Use JsonWebToken type in place of strings for JWTs

Author: mjcheetham

src/shared/Microsoft.AzureRepos.Tests/AzureDevOpsApiTests.cs

@@ -9,8 +9,10 @@
 using System.Threading.Tasks;
 using Microsoft.Git.CredentialManager;
 using Microsoft.Git.CredentialManager.Tests.Objects;
+using Microsoft.IdentityModel.JsonWebTokens;
 using Newtonsoft.Json;
 using Xunit;
+using static Microsoft.Git.CredentialManager.Tests.TestHelpers;
 
 namespace Microsoft.AzureRepos.Tests
 {
@@ -223,7 +225,7 @@ public async Task AzureDevOpsRestApi_CreatePersonalAccessTokenAsync_ReturnsPAT()
             var orgUri = new Uri("https://dev.azure.com/org/");
 
             const string expectedPat = "PERSONAL-ACCESS-TOKEN";
-            const string accessToken = "ACCESS-TOKEN";
+            JsonWebToken accessToken = CreateJwt();
             IEnumerable<string> scopes = new[] {AzureDevOpsConstants.PersonalAccessTokenScopes.ReposWrite};
 
             var identityServiceUri = new Uri("https://identity.example.com/");
@@ -262,7 +264,7 @@ public async Task AzureDevOpsRestApi_CreatePersonalAccessTokenAsync_LocSvcReturn
             var context = new TestCommandContext();
             var orgUri = new Uri("https://dev.azure.com/org/");
 
-            const string accessToken = "ACCESS-TOKEN";
+            JsonWebToken accessToken = CreateJwt();
             IEnumerable<string> scopes = new[] {AzureDevOpsConstants.PersonalAccessTokenScopes.ReposWrite};
 
             var locSvcRequestUri = new Uri(orgUri, ExpectedLocationServicePath);
@@ -282,7 +284,7 @@ public async Task AzureDevOpsRestApi_CreatePersonalAccessTokenAsync_IdentSvcRetu
             var context = new TestCommandContext();
             var orgUri = new Uri("https://dev.azure.com/org/");
 
-            const string accessToken = "ACCESS-TOKEN";
+            JsonWebToken accessToken = CreateJwt();
             IEnumerable<string> scopes = new[] {AzureDevOpsConstants.PersonalAccessTokenScopes.ReposWrite};
 
             var identityServiceUri = new Uri("https://identity.example.com/");
@@ -315,7 +317,7 @@ public async Task AzureDevOpsRestApi_CreatePersonalAccessTokenAsync_IdentSvcRetu
             var context = new TestCommandContext();
             var orgUri = new Uri("https://dev.azure.com/org/");
 
-            const string accessToken = "ACCESS-TOKEN";
+            JsonWebToken accessToken = CreateJwt();
             IEnumerable<string> scopes = new[] {AzureDevOpsConstants.PersonalAccessTokenScopes.ReposWrite};
 
             var identityServiceUri = new Uri("https://identity.example.com/");
@@ -400,12 +402,12 @@ private static void AssertAcceptJson(HttpRequestMessage request)
             Assert.Contains(Constants.Http.MimeTypeJson, acceptMimeTypes);
         }
 
-        private static void AssertBearerToken(HttpRequestMessage request, string bearerToken)
+        private static void AssertBearerToken(HttpRequestMessage request, JsonWebToken bearerToken)
         {
             AuthenticationHeaderValue authHeader = request.Headers.Authorization;
             Assert.NotNull(authHeader);
             Assert.Equal("Bearer", authHeader.Scheme);
-            Assert.Equal(bearerToken, authHeader.Parameter);
+            Assert.Equal(bearerToken.EncodedToken, authHeader.Parameter);
         }
 
         private static HttpResponseMessage CreateLocationServiceResponse(Uri identityServiceUri)

src/shared/Microsoft.AzureRepos.Tests/AzureReposHostProviderTests.cs

@@ -8,6 +8,7 @@
 using Microsoft.Git.CredentialManager.Tests.Objects;
 using Moq;
 using Xunit;
+using static Microsoft.Git.CredentialManager.Tests.TestHelpers;
 
 namespace Microsoft.AzureRepos.Tests
 {
@@ -151,7 +152,7 @@ public async Task AzureReposProvider_GetCredentialAsync_ReturnsCredential()
             var expectedClientId = AzureDevOpsConstants.AadClientId;
             var expectedRedirectUri = AzureDevOpsConstants.AadRedirectUri;
             var expectedResource = AzureDevOpsConstants.AadResourceId;
-            var accessToken = "ACCESS-TOKEN";
+            var accessToken = CreateJwt("john.doe");
             var personalAccessToken = "PERSONAL-ACCESS-TOKEN";
 
             var context = new TestCommandContext();

src/shared/Microsoft.AzureRepos/AzureDevOpsRestApi.cs

@@ -9,13 +9,14 @@
 using System.Text.RegularExpressions;
 using System.Threading.Tasks;
 using Microsoft.Git.CredentialManager;
+using Microsoft.IdentityModel.JsonWebTokens;
 
