Rename EnrolledKeyId → LocalKeyHandle; clarify AP enrollment key identifiers#22

Merged: dasiths merged 9 commits into main from copilot/ap-enrollment-process-analysis on May 27, 2026
Conversation

Copilot AI (Contributor) commented May 27, 2026

Summary

Renames EnrollResult.EnrolledKeyId → LocalKeyHandle, defaults to JWK thumbprint, and clarifies the separation between three distinct identifiers: JWK thumbprint, AP-internal JWT kid, and local keystore handle.

Changes by Phase

Phase 1 — SDK changes

  • EnrollResult.EnrolledKeyId renamed to LocalKeyHandle (defaults to JWK thumbprint)
  • EnrollResult.AgentTokenKid added — AP-published JWKS key id (required for jwks_uri mode)
  • Collapsed two RefreshAsync overloads into one (removed unused currentAgentToken param)
  • AgentProviderTokenRefresher parameters renamed, XML docs updated

Phase 2 — Tests

  • Renamed test methods to match new API surface

Phase 3 — Samples

  • All samples updated from EnrolledKeyId to LocalKeyHandle
  • AgentConsole persists/restores AgentTokenKid in enrollment cache

Phase 4 — Docs

  • bootstrap-enrollment.md rewritten with three-identifier table
  • All workflow docs updated with AAuth:LocalKeyHandle
  • concepts.md, getting-started.md, dependency-injection.md clarified

Phase 5 — Review fix-ups

  • 5a. JwksUri.razor and GuidedTour/CodeSnippets.cs use AgentTokenKid for kid param
  • 5b. AgentConsole variable renamed from keyId to localKeyHandle
  • 5c. GuidedTour remaining snippets use localKeyHandle consistently
  • 5d. Jwt.razor illustrative HTML updated
  • 5e. AgentTokenKid XML doc corrected — required for jwks_uri, not "diagnostic only"
  • 5f. Doc gaps in signing-modes and key-management clarified
  • 5g. README.md swept — no stale references

Phase 6 — SDK improvements

  • IKeyStore parameter renamed from keyId to handle
  • AAuthClientBuilder.From(EnrollResult) convenience API
  • Two-key (jkt-jwt) refresh: NamingJwtBuilder, RefreshTwoKeyAsync, RefreshMode.TwoKey
  • MockAP /refresh accepts jkt-jwt scheme
  • AgentConsole jkt-jwt mode uses two-key refresh

Phase 7 — jkt-jwt resource endpoint and sample routing

  • WhoAmI: dedicated /jkt-jwt endpoint with RequireIssuerVerification = false
  • All samples route jkt-jwt to /jkt-jwt (2-party pseudonymous, not 3-party)
  • GuidedTour generates ephemeral key + proper naming JWT
  • SampleApp JktJwt.razor page added
  • AgentConsole --ps validation fixed (only jwt requires PS)

Phase 8 — Naming JWT security hardening

  • Middleware validates naming JWT exp claim (clock-skew-aware)
  • Moved exp validation from resolver to middleware (proper clock support)
  • WhoAmI registers InMemoryJtiStore for jti replay detection
  • 5 new conformance tests for exp validation and replay detection

Verification

  • dotnet build — 0 errors, 0 warnings
  • dotnet test — 576 tests, 0 failures
  • All four AgentConsole signing modes return 200 against mock servers
  • jkt-jwt works without --ps (pseudonymous 2-party, no Person Server)
  • Naming JWT exp/jti validation tested with clock-skew scenarios
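The three-identifier split this description refers to (JWK thumbprint, AP-published kid, local keystore handle), shown by an added Python example that is not part of this PR or the AAuth SDK. It computes an RFC 7638 thumbprint from the public key material only, so AP-assigned metadata such as kid cannot change it, which is what makes it a stable default for the local handle; it then shows why jwks_uri mode must send the AP's kid rather than that handle (the Phase 5e fix). The EnrollmentRecord, build_record and header_kid_for_mode names, the sample key coordinates, and the rule used for non-jwks_uri modes are all this example's own assumptions.

```python
"""Three identifiers for one enrolled agent key (added example, not AAuth SDK code).

JWK thumbprint (RFC 7638): derived from public key material only; stable, recomputable.
AP-published kid: chosen by the AP, carried verbatim in the JWT header in jwks_uri mode.
Local key handle: whatever the agent's keystore is asked for; defaults to the thumbprint.
Key values below are placeholder strings, not a real key.
"""
import base64
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# RFC 7638 section 3.2: the members that go into the thumbprint, per key type.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),  # RFC 8037 section 2
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """Canonical JSON per RFC 7638: required members only, lexicographic order, no whitespace."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    members = REQUIRED_MEMBERS[kty]
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"JWK missing required members: {missing}")
    # Keep only required members; sort_keys orders them; separators strip all whitespace.
    return json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JWK, base64url without padding (43 characters)."""
    return _b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


@dataclass(frozen=True)
class EnrollmentRecord:
    """Hypothetical record mirroring the PR's split; names are this example's, not the SDK's."""
    local_key_handle: str             # what the agent's keystore is asked for
    agent_token_kid: Optional[str]    # AP-published JWKS kid; required in jwks_uri mode
    jwk_thumbprint: str               # derived from public key material, never assigned by the AP


def build_record(public_jwk: dict, ap_assigned_kid: Optional[str],
                 handle_override: Optional[str] = None) -> EnrollmentRecord:
    """Default the local handle to the thumbprint; a caller may still choose its own handle."""
    jkt = jwk_thumbprint(public_jwk)
    return EnrollmentRecord(local_key_handle=handle_override or jkt,
                            agent_token_kid=ap_assigned_kid, jwk_thumbprint=jkt)


def header_kid_for_mode(record: EnrollmentRecord, signing_mode: str) -> str:
    """jwks_uri mode must present the AP's kid so the verifier finds the key in the AP's JWKS.

    For other modes this example returns the thumbprint (assumption for illustration only).
    """
    if signing_mode == "jwks_uri":
        if not record.agent_token_kid:
            raise ValueError("jwks_uri mode requires the AP-published kid")
        return record.agent_token_kid
    return record.jwk_thumbprint


# Constructed sample EC P-256 public JWK; coordinates are treated as opaque placeholder strings.
SAMPLE_EC_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "ap-assigned-kid-2026-05",  # AP metadata: excluded from the thumbprint input
    "alg": "ES256",
}

if __name__ == "__main__":
    rec = build_record(SAMPLE_EC_JWK, ap_assigned_kid=SAMPLE_EC_JWK["kid"])
    print("canonical    :", canonical_jwk(SAMPLE_EC_JWK))
    print("local handle :", rec.local_key_handle)
    print("AP kid       :", rec.agent_token_kid)
    print("jwks_uri kid :", header_kid_for_mode(rec, "jwks_uri"))
```

Because the canonical form discards kid and alg, two copies of the same public key held by the agent and the AP yield the same handle, which is the property a keystore lookup wants; the AP's kid has no such guarantee and must be stored alongside the handle, as the AgentConsole enrollment cache does in this PR.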

Copilot AI left a comment
Pull request overview

This PR clarifies AP enrollment key identifier semantics by separating the agent-local keystore handle from AP-owned identifiers, and updates SDK docs/samples around LocalKeyHandle.

Changes:

  • Renames EnrollResult.EnrolledKeyId to LocalKeyHandle and defaults it to the durable key’s JWK thumbprint.
  • Collapses AP refresh to the local-handle based overload and updates AgentProviderTokenRefresher naming/docs.
  • Sweeps samples, docs, and planning files to explain AP/agent keystore separation and renamed config keys.
File Description
src/AAuth/Agent/AgentProviderClient.cs Updates enrollment/refresh API, result properties, and XML docs.
src/AAuth/Agent/AgentProviderTokenRefresher.cs Renames refresher local key reference and docs.
tests/AAuth.Tests/Agent/AgentProviderTokenRefresherTests.cs Renames constructor validation test.
samples/AgentConsole/Program.cs Switches enrollment result usage to LocalKeyHandle.
samples/GuidedTour/CodeSnippets.cs Updates tour snippets for renamed enrollment fields.
samples/Orchestrator/Program.cs Updates commented refresh example.
samples/SampleApp/EnrollmentService.cs Renames stored enrollment key handle state.
samples/SampleApp/Components/Pages/Jwt.razor Uses LocalKeyHandle when loading enrolled key.
samples/SampleApp/Components/Pages/JwksUri.razor Updates enrollment display and key handle usage.
docs/concepts.md Clarifies AP role and keystore separation.
docs/getting-started.md Updates enrollment/config examples.
docs/reference/dependency-injection.md Updates DI examples to use local key handles.
docs/signing-modes/agent-token-jwt.md Updates JWT signing mode config key.
docs/workflows/bootstrap-enrollment.md Rewrites enrollment identifier guidance and diagrams.
docs/workflows/call-chaining.md Updates config and refresher examples.
docs/workflows/deferred-consent.md Updates config examples.
docs/workflows/federated-access.md Updates config examples.
docs/workflows/identity-based-access.md Updates config example.
docs/workflows/ps-asserted-access.md Updates config and refresher examples.
docs/workflows/resource-managed-access.md Updates config example.
.agent/plans/2026-05-27-ap-enrollment-key-naming/research.md Adds research notes for identifier semantics.
.agent/plans/2026-05-27-ap-enrollment-key-naming/implementation-plan.md Adds phased implementation plan.

Copilot's findings

  • Files reviewed: 22/22 changed files
  • Comments generated: 6

Copilot AI changed the title Rename EnrolledKeyId → LocalKeyHandle; clarify AP enrollment key identifiers AgentConsole: send AP-published kid in jwks_uri signing mode May 27, 2026
dasiths added 5 commits May 27, 2026 17:46
- Updated IKeyStore interface methods to use local key handles instead of key IDs for better clarity and consistency.
- Enhanced documentation to clarify the usage of the local key handle and the importance of the AP-published kid for jwks_uri signing mode.
- Modified samples and documentation to reflect changes in key handling and jwks_uri integration.
- Implemented two-key refresh mechanism in AgentProviderClient, allowing for more secure token refresh using ephemeral keys.
- Added NamingJwtBuilder to facilitate the creation of naming JWTs for two-key refresh, ensuring compliance with the bootstrap spec.
- Updated AgentProviderTokenRefresher to support both single-key and two-key refresh modes, improving flexibility in token management.
…ple components; enhance documentation for jkt-jwt signing mode and agent key management.
…ion)

- Middleware validates naming JWT 'exp' claim with clock-skew support for jkt-jwt scheme
- Moved exp validation from resolver to middleware (clock-aware, respects ClockSkew option)
- WhoAmI sample registers InMemoryJtiStore for replay detection
- New NamingJwtValidationTests: 5 tests covering valid/expired/clock-skew/replay scenarios
- Updated JktJwtAndEcdsaTests to reflect resolver no longer validates exp
- Implementation plan updated with Phase 8
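The exp and jti checks this commit message and the Phase 8 summary describe, modelled in an added Python example that is not the AAuth middleware's code. A frozen, injectable clock lets the scenarios cover a token expired within the skew window (accepted), one expired beyond it (rejected), and a replayed jti (rejected); the InMemoryJtiStore here is this example's own class, named after the one in the PR but not taken from it, and it assumes signature verification has already happened before these claim checks run.

```python
"""Clock-skew-aware exp check and jti replay detection for a naming JWT (added example).

Models the Phase 8 behaviour in the PR: exp is validated against a configurable
clock skew, and jti is recorded so a replayed naming JWT is rejected. Signature
verification is assumed to have succeeded before validate() is called.
"""
import math
import threading
import time
from typing import Callable, Dict


class InMemoryJtiStore:
    """Remembers seen jti values only until the token could no longer pass the exp check."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._seen: Dict[str, float] = {}  # jti -> instant after which it can be forgotten
        self._lock = threading.Lock()
        self._clock = clock

    def try_add(self, jti: str, forget_after: float) -> bool:
        """Atomically record jti; returns False if it was already present (replay)."""
        now = self._clock()
        with self._lock:
            # Evict entries whose token would now fail the exp check anyway; bounds memory.
            for stale in [k for k, t in self._seen.items() if t <= now]:
                del self._seen[stale]
            if jti in self._seen:
                return False
            self._seen[jti] = forget_after
            return True


class NamingJwtValidationError(Exception):
    pass


class NamingJwtValidator:
    def __init__(self, jti_store: InMemoryJtiStore, clock_skew_seconds: float = 60.0,
                 clock: Callable[[], float] = time.time):
        self._store = jti_store
        self._skew = clock_skew_seconds
        self._clock = clock

    def validate(self, claims: dict) -> None:
        """Reject a missing/malformed exp, an exp older than now minus skew, or a reused jti."""
        exp = claims.get("exp")
        if isinstance(exp, bool) or not isinstance(exp, (int, float)) or not math.isfinite(exp):
            raise NamingJwtValidationError("exp claim missing or not a finite number")
        now = self._clock()
        if now > exp + self._skew:
            raise NamingJwtValidationError(
                f"naming JWT expired at {exp:.0f} (now {now:.0f}, skew {self._skew:.0f}s)")
        jti = claims.get("jti")
        if not isinstance(jti, str) or not jti:
            raise NamingJwtValidationError("jti claim missing")
        # Record jti only after exp passed, so expired tokens cannot fill the store.
        if not self._store.try_add(jti, forget_after=exp + self._skew):
            raise NamingJwtValidationError(f"naming JWT jti {jti!r} already used (replay)")


def run_scenarios(skew: float = 60.0) -> Dict[str, bool]:
    """Constructed claim sets checked against a frozen clock; True means accepted."""
    now = 1_800_000_000.0
    frozen = lambda: now  # noqa: E731 - frozen clock for deterministic results
    validator = NamingJwtValidator(InMemoryJtiStore(clock=frozen),
                                   clock_skew_seconds=skew, clock=frozen)
    cases = {
        "valid": {"jti": "jti-1", "exp": now + 300},
        "expired_within_skew": {"jti": "jti-2", "exp": now - skew / 2},
        "expired_beyond_skew": {"jti": "jti-3", "exp": now - skew * 2},
        "missing_exp": {"jti": "jti-4"},
        "replayed_valid": {"jti": "jti-1", "exp": now + 300},  # same jti as "valid"
    }
    results: Dict[str, bool] = {}
    for name, claims in cases.items():
        try:
            validator.validate(claims)
            results[name] = True
        except NamingJwtValidationError:
            results[name] = False
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:22s} {'accepted' if accepted else 'rejected'}")
```

Keying the store's eviction to exp plus skew matters: forgetting a jti earlier than that reopens the replay window while the token is still acceptable, and never forgetting it turns the store into an unbounded allocation driven by the peer.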
@dasiths dasiths marked this pull request as ready for review May 27, 2026 19:00
@dasiths dasiths changed the title AgentConsole: send AP-published kid in jwks_uri signing mode Rename EnrolledKeyId → LocalKeyHandle; clarify AP enrollment key identifiers May 27, 2026
@dasiths dasiths merged commit 5d44785 into main May 27, 2026
1 check passed
@dasiths dasiths deleted the copilot/ap-enrollment-process-analysis branch May 27, 2026 19:03