Merge branch 'main' into trwalke/ClientClaims

Signed-off-by: Jean-Marc Prieur <[email protected]>

Author: jmprieur

Directory.Build.props

@@ -1,7 +1,7 @@
 <Project>
   <PropertyGroup>
     <!-- This should be passed from the VSTS build -->
-    <MicrosoftIdentityAbstractionsVersion Condition="'$(MicrosoftIdentityAbstractionsVersion)' == ''">9.6.0</MicrosoftIdentityAbstractionsVersion>
+    <MicrosoftIdentityAbstractionsVersion Condition="'$(MicrosoftIdentityAbstractionsVersion)' == ''">10.0.0</MicrosoftIdentityAbstractionsVersion>
     <!-- This will generate AssemblyVersion, AssemblyFileVersion and AssemblyInformationVersion -->
     <Version>$(MicrosoftIdentityAbstractionsVersion)</Version>
     <AssemblyOriginatorKeyFile>$(MSBuildThisFileDirectory)\build\35MSSharedLib1024.snk</AssemblyOriginatorKeyFile>

README.md

@@ -185,8 +185,8 @@ namespace TokenAcquisition {
     }
 
         class IAuthorizationHeaderProvider { <<interface>> }
-        class IAuthorizationHeaderProvider2 { <<interface>> }
         class IAuthorizationHeaderProvider_TResult_ { <<interface>> }
+        class IBoundAuthorizationHeaderProvider { <<interface>> }
         class IDownstreamApi { <<interface>>
                +CallApiAsync(...)
                +CallApiForUserAsync(...)
@@ -423,8 +423,8 @@ It's also possible (and recommended) to use higher level APIs:
 - IAuthorizationHeaderProvider is the component that provides the authorization header, delegating to the ITokenAcquirer.
   Whereas ITokenAcquirer only knows about tokens, IAuthorizationHeaderProvider knows about protocols (for instance bearer,
   Pop, etc ...)
-- IAuthorizationHeaderProvider2 extends IAuthorizationHeaderProvider to provide authorization headers along with
-  bound certificate information, useful for scenarios requiring certificate binding details.
+- IBoundAuthorizationHeaderProvider returns authorization headers along with bound certificate information, useful for
+  scenarios requiring certificate binding details.
 