 namespace Microsoft.AzureRepos
 {
     public interface IAzureDevOpsRestApi : IDisposable
     {
         Task<string> GetAuthorityAsync(Uri organizationUri);
-        Task<string> CreatePersonalAccessTokenAsync(Uri organizationUri, string accessToken, IEnumerable<string> scopes);
+        Task<string> CreatePersonalAccessTokenAsync(Uri organizationUri, JsonWebToken accessToken, IEnumerable<string> scopes);
     }
 
     public class AzureDevOpsRestApi : IAzureDevOpsRestApi
@@ -84,7 +85,7 @@ public async Task<string> GetAuthorityAsync(Uri organizationUri)
             return commonAuthority;
         }
 
-        public async Task<string> CreatePersonalAccessTokenAsync(Uri organizationUri, string accessToken, IEnumerable<string> scopes)
+        public async Task<string> CreatePersonalAccessTokenAsync(Uri organizationUri, JsonWebToken accessToken, IEnumerable<string> scopes)
         {
             const string sessionTokenUrl = "_apis/token/sessiontokens?api-version=1.0&tokentype=compact";
 
@@ -93,7 +94,7 @@ public async Task<string> CreatePersonalAccessTokenAsync(Uri organizationUri, st
             {
                 throw new ArgumentException($"Provided URI '{organizationUri}' is not a valid Azure DevOps hostname", nameof(organizationUri));
             }
-            EnsureArgument.NotNullOrWhiteSpace(accessToken, nameof(accessToken));
+            EnsureArgument.NotNull(accessToken, nameof(accessToken));
 
             _context.Trace.WriteLine("Getting Azure DevOps Identity Service endpoint...");
             Uri identityServiceUri = await GetIdentityServiceUriAsync(organizationUri, accessToken);
@@ -134,7 +135,7 @@ public async Task<string> CreatePersonalAccessTokenAsync(Uri organizationUri, st
 
         #region Private Methods
 
-        private async Task<Uri> GetIdentityServiceUriAsync(Uri organizationUri, string accessToken)
+        private async Task<Uri> GetIdentityServiceUriAsync(Uri organizationUri, JsonWebToken accessToken)
         {
             const string locationServicePath = "_apis/ServiceDefinitions/LocationService2/951917AC-A960-4999-8464-E3F0AA25B381";
             const string locationServiceQuery = "api-version=1.0";
@@ -273,7 +274,7 @@ private static StringContent CreateAccessTokenRequestJson(Uri organizationUri, I
         /// <param name="content">Optional request content.</param>
         /// <param name="bearerToken">Optional bearer token for authorization.</param>
         /// <returns>HTTP request message.</returns>
-        private static HttpRequestMessage CreateRequestMessage(HttpMethod method, Uri uri, HttpContent content = null, string bearerToken = null)
+        private static HttpRequestMessage CreateRequestMessage(HttpMethod method, Uri uri, HttpContent content = null, JsonWebToken bearerToken = null)
         {
             var request = new HttpRequestMessage(method, uri);
 
@@ -282,9 +283,9 @@ private static HttpRequestMessage CreateRequestMessage(HttpMethod method, Uri ur
                 request.Content = content;
             }
 
-            if (!string.IsNullOrWhiteSpace(bearerToken))
+            if (bearerToken != null)
             {
-                request.Headers.Authorization = new AuthenticationHeaderValue(Constants.Http.WwwAuthenticateBearerScheme, bearerToken);
+                request.Headers.Authorization = new AuthenticationHeaderValue(Constants.Http.WwwAuthenticateBearerScheme, bearerToken.EncodedToken);
             }
 
             return request;

src/shared/Microsoft.AzureRepos/AzureReposHostProvider.cs

@@ -5,6 +5,7 @@
 using System.Threading.Tasks;
 using Microsoft.Git.CredentialManager;
 using Microsoft.Git.CredentialManager.Authentication;
+using Microsoft.IdentityModel.JsonWebTokens;
 using KnownGitCfg = Microsoft.Git.CredentialManager.Constants.GitConfiguration;
 
 namespace Microsoft.AzureRepos
@@ -73,13 +74,14 @@ public override async Task<ICredential> GenerateCredentialAsync(InputArguments i
 
             // Get an AAD access token for the Azure DevOps SPS
             Context.Trace.WriteLine("Getting Azure AD access token...");
-            string accessToken = await _msAuth.GetAccessTokenAsync(
+            JsonWebToken accessToken = await _msAuth.GetAccessTokenAsync(
                 authAuthority,
                 AzureDevOpsConstants.AadClientId,
                 AzureDevOpsConstants.AadRedirectUri,
                 AzureDevOpsConstants.AadResourceId,
                 remoteUri);
-            Context.Trace.WriteLineSecrets("Acquired access token. Token='{0}'", new object[] {accessToken});
+            string atUser = accessToken.GetAzureUserName();
+            Context.Trace.WriteLineSecrets($"Acquired Azure access token. User='{atUser}' Token='{{0}}'", new object[] {accessToken.EncodedToken});
 
