto/CryptoProvider.ts
@@ -94,6 +94,6 @@ export class CryptoProvider implements ICrypto {
      * @param keyThumbprint
      */
     getAsymmetricPublicKey(): Promise<string> {
-        throw new Error("Method not implemented");
+        throw new Error("Method not implemented.");
     }
 }