microsoft-authentication-library-for-dotnet icon indicating copy to clipboard operation
microsoft-authentication-library-for-dotnet copied to clipboard

Published 20 hours ago verified publisher icon AzureAD

[Feature Request] Enable extensions in the authentication MSAL flow

Open trwalke opened this issue 1 year ago • 1 comments

MSAL client type

Confidential

Problem statement

Certain application would like to extend MSAL's authentication flow to suit their needs.

Proposed solution

Enable the extension of MSAL authentication operations with the implementation of IAuthenticaitonOperation

    public interface IAuthenticationOperation
    {

        int TelemetryTokenType { get; }

        /// <summary>
        /// Prefix for the HTTP header that has the token. E.g. "Bearer" or "POP"
        /// </summary>
        string AuthorizationHeaderPrefix { get; }

        /// <summary>
        /// Extra parameters that are added to the request to the /token endpoint. 
        /// </summary>
        /// <returns>Name and values of params</returns>
        IReadOnlyDictionary<string, string> GetTokenRequestParams();

        /// <summary>
        /// Key ID of the public / private key pair used by the encryption algorithm, if any. 
        /// Tokens obtained by authentication schemes that use this are bound to the KeyId, i.e. 
        /// if a different kid is presented, the access token cannot be used.
        /// </summary>
        string KeyId { get; }

        /// <summary>
        /// Creates the access token that goes into an Authorization HTTP header. 
        /// </summary>
        void FormatResult(AuthenticationResult authenticationResult);

        /// <summary>
        /// Expected to match the token_type parameter returned by ESTS. Used to disambiguate
        /// between ATs of different types (e.g. Bearer and PoP) when loading from cache etc.
        /// </summary>
        string AccessTokenType { get; }
    }

The implementation will be injected into MSAL with the following API:

                MsalAuthenticationExtension cdtExtension = new MsalAuthenticationExtension()
                {
                    OnBeforeTokenRequestHandler = async (data) =>
                    {
                      ...
                    },

                    AuthenticationOperation = new MsalTestAuthenticationOperation(),
                    AdditionalCacheParameters = new[] { "additional_param1", "additional_param2" }
                };

                // Act
                var result = await app.AcquireTokenForClient(TestConstants.s_scope.ToArray())
                    .WithTenantId(TestConstants.Utid)
                    .WithAuthenticationExtension(cdtExtension)
                    .ExecuteAsync()
                    .ConfigureAwait(false);

Alternatives

No response

trwalke avatar Oct 16 '24 01:10 trwalke

Do we have or need a documentation for how to use this extension interface?

For example, in the CDT scenario, the following behaviors would be needed from a client-side SDK, how and where are they addressed by this extension interface?

  1. Tell the token cache to store a req_ds_cnf (or a hash of it) from the token REQUEST, and later use the same value for a cache look-up. Is this achieved by OnBeforeTokenRequestHandler, IAuthenticationOperation.KeyId or GetTokenRequestParams()?
  2. Tell the token cache to store an xms_ds_nonce from the token RESPONSE, and later retrieve it when building a CDT Is this achieved by AdditionalCacheParameters?
  3. Mint a CDT. This is done by IIAuthenticationOperation.FormatResult().

rayluo avatar Oct 19 '24 06:10 rayluo

@trwalke Ok to close this?

gladjohn avatar Oct 22 '24 15:10 gladjohn

I think so, but it isnt going to be used by anyone at the moment except MISE and it is still in preview. @bgavrilMS does it make sense to add public or internal docs for this?

trwalke avatar Oct 22 '24 18:10 trwalke