
Custom signing key Section does not Mention acceptMappedClaims as an alternative #5111

Closed
chrisetler opened this issue Feb 28, 2018 — with docs.microsoft.com · 6 comments

Comments


@chrisetler chrisetler commented Feb 28, 2018 — with docs.microsoft.com

The document mentions that you must use a Custom Signing key, but doesn't mention that you can get around that limitation by simply editing the app manifest to set "acceptMappedClaims" to true. Not only is the latter option much easier to set up and to maintain, and makes ID token validation much easier to do, it is also much more secure because it does not require a symmetric key to be transferred (and possibly stored) on client devices, which seems to be a huge security concern. I think a lot of people are going to go down the wrong path and implement something that is insecure because they didn't realize there was a much easier and secure way to do it.


Document Details

Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

  • ID: 195c79a3-ccc5-8c6a-233e-95e344a9b4df
  • Version Independent ID: 401c7557-5817-bbd3-5bd8-8c97ef5a28cc
  • Content
  • Content Source
  • Service: active-directory
Contributor

@amanarneja amanarneja commented Feb 28, 2018

@chrisetler Thanks for the feedback! I have assigned the issue to the author to take a look and update the document as appropriate.

Contributor

@billmath billmath commented Feb 28, 2018

I have sent an email to the PM for some clarification.

Contributor

@billmath billmath commented Mar 2, 2018

@chrisetler I just wanted to let you know that first, we are in the process of updating this doc, so a future version should call out using acceptMappedClaims. Second, I verified that it is okay to use acceptMappedClaims if it's an app that is configured on the tenant (as opposed to a multi-tenant app or SAML SP), and if the client side code handles key rolls – since tokens will be signed with the AAD signing key which may roll at any time. If an app uses acceptMappedClaims, it must be careful to handle the issuer validation, to provide proper isolation between tenants (e.g., if tenant 1 sets up a claims mapping to issue UPN == someone@tenant2.com, the app must be validating the issuer so that it doesn't incorrectly provide access to tenant 2's data). Finally, we don't use a symmetric key, it's an asymmetric key (certificate), so the client just gets the public key, the same as tokens signed using the AAD global signing key.

At this point thank you again for bringing this up as it will help us improve the docs and unless there is anything else I will close this out later today.

Thanks!

Contributor

@billmath billmath commented Mar 7, 2018

#please-close

Contributor

@billmath billmath commented Mar 7, 2018

@amanarneja please-close

@amanarneja amanarneja closed this Mar 8, 2018


@Aculeo Aculeo commented Jun 24, 2019 — with docs.microsoft.com

I have an app registration with acceptMappedClaims set to true, I authenticate against it and I'm still getting:

Microsoft.Identity.Client.MsalServiceException: AADSTS50146: This application is required to be configured with an application-specific signing key.

Am I missing something? And when is the documentation going to get updated? It's been over a year and there is still no mention of acceptMappedClaims.

And just to clarify, I have a mobile app where I need an additional mapped claim, meaning I do not have a ConfidentialClientApplication but instead a PublicClientApplication - so I cannot add a certificate.
