-
Notifications
You must be signed in to change notification settings - Fork 373
Enable mTLS Proof‑of‑Possession for Client‑Assertion Delegates #5409
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from 4 commits
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
898aa83
initial
GladwinJohnson 0dbf269
pr comments
GladwinJohnson 43bcc9e
build break for public api change
GladwinJohnson cac7a77
IsMtlsPopEnabled
GladwinJohnson 4469c4b
pr comments
GladwinJohnson 2ab5e7f
Merge branch 'main' into gladjohn/new-assertion-api
gladjohn 4bfc589
name change
GladwinJohnson File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
40 changes: 40 additions & 0 deletions
40
src/client/Microsoft.Identity.Client/AppConfig/ClientAssertion.cs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| // Copyright (c) Microsoft Corporation. All rights reserved. | ||
| // Licensed under the MIT License. | ||
|
|
||
| using System.Security.Cryptography.X509Certificates; | ||
|
|
||
| namespace Microsoft.Identity.Client | ||
| { | ||
| /// <summary> | ||
| /// Container returned from <c>WithClientAssertion</c>. | ||
| /// </summary> | ||
| public class ClientAssertion | ||
| { | ||
| /// <summary> | ||
| /// Represents the client assertion (JWT) and optional mutual‑TLS binding certificate returned | ||
| /// by the <c>clientAssertionProvider</c> callback supplied to | ||
| /// <see cref="ConfidentialClientApplicationBuilder.WithClientAssertion(System.Func{AssertionRequestOptions, System.Threading.CancellationToken, System.Threading.Tasks.Task{ClientAssertion}})"/>. | ||
| /// </summary> | ||
| /// <remarks> | ||
| /// MSAL forwards <see cref="Assertion"/> to the token endpoint as the <c>client_assertion</c> parameter. | ||
| /// When mutual‑TLS Proof‑of‑Possession (PoP) is enabled on the application and a | ||
| /// <see cref="TokenBindingCertificate"/> is provided, MSAL sets <c>client_assertion_type</c> to | ||
| /// <c>urn:ietf:params:oauth:client-assertion-type:jwt-pop</c>; otherwise it uses <c>jwt-bearer</c>. | ||
| /// <br/><br/> | ||
| /// Guidance on constructing the client assertion (required claims, audience, and lifetime) is available at | ||
| /// <see href="https://aka.ms/msal-net-client-assertion">aka.ms/msal-net-client-assertion</see>. | ||
| /// The assertion is created by your callback; MSAL does not modify or re‑sign it. | ||
| /// </remarks> | ||
bgavrilMS marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| public string Assertion { get; set; } | ||
neha-bhargava marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| /// <summary> | ||
| /// Optional. Certificate used to bind the client assertion for mutual‑TLS Proof‑of‑Possession (PoP). | ||
| /// </summary> | ||
| /// <remarks> | ||
| /// Provide a value only when PoP is enabled on the application. The certificate should include an | ||
| /// accessible private key. If <c>null</c>, MSAL treats the assertion as a bearer assertion and uses | ||
| /// <c>client_assertion_type=jwt-bearer</c>. | ||
| /// </remarks> | ||
| public X509Certificate2 TokenBindingCertificate { get; set; } | ||
| } | ||
| } | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
113 changes: 113 additions & 0 deletions
113
src/client/Microsoft.Identity.Client/AuthScheme/PoP/PopBindingResolver.cs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,113 @@ | ||
| // Copyright (c) Microsoft Corporation. All rights reserved. | ||
| // Licensed under the MIT License. | ||
|
|
||
| using System; | ||
| using System.Collections.Generic; | ||
| using System.Security.Cryptography.X509Certificates; | ||
| using System.Threading; | ||
| using System.Threading.Tasks; | ||
| using Microsoft.Identity.Client.ApiConfig.Parameters; | ||
| using Microsoft.Identity.Client.AuthScheme.PoP; | ||
