Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Feature Request] Enable extensions in the authentication MSAL flow #4956

Open
trwalke opened this issue Oct 16, 2024 · 3 comments
Open

[Feature Request] Enable extensions in the authentication MSAL flow #4956

trwalke opened this issue Oct 16, 2024 · 3 comments

Comments

@trwalke
Copy link
Member

trwalke commented Oct 16, 2024

MSAL client type

Confidential

Problem statement

Certain application would like to extend MSAL's authentication flow to suit their needs.

Proposed solution

Enable the extension of MSAL authentication operations with the implementation of IAuthenticaitonOperation

    public interface IAuthenticationOperation
    {

        int TelemetryTokenType { get; }

        /// <summary>
        /// Prefix for the HTTP header that has the token. E.g. "Bearer" or "POP"
        /// </summary>
        string AuthorizationHeaderPrefix { get; }

        /// <summary>
        /// Extra parameters that are added to the request to the /token endpoint. 
        /// </summary>
        /// <returns>Name and values of params</returns>
        IReadOnlyDictionary<string, string> GetTokenRequestParams();

        /// <summary>
        /// Key ID of the public / private key pair used by the encryption algorithm, if any. 
        /// Tokens obtained by authentication schemes that use this are bound to the KeyId, i.e. 
        /// if a different kid is presented, the access token cannot be used.
        /// </summary>
        string KeyId { get; }

        /// <summary>
        /// Creates the access token that goes into an Authorization HTTP header. 
        /// </summary>
        void FormatResult(AuthenticationResult authenticationResult);

        /// <summary>
        /// Expected to match the token_type parameter returned by ESTS. Used to disambiguate
        /// between ATs of different types (e.g. Bearer and PoP) when loading from cache etc.
        /// </summary>
        string AccessTokenType { get; }
    }

The implementation will be injected into MSAL with the following API:

                MsalAuthenticationExtension cdtExtension = new MsalAuthenticationExtension()
                {
                    OnBeforeTokenRequestHandler = async (data) =>
                    {
                      ...
                    },

                    AuthenticationOperation = new MsalTestAuthenticationOperation(),
                    AdditionalCacheParameters = new[] { "additional_param1", "additional_param2" }
                };

                // Act
                var result = await app.AcquireTokenForClient(TestConstants.s_scope.ToArray())
                    .WithTenantId(TestConstants.Utid)
                    .WithAuthenticationExtension(cdtExtension)
                    .ExecuteAsync()
                    .ConfigureAwait(false);

Alternatives

No response

@trwalke trwalke added untriaged Do not delete. Needed for Automation needs attention Delete label after triage confidential-client extensibility and removed untriaged Do not delete. Needed for Automation needs attention Delete label after triage labels Oct 16, 2024
@gladjohn gladjohn moved this from Committed to In Progress in MSAL Customer Trust / QM Oct 18, 2024
@rayluo
Copy link
Contributor

rayluo commented Oct 19, 2024

Do we have or need a documentation for how to use this extension interface?

For example, in the CDT scenario, the following behaviors would be needed from a client-side SDK, how and where are they addressed by this extension interface?

  1. Tell the token cache to store a req_ds_cnf (or a hash of it) from the token REQUEST, and later use the same value for a cache look-up.
    Is this achieved by OnBeforeTokenRequestHandler, IAuthenticationOperation.KeyId or GetTokenRequestParams()?
  2. Tell the token cache to store an xms_ds_nonce from the token RESPONSE, and later retrieve it when building a CDT
    Is this achieved by AdditionalCacheParameters?
  3. Mint a CDT. This is done by IIAuthenticationOperation.FormatResult().

@gladjohn gladjohn moved this from In Progress to