             // Ask the Azure DevOps instance to create a new PAT
             var patScopes = new[]

src/shared/Microsoft.Git.CredentialManager/Authentication/MicrosoftAuthentication.cs

@@ -5,12 +5,14 @@
 using System.IO;
 using System.Reflection;
 using System.Threading.Tasks;
+using Microsoft.IdentityModel.JsonWebTokens;
 
 namespace Microsoft.Git.CredentialManager.Authentication
 {
     public interface IMicrosoftAuthentication
     {
-        Task<string> GetAccessTokenAsync(string authority, string clientId, Uri redirectUri, string resource, Uri remoteUri);
+        Task<JsonWebToken> GetAccessTokenAsync(string authority, string clientId, Uri redirectUri, string resource,
+            Uri remoteUri);
     }
 
     public class MicrosoftAuthentication : AuthenticationBase, IMicrosoftAuthentication
@@ -25,7 +27,8 @@ public class MicrosoftAuthentication : AuthenticationBase, IMicrosoftAuthenticat
         public MicrosoftAuthentication(ICommandContext context)
             : base(context) {}
 
-        public async Task<string> GetAccessTokenAsync(string authority, string clientId, Uri redirectUri, string resource, Uri remoteUri)
+        public async Task<JsonWebToken> GetAccessTokenAsync(string authority, string clientId, Uri redirectUri,
+            string resource, Uri remoteUri)
         {
             string helperPath = FindHelperExecutablePath();
 
@@ -45,7 +48,7 @@ public async Task<string> GetAccessTokenAsync(string authority, string clientId,
                 throw new Exception("Missing access token in response");
             }
 
-            return accessToken;
+            return new JsonWebToken(accessToken);
         }
 
         private string FindHelperExecutablePath()

src/shared/Microsoft.Git.CredentialManager/JsonWebTokenExtensions.cs

@@ -0,0 +1,33 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT license.
+using System;
+using System.Security.Claims;
+using Microsoft.IdentityModel.JsonWebTokens;
+
+namespace Microsoft.Git.CredentialManager
+{
+    public static class JsonWebTokenExtensions
+    {
+        public static string GetAzureUserName(this JsonWebToken jwt)
+        {
+            string idp = jwt.TryGetClaim("idp", out Claim idpClaim)
+                ? idpClaim.Value.ToLowerInvariant()
+                : null;
+
+            // If the identity provider is AAD (*not* MSA) we should use the UPN claim
+            if (!StringComparer.OrdinalIgnoreCase.Equals(idp, "live.com") &&
+                jwt.TryGetClaim("upn", out Claim upnClaim))
+            {
+                return upnClaim.Value;
+            }
+
+            // For MSA IDPs or if the UPN claim is missing, we should use the 'email' claim
+            if (jwt.TryGetClaim("email", out Claim emailClaim))
+            {
+                return emailClaim.Value;
+            }
+
+            return null;
+        }
+    }
+}

src/shared/Microsoft.Git.CredentialManager/Microsoft.Git.CredentialManager.csproj

@@ -16,6 +16,7 @@
 
   <ItemGroup>
     <PackageReference Include="LibGit2Sharp.NativeBinaries" Version="2.0.278" />
+    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="5.5.0" />
   </ItemGroup>
 
 </Project>

src/shared/TestInfrastructure/TestHelpers.cs

@@ -0,0 +1,17 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT license.
+using Microsoft.IdentityModel.JsonWebTokens;
+
+namespace Microsoft.Git.CredentialManager.Tests
+{
+    public static class TestHelpers
+    {
+        public static JsonWebToken CreateJwt(string upn = "test")
+        {
+            string header = @"{ 'alg': 'none' }";
+            string payload = $@"{{ 'upn': '{upn}' }}";
+
+            return new JsonWebToken(header, payload);
+        }
+    }
+}

src/windows/Installer.Windows/Setup.iss

@@ -90,3 +90,6 @@ Source: "{#PayloadDir}\Microsoft.AzureRepos.dll";                      DestDir:
 Source: "{#PayloadDir}\Microsoft.Git.CredentialManager.dll";           DestDir: "{app}"; Flags: ignoreversion
 Source: "{#PayloadDir}\Microsoft.Identity.Client.dll";                 DestDir: "{app}"; Flags: ignoreversion
 Source: "{#PayloadDir}\Microsoft.Identity.Client.Extensions.Msal.dll"; DestDir: "{app}"; Flags: ignoreversion
+Source: "{#PayloadDir}\Microsoft.IdentityModel.JsonWebTokens.dll"; DestDir: "{app}"; Flags: ignoreversion
+Source: "{#PayloadDir}\Microsoft.IdentityModel.Logging.dll"; DestDir: "{app}"; Flags: ignoreversion
+Source: "{#PayloadDir}\Microsoft.IdentityModel.Tokens.dll"; DestDir: "{app}"; Flags: ignoreversion