| using Microsoft.Identity.Client.Internal; | ||
| using Microsoft.Identity.Client.Internal.ClientCredential; | ||
| using Microsoft.Identity.Client.Internal.Requests; | ||
|
|
||
| namespace Microsoft.Identity.Client.AuthScheme.PoP | ||
| { | ||
| /// <summary> | ||
| /// Central place for validating mTLS Proof‑of‑Possession pre‑conditions | ||
| /// and wiring up <see cref="MtlsPopAuthenticationOperation"/>. | ||
| /// </summary> | ||
| internal static class PopBindingResolver | ||
gladjohn marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| { | ||
| /// <summary> | ||
| /// Ensures a certificate is available, region settings are correct, | ||
| /// and populates <see cref="AcquireTokenCommonParameters.AuthenticationOperation"/> | ||
| /// and <see cref="AcquireTokenCommonParameters.MtlsCertificate"/>. | ||
| /// </summary> | ||
| internal static async Task ValidateAndWireAsync(IServiceBundle serviceBundle, | ||
| AcquireTokenCommonParameters commonParameters, | ||
| CancellationToken ct) | ||
| { | ||
| if (!commonParameters.IsMtlsPopEnabled) | ||
| { | ||
| return; // PoP not requested | ||
| } | ||
|
|
||
| // ──────────────────────────────────── | ||
| // Case 1 – Certificate credential | ||
| // ──────────────────────────────────── | ||
| if (serviceBundle.Config.ClientCredential is CertificateClientCredential certCred) | ||
| { | ||
| if (certCred.Certificate == null) | ||
| { | ||
| throw new MsalClientException( | ||
| MsalError.MtlsCertificateNotProvided, | ||
| MsalErrorMessage.MtlsCertificateNotProvidedMessage); | ||
| } | ||
|
|
||
| return; | ||
| } | ||
|
|
||
| // ──────────────────────────────────── | ||
| // Case 2 – Client‑assertion delegate | ||
| // ──────────────────────────────────── | ||
| if (serviceBundle.Config.ClientCredential is ClientAssertionDelegateCredential cadc) | ||
| { | ||
| var opts = new AssertionRequestOptions | ||
| { | ||
| ClientID = serviceBundle.Config.ClientId, | ||
| ClientCapabilities = serviceBundle.Config.ClientCapabilities, | ||
| Claims = commonParameters.Claims, | ||
| CancellationToken = ct | ||
| }; | ||
|
|
||
| ClientAssertion ar = await cadc.GetAssertionAsync(opts, ct).ConfigureAwait(false); | ||
|
|
||
| if (ar.TokenBindingCertificate == null) | ||
| { | ||
| throw new MsalClientException( | ||
| MsalError.MtlsCertificateNotProvided, | ||
| MsalErrorMessage.MtlsCertificateNotProvidedMessage); | ||
| } | ||
|
|
||
| Wire(commonParameters, ar.TokenBindingCertificate, serviceBundle); | ||
| return; | ||
| } | ||
|
|
||
| // ──────────────────────────────────── | ||
| // Case 3 – Any other credential (client‑secret etc.) | ||
| // ──────────────────────────────────── | ||
| throw new MsalClientException( | ||
| MsalError.MtlsCertificateNotProvided, | ||
| MsalErrorMessage.MtlsCertificateNotProvidedMessage); | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// Common wiring + region check. | ||
| /// </summary> | ||
| private static void Wire( | ||
| AcquireTokenCommonParameters commonParameters, | ||
| X509Certificate2 cert, | ||
| IServiceBundle serviceBundle) | ||
| { | ||
| // Region requirement (AAD only) | ||
| if (serviceBundle.Config.Authority.AuthorityInfo.AuthorityType == AuthorityType.Aad && | ||
| serviceBundle.Config.AzureRegion == null) | ||
| { | ||
| throw new MsalClientException( | ||
| MsalError.MtlsPopWithoutRegion, | ||
| MsalErrorMessage.MtlsPopWithoutRegion); | ||
| } | ||
|
|
||
| commonParameters.AuthenticationOperation = new MtlsPopAuthenticationOperation(cert); | ||
| commonParameters.MtlsCertificate = cert; | ||
|
|
||
| commonParameters.CacheKeyComponents ??= new SortedList<string, string>(StringComparer.Ordinal); | ||
|
|
||
| commonParameters.CacheKeyComponents[Constants.CertSerialNumber] = cert.SerialNumber; | ||
