microsoft-identity-web
Microsoft.Identity.Web.TokenAcquisition needs to support getting Pop and MSAuth1.0AT Pop tokens
Why?
ITokenAcquirer can support any token type. There are really two token types, Bearer and Pop, and the Pop protocol comes in two flavors: MsAuth1.0ATPop (which Bogdan calls legacy Pop below) and Pop (which Bogdan calls new Pop).
What?
AcquireTokenOptions has a member PopPublicKey which contains a metadata representation of the key.
TokenAcquisition needs to use this member to call MSAL depending on the key.
Work to plan
- [x] Add PopPublicKey to TokenAcquisitionOptions
- [x] In TokenAcquisition, if PopPublicKey is used, pass it to MSAL as described below.
How to pass the PopPublicKey
Copied from an email from Bogdan (attached in Product Backlog Item 1963642: Microsoft.Identity.Web.TokenAcquisition supports getting Pop and MSAuth1.0AT Pop tokens)
New POP (Pop)
Summary: a metadata representation of the key is sufficient.
Details:
- jwk = json representation of the public key, standardized format
- base64EncodedJwk = base64_url_encode(jwk)
- reqCnf = base64_url_encode "{{""kid"":""{base64EncodedJwk}""}}";
The reqCnf is put on the wire, along with the client assertion.
Legacy POP (MSAuth1.0 AT Pop)
Summary: a metadata representation of the key is also sufficient
Details:
- Create a signed JWT assertion which includes:
  - algorithm, key id, x5c (optional)
  - the typical client assertion claims (iss, aud, sub etc.) AND a pop_jwk which includes the JWK, algorithm and key id
  - all of it is SIGNED with the client certificate KEY (not with the POP key)
Work paused until this is released in MSAL.NET: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/3597
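The new Pop derivation above (jwk -> base64url(jwk) -> base64url of a JSON object whose kid is that string) is easy to get subtly wrong, so here is an added, stand-alone example that builds reqCnf that way and also parses one back, rejecting a JWK that carries private-key members. It is not code from Microsoft.Identity.Web or MSAL.NET; the sample JWK is constructed and not a real key.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as used in JWK/JWT material."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding urlsafe_b64decode needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_req_cnf(jwk: dict) -> str:
    """New Pop: reqCnf = base64url('{"kid":"<base64url(jwk)>"}').

    The JWK is serialized compactly and with sorted keys so the same key
    always yields the same kid string.
    """
    jwk_json = json.dumps(jwk, separators=(",", ":"), sort_keys=True)
    base64_encoded_jwk = b64url_encode(jwk_json.encode("utf-8"))
    cnf_json = json.dumps({"kid": base64_encoded_jwk}, separators=(",", ":"))
    return b64url_encode(cnf_json.encode("utf-8"))


def parse_req_cnf(req_cnf: str) -> dict:
    """Reverse the derivation and return the public JWK.

    Raises ValueError if the shape is not exactly {"kid": <base64url jwk>}
    or if the embedded JWK contains private-key members, since only the
    public part of the Pop key may ever be put on the wire.
    """
    cnf = json.loads(b64url_decode(req_cnf))
    if set(cnf) != {"kid"} or not isinstance(cnf["kid"], str):
        raise ValueError("reqCnf must be exactly {'kid': <base64url jwk>}")
    jwk = json.loads(b64url_decode(cnf["kid"]))
    if "kty" not in jwk:
        raise ValueError("decoded kid is not a JWK (missing kty)")
    private_members = {"d", "p", "q", "dp", "dq", "qi"}
    if private_members & set(jwk):
        raise ValueError("JWK carries private-key members; send only the public part")
    return jwk


# Constructed sample RSA public JWK (not a real key; modulus shortened).
SAMPLE_JWK = {"kty": "RSA", "alg": "RS256", "e": "AQAB", "n": "sample_modulus_value"}
```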