microsoft-authentication-library-for-dotnet icon indicating copy to clipboard operation
microsoft-authentication-library-for-dotnet copied to clipboard

Published 20 hours ago verified publisher icon AzureAD

[Bug] When will Proof of Possession be released?

Open sameerkapps opened this issue 11 months ago • 2 comments

Library version used

4.54.0

.NET version

N/A

Scenario

ConfidentialClient - service to service (AcquireTokenForClient)

Is this a new or an existing app?

None

Issue description and reproduction steps

Doc says that Pop token is experimental for confidential clients. Is the doc correct? If so, is when do you plan to remove it as experimental feature?

Relevant code snippets

No response

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

sameerkapps avatar Mar 15 '24 14:03 sameerkapps

Hi @sameerkapps - long time :)

We are looking into a different approach for POP for confidential client, based on MTLS, because it's faster.

I think the version of POP that is already out there as experimental is ok from security perspective and we will keep it (maybe we'll rename the API at some point).

Note that we don't have token validators for POP tokens, so if you need to protect your own web api, you'll have to customize token validation to handle these tokens. Microsoft APIs are adopting this.

bgavrilMS avatar Mar 19 '24 12:03 bgavrilMS

Thanks. We cannot use experimental api in the production code. So we will use the non-pop token. But still using the product. 😀

sameerkapps avatar Mar 20 '24 16:03 sameerkapps