
[Engineering task] re-enable the use of SHA2 and PSS for creating client credentials from certificate

Open gladjohn opened this issue 10 months ago • 0 comments

Task type

Development

Description

Relates to Issue #4690

Because of a bug in Azure Active Directory (AAD) related to handling JWT tokens signed with certain algorithms, we rolled back the usage of SHA2 and PSS for creating client creds.

This item will track the rollback once the AAD fix has been applied.

More info here on rollback steps

Solution

revert to using

// SHA-2 / PSS client credentials are supported for every authority type
// except dSTS, generic and ADFS.
internal bool IsSha2CredentialSupported =>
    AuthorityType != AuthorityType.Dsts &&
    AuthorityType != AuthorityType.Generic &&
    AuthorityType != AuthorityType.Adfs;

Summary of Changes

Removal of Hardcoded Value: The temporary fix that set IsSha2CredentialSupported to always return false will be removed. This was a workaround implemented to address a specific issue with JWT token signing algorithms not being supported under certain conditions.

Reintroduction of Conditional Logic: The original conditional logic that dynamically determines the value of IsSha2CredentialSupported based on the AuthorityType will be restored. This logic checks if the AuthorityType is not Dsts, Generic, or Adfs. If the AuthorityType is none of these, SHA2 and PSS are considered supported for creating client credentials from a certificate.

gladjohn Apr 02 '24 15:04
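As an added illustration (not MSAL.NET's own code), the gating logic described in the issue wired into a small client-assertion signer, so the effect of the AuthorityType check on the signature that gets produced is visible. The enum member Aad, the class and method names, and the mapping of "SHA2 and PSS" to a PS256 signature with a SHA-256 thumbprint header (x5t#S256) versus RS256 with a SHA-1 thumbprint (x5t) are assumptions, not facts stated in the issue.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Assumed enum: only Dsts, Generic and Adfs are named in the issue; Aad is an assumed member.
enum AuthorityType { Aad, Dsts, Generic, Adfs }

sealed class ClientAssertionSigner
{
    public AuthorityType AuthorityType { get; init; }

    // Gating logic from the issue: SHA-2 / PSS only for authorities other than dSTS, generic and ADFS.
    internal bool IsSha2CredentialSupported =>
        AuthorityType != AuthorityType.Dsts &&
        AuthorityType != AuthorityType.Generic &&
        AuthorityType != AuthorityType.Adfs;

    // JWT uses base64url (no padding) for header values and signatures.
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Assumption: "SHA2 and PSS" means a PS256 signature plus an x5t#S256 (SHA-256) thumbprint
    // header; the fallback is RS256 (PKCS#1 v1.5) with the legacy x5t (SHA-1) thumbprint.
    public (string Alg, string ThumbprintHeader, string Thumbprint, string Signature)
        Sign(X509Certificate2 cert, byte[] signingInput)
    {
        using RSA rsa = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("certificate has no RSA private key");
        if (IsSha2CredentialSupported)
        {
            byte[] sig = rsa.SignData(signingInput, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
            return ("PS256", "x5t#S256", B64Url(cert.GetCertHash(HashAlgorithmName.SHA256)), B64Url(sig));
        }
        byte[] legacy = rsa.SignData(signingInput, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return ("RS256", "x5t", B64Url(cert.GetCertHash(HashAlgorithmName.SHA1)), B64Url(legacy));
    }

    static void Main()
    {
        // Constructed self-signed test certificate; in practice this is the registered app certificate.
        using RSA key = RSA.Create(2048);
        var req = new CertificateRequest("CN=example-client", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
        byte[] input = Encoding.ASCII.GetBytes("header.payload"); // constructed JWS signing input
        foreach (var authority in new[] { AuthorityType.Aad, AuthorityType.Adfs })
        {
            var r = new ClientAssertionSigner { AuthorityType = authority }.Sign(cert, input);
            Console.WriteLine($"{authority}: alg={r.Alg} {r.ThumbprintHeader}={r.Thumbprint}");
        }
    }
}
```

With the gating restored, the Aad case produces the PS256 / x5t#S256 form and the Adfs case stays on RS256 / x5t; with the temporary hardcoded false, both would produce the legacy form.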