gladjohn marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| serviceBundle.Config.CertificateIdToAssociateWithToken = cert.Thumbprint; | ||
gladjohn marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| } | ||
| } | ||
| } | ||
86 changes: 86 additions & 0 deletions
86
.../Microsoft.Identity.Client/Internal/ClientCredential/ClientAssertionDelegateCredential.cs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,86 @@ | ||
| // Copyright (c) Microsoft Corporation. All rights reserved. | ||
| // Licensed under the MIT License. | ||
|
|
||
| using System; | ||
| using System.Security.Cryptography.X509Certificates; | ||
| using System.Threading; | ||
| using System.Threading.Tasks; | ||
| using Microsoft.Identity.Client; | ||
| using Microsoft.Identity.Client.AuthScheme.PoP; | ||
| using Microsoft.Identity.Client.Core; | ||
| using Microsoft.Identity.Client.Internal.Requests; | ||
| using Microsoft.Identity.Client.OAuth2; | ||
| using Microsoft.Identity.Client.PlatformsCommon.Interfaces; | ||
| using Microsoft.Identity.Client.TelemetryCore; | ||
|
|
||
| namespace Microsoft.Identity.Client.Internal.ClientCredential | ||
| { | ||
| /// <summary> | ||
| /// Handles client assertions supplied via a delegate that returns an | ||
| /// <see cref="ClientAssertion"/> (JWT + optional certificate bound for mTLS‑PoP). | ||
| /// </summary> | ||
| internal sealed class ClientAssertionDelegateCredential : IClientCredential | ||
| { | ||
| private readonly Func<AssertionRequestOptions, CancellationToken, Task<ClientAssertion>> _provider; | ||
|
|
||
| internal Task<ClientAssertion> GetAssertionAsync( | ||
| AssertionRequestOptions options, | ||
| CancellationToken cancellationToken) => | ||
| _provider(options, cancellationToken); | ||
|
|
||
| public ClientAssertionDelegateCredential( | ||
| Func<AssertionRequestOptions, CancellationToken, Task<ClientAssertion>> provider) | ||
| { | ||
| _provider = provider ?? throw new ArgumentNullException(nameof(provider)); | ||
| } | ||
|
|
||
| public AssertionType AssertionType => AssertionType.ClientAssertion; | ||
|
|
||
| // ────────────────────────────────── | ||
| // Main hook for token requests | ||
| // ────────────────────────────────── | ||
| public async Task AddConfidentialClientParametersAsync( | ||
| OAuth2Client oAuth2Client, | ||
| AuthenticationRequestParameters p, | ||
| ICryptographyManager _, | ||
| string tokenEndpoint, | ||
| CancellationToken ct) | ||
| { | ||
| var opts = new AssertionRequestOptions | ||
| { | ||
| CancellationToken = ct, | ||
| ClientID = p.AppConfig.ClientId, | ||
| TokenEndpoint = tokenEndpoint, | ||
| ClientCapabilities = p.RequestContext.ServiceBundle.Config.ClientCapabilities, | ||
| Claims = p.Claims, | ||
| ClientAssertionFmiPath = p.ClientAssertionFmiPath | ||
| }; | ||
|
|
||
| ClientAssertion resp = await _provider(opts, ct).ConfigureAwait(false); | ||
|
|
||
| if (string.IsNullOrWhiteSpace(resp?.Assertion)) | ||
| { | ||
| throw new MsalClientException(MsalError.InvalidClientAssertion, | ||
| MsalErrorMessage.InvalidClientAssertionEmpty); | ||
| } | ||
|
|
||
| // Decide bearer vs mTLS PoP | ||
| bool isMtlsPopEnabled = p.IsMtlsPopEnabled; | ||
|
|
||
| if (isMtlsPopEnabled && resp.TokenBindingCertificate != null) | ||
| { | ||
| oAuth2Client.AddBodyParameter( | ||
| OAuth2Parameter.ClientAssertionType, | ||
| OAuth2AssertionType.JwtPop /* constant added in OAuth2AssertionType */); | ||
| } | ||
| else | ||
| { | ||
| oAuth2Client.AddBodyParameter( | ||
| OAuth2Parameter.ClientAssertionType, | ||
| OAuth2AssertionType.JwtBearer); | ||
| } | ||
|
|
||
| oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertion, resp.Assertion); | ||
| } | ||
| } | ||
| } |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.