  ```mermaid
  classDiagram
@@ -461,10 +461,8 @@ It's also possible (and recommended) to use higher level APIs:
     +Task&lt;string&gt; CreateAuthorizationHeaderForAppAsync(string scopes, AuthorizationHeaderProviderOptions downstreamApiOptions, CancellationToken cancellationToken)
     +Task&lt;string&gt; CreateAuthorizationHeaderAsync(IEnumerable&lt;string&gt; scopes, AuthorizationHeaderProviderOptions options, ClaimsPrincipal claimsPrincipal, CancellationToken cancellationToken)
     }
-    class IAuthorizationHeaderProvider2 { <<interface>>
-    +Task&lt;AuthorizationHeaderInformation&gt; CreateAuthorizationHeaderBoundForUserAsync(IEnumerable&lt;string&gt; scopes, AuthorizationHeaderProviderOptions authorizationHeaderProviderOptions, ClaimsPrincipal claimsPrincipal, CancellationToken cancellationToken)
-    +Task&lt;AuthorizationHeaderInformation&gt; CreateAuthorizationHeaderBoundForAppAsync(string scopes, AuthorizationHeaderProviderOptions downstreamApiOptions, CancellationToken cancellationToken)
-    +Task&lt;AuthorizationHeaderInformation&gt; CreateAuthorizationHeaderBoundAsync(IEnumerable&lt;string&gt; scopes, AuthorizationHeaderProviderOptions options, ClaimsPrincipal claimsPrincipal, CancellationToken cancellationToken)
+    class IBoundAuthorizationHeaderProvider { <<interface>>
+    +Task&lt;OperationResult&lt;AuthorizationHeaderInformation, AuthorizationHeaderError&gt;&gt; CreateBoundAuthorizationHeaderAsync(DownstreamApiOptions downstreamApiOptions, ClaimsPrincipal claimsPrincipal, CancellationToken cancellationToken)
     }
     class IDownstreamApi { <<interface>>
     +Task&lt;HttpResponseMessage&gt; CallApiAsync(DownstreamApiOptions downstreamApiOptions, ClaimsPrincipal user, HttpContent content, CancellationToken cancellationToken)

agents.md

@@ -169,7 +169,7 @@ Through its well-designed abstractions and interfaces, Microsoft.Identity.Abstra
 - ITokenAcquirer - Core interface for token acquisition
 - ITokenAcquirerFactory - Factory of Token acquirers
 - IAuthorizationHeaderProvider - creates authorization headers (getting tokens and building the protocol string)
-- IAuthorizationHeaderProvider2 - extends IAuthorizationHeaderProvider to provide authorization headers with bound certificate information
+- IBoundAuthorizationHeaderProvider - creates authorization headers with token, which is optionally bound to a certififcate
 - IDownstreamApi - call downstream APIs in an authenticated way.
 
 ### Development Guidelines

src/Microsoft.Identity.Abstractions/DownstreamApi/IAuthorizationHeaderProvider2.cs

@@ -0,0 +1,31 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Security.Claims;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace Microsoft.Identity.Abstractions
+{
+    /// <summary>
+    /// Creates an authorization header value that the caller can use to access a protected web API, which supports either unbound or
+    /// bound to a certificate (for example, in an mTLS PoP scenario) tokens.
+    /// </summary>
+    public interface IBoundAuthorizationHeaderProvider
+    {
+         /// <summary>
+        /// Creates the authorization header used to call a protected web API with either unbound or bound to certificate tokens.
+        /// </summary>
+        /// <param name="downstreamApiOptions">Information about the API that will be called and token acquisition options.</param>
+        /// <param name="claimsPrincipal">Inbound authentication elements. In a web API, this is usually the result of the
+        /// validation of a token. In a web app, this would be information about the signed-in user. This is not useful in
+        /// daemon applications. In Microsoft.Identity.Web you rarely need to provide this parameter as it's inferred from the
+        /// context.</param>
+        /// <param name="cancellationToken">Cancellation token.</param>
+        /// <returns>A result which contains authorization token with optional bound certificate</returns>
+        Task<OperationResult<AuthorizationHeaderInformation, AuthorizationHeaderError>> CreateBoundAuthorizationHeaderAsync(
+            DownstreamApiOptions downstreamApiOptions,
+            ClaimsPrincipal? claimsPrincipal = null,
+            CancellationToken cancellationToken = default);
+    }
+}

src/Microsoft.Identity.Abstractions/DownstreamApi/IBoundAuthorizationHeaderProvider.cs

