-
Notifications
You must be signed in to change notification settings - Fork 373
Enable mTLS Proof‑of‑Possession for Client‑Assertion Delegates #5409
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
898aa83
initial
GladwinJohnson 0dbf269
pr comments
GladwinJohnson 43bcc9e
build break for public api change
GladwinJohnson cac7a77
IsMtlsPopEnabled
GladwinJohnson 4469c4b
pr comments
GladwinJohnson 2ab5e7f
Merge branch 'main' into gladjohn/new-assertion-api
gladjohn 4bfc589
name change
GladwinJohnson File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
41 changes: 41 additions & 0 deletions
41
src/client/Microsoft.Identity.Client/AppConfig/ClientAssertion.cs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| // Copyright (c) Microsoft Corporation. All rights reserved. | ||
| // Licensed under the MIT License. | ||
|
|
||
| using System.Security.Cryptography.X509Certificates; | ||
|
|
||
| namespace Microsoft.Identity.Client | ||
| { | ||
| /// <summary> | ||
| /// Container returned from <c>WithClientAssertion</c>. | ||
| /// </summary> | ||
| public class ClientAssertion | ||
| { | ||
| /// <summary> | ||
| /// Represents the client assertion (JWT) and optional mutual‑TLS binding certificate returned | ||
| /// by the <c>clientAssertionProvider</c> callback supplied to | ||
| /// <see cref="ConfidentialClientApplicationBuilder.WithClientAssertion(System.Func{AssertionRequestOptions, System.Threading.CancellationToken, System.Threading.Tasks.Task{ClientAssertion}})"/>. | ||
| /// </summary> | ||
| /// <remarks> | ||
| /// MSAL forwards <see cref="Assertion"/> to the token endpoint as the <c>client_assertion</c> parameter. | ||
| /// When mutual‑TLS Proof‑of‑Possession (PoP) is enabled on the application and a | ||
| /// <see cref="TokenBindingCertificate"/> is provided, MSAL sets <c>client_assertion_type</c> to | ||
| /// <c>urn:ietf:params:oauth:client-assertion-type:jwt-pop</c>; otherwise it uses <c>jwt-bearer</c>. | ||
| /// <br/><br/> | ||
| /// Guidance on constructing the client assertion (required claims, audience, and lifetime) is available at | ||
| /// <see href="https://aka.ms/msal-net-client-assertion">aka.ms/msal-net-client-assertion</see>. | ||
| /// The assertion is created by your callback; MSAL does not modify or re‑sign it. | ||
| /// **Note:** It is up to the caller to cache the assertion and certificate if reuse is desired. | ||
| /// </remarks> | ||
bgavrilMS marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| public string Assertion { get; set; } | ||
neha-bhargava marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| /// <summary> | ||
| /// Optional. Certificate used to bind the client assertion for mutual‑TLS Proof‑of‑Possession (PoP). | ||
| /// </summary> | ||
| /// <remarks> | ||
| /// Provide a value only when PoP is enabled on the application. The certificate should include an | ||
| /// accessible private key. If <c>null</c>, MSAL treats the assertion as a bearer assertion and uses | ||
| /// <c>client_assertion_type=jwt-bearer</c>. | ||
| /// </remarks> | ||
| public X509Certificate2 TokenBindingCertificate { get; set; } | ||
| } | ||
| } | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
86 changes: 86 additions & 0 deletions
86
.../Microsoft.Identity.Client/Internal/ClientCredential/ClientAssertionDelegateCredential.cs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,86 @@ | ||
| // Copyright (c) Microsoft Corporation. All rights reserved. | ||
| // Licensed under the MIT License. | ||
|
|
||
| using System; | ||
| using System.Security.Cryptography.X509Certificates; | ||
| using System.Threading; | ||
| using System.Threading.Tasks; | ||
| using Microsoft.Identity.Client; | ||
| using Microsoft.Identity.Client.AuthScheme.PoP; | ||
| using Microsoft.Identity.Client.Core; | ||
| using Microsoft.Identity.Client.Internal.Requests; | ||
| using Microsoft.Identity.Client.OAuth2; | ||
| using Microsoft.Identity.Client.PlatformsCommon.Interfaces; | ||
| using Microsoft.Identity.Client.TelemetryCore; | ||
|
|
||
| namespace Microsoft.Identity.Client.Internal.ClientCredential | ||
| { | ||
| /// <summary> | ||
| /// Handles client assertions supplied via a delegate that returns an | ||
| /// <see cref="ClientAssertion"/> (JWT + optional certificate bound for mTLS‑PoP). | ||
| /// </summary> | ||
| internal sealed class ClientAssertionDelegateCredential : IClientCredential | ||
| { | ||
| private readonly Func<AssertionRequestOptions, CancellationToken, Task<ClientAssertion>> _provider; | ||
|
|
||
| internal Task<ClientAssertion> GetAssertionAsync( | ||
| AssertionRequestOptions options, | ||
| CancellationToken cancellationToken) => | ||
| _provider(options, cancellationToken); | ||
|
|
||
| public ClientAssertionDelegateCredential( | ||
| Func<AssertionRequestOptions, CancellationToken, Task<ClientAssertion>> provider) | ||
| { | ||
| _provider = provider ?? throw new ArgumentNullException(nameof(provider)); | ||
| } | ||
|
|
||
| public AssertionType AssertionType => AssertionType.ClientAssertion; | ||
|
|
||
| // ────────────────────────────────── | ||
| // Main hook for token requests | ||
| // ────────────────────────────────── | ||
| public async Task AddConfidentialClientParametersAsync( | ||
| OAuth2Client oAuth2Client, | ||
| AuthenticationRequestParameters p, | ||
| ICryptographyManager _, | ||
| string tokenEndpoint, | ||
| CancellationToken ct) | ||
| { | ||
| var opts = new AssertionRequestOptions | ||
| { | ||
| CancellationToken = ct, | ||
| ClientID = p.AppConfig.ClientId, | ||
| TokenEndpoint = tokenEndpoint, | ||
| ClientCapabilities = p.RequestContext.ServiceBundle.Config.ClientCapabilities, | ||
| Claims = p.Claims, | ||
| ClientAssertionFmiPath = p.ClientAssertionFmiPath | ||
| }; | ||
|
|
||
| ClientAssertion resp = await _provider(opts, ct).ConfigureAwait(false); | ||
|
|
||
| if (string.IsNullOrWhiteSpace(resp?.Assertion)) | ||
| { | ||
| throw new MsalClientException(MsalError.InvalidClientAssertion, | ||
| MsalErrorMessage.InvalidClientAssertionEmpty); | ||
| } | ||
|
|
||
| // Decide bearer vs mTLS PoP | ||
| bool IsMtlsPopRequested = p.IsMtlsPopRequested; | ||
|
|
||
| if (IsMtlsPopRequested && resp.TokenBindingCertificate != null) | ||
| { | ||
| oAuth2Client.AddBodyParameter( | ||
| OAuth2Parameter.ClientAssertionType, | ||
| OAuth2AssertionType.JwtPop /* constant added in OAuth2AssertionType */); | ||
| } | ||
| else | ||
| { | ||
| oAuth2Client.AddBodyParameter( | ||
| OAuth2Parameter.ClientAssertionType, | ||
| OAuth2AssertionType.JwtBearer); | ||
| } | ||
|
|
||
| oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertion, resp.Assertion); | ||
| } | ||
| } | ||
| } |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.