@@ -1,4 +1,5 @@
 #nullable enable
-Microsoft.Identity.Abstractions.IAuthorizationHeaderProvider2
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider.CreateBoundAuthorizationHeaderAsync(Microsoft.Identity.Abstractions.DownstreamApiOptions! downstreamApiOptions, System.Security.Claims.ClaimsPrincipal? claimsPrincipal = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<Microsoft.Identity.Abstractions.OperationResult<Microsoft.Identity.Abstractions.AuthorizationHeaderInformation!, Microsoft.Identity.Abstractions.AuthorizationHeaderError!>>
 Microsoft.Identity.Abstractions.MicrosoftEntraApplicationOptions.ClientAssertionClaims.get -> System.Collections.Generic.IDictionary<string!, string!>?
 Microsoft.Identity.Abstractions.MicrosoftEntraApplicationOptions.ClientAssertionClaims.set -> void

src/Microsoft.Identity.Abstractions/PublicAPI/net10.0/PublicAPI.Unshipped.txt

@@ -1,4 +1,6 @@
 #nullable enable
-Microsoft.Identity.Abstractions.IAuthorizationHeaderProvider2
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider.CreateBoundAuthorizationHeaderAsync(Microsoft.Identity.Abstractions.DownstreamApiOptions! downstreamApiOptions, System.Security.Claims.ClaimsPrincipal? claimsPrincipal = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<Microsoft.Identity.Abstractions.OperationResult<Microsoft.Identity.Abstractions.AuthorizationHeaderInformation!, Microsoft.Identity.Abstractions.AuthorizationHeaderError!>>
 Microsoft.Identity.Abstractions.MicrosoftEntraApplicationOptions.ClientAssertionClaims.get -> System.Collections.Generic.IDictionary<string!, string!>?
 Microsoft.Identity.Abstractions.MicrosoftEntraApplicationOptions.ClientAssertionClaims.set -> void
+

src/Microsoft.Identity.Abstractions/PublicAPI/net462/PublicAPI.Unshipped.txt

@@ -1,4 +1,5 @@
 #nullable enable
-Microsoft.Identity.Abstractions.IAuthorizationHeaderProvider2
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider.CreateBoundAuthorizationHeaderAsync(Microsoft.Identity.Abstractions.DownstreamApiOptions! downstreamApiOptions, System.Security.Claims.ClaimsPrincipal? claimsPrincipal = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<Microsoft.Identity.Abstractions.OperationResult<Microsoft.Identity.Abstractions.AuthorizationHeaderInformation!, Microsoft.Identity.Abstractions.AuthorizationHeaderError!>>
 Microsoft.Identity.Abstractions.MicrosoftEntraApplicationOptions.ClientAssertionClaims.get -> System.Collections.Generic.IDictionary<string!, string!>?
 Microsoft.Identity.Abstractions.MicrosoftEntraApplicationOptions.ClientAssertionClaims.set -> void

src/Microsoft.Identity.Abstractions/PublicAPI/net8.0/PublicAPI.Unshipped.txt

@@ -1,4 +1,5 @@
 #nullable enable
-Microsoft.Identity.Abstractions.IAuthorizationHeaderProvider2
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider.CreateBoundAuthorizationHeaderAsync(Microsoft.Identity.Abstractions.DownstreamApiOptions! downstreamApiOptions, System.Security.Claims.ClaimsPrincipal? claimsPrincipal = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<Microsoft.Identity.Abstractions.OperationResult<Microsoft.Identity.Abstractions.AuthorizationHeaderInformation!, Microsoft.Identity.Abstractions.AuthorizationHeaderError!>>
 Microsoft.Identity.Abstractions.MicrosoftEntraApplicationOptions.ClientAssertionClaims.get -> System.Collections.Generic.IDictionary<string!, string!>?
 Microsoft.Identity.Abstractions.MicrosoftEntraApplicationOptions.ClientAssertionClaims.set -> void

src/Microsoft.Identity.Abstractions/PublicAPI/net9.0/PublicAPI.Unshipped.txt

@@ -1,4 +1,5 @@
 #nullable enable
-Microsoft.Identity.Abstractions.IAuthorizationHeaderProvider2
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider.CreateBoundAuthorizationHeaderAsync(Microsoft.Identity.Abstractions.DownstreamApiOptions! downstreamApiOptions, System.Security.Claims.ClaimsPrincipal? claimsPrincipal = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<Microsoft.Identity.Abstractions.OperationResult<Microsoft.Identity.Abstractions.AuthorizationHeaderInformation!, Microsoft.Identity.Abstractions.AuthorizationHeaderError!>>
 Microsoft.Identity.Abstractions.MicrosoftEntraApplicationOptions.ClientAssertionClaims.get -> System.Collections.Generic.IDictionary<string!, string!>?
 Microsoft.Identity.Abstractions.MicrosoftEntraApplicationOptions.ClientAssertionClaims.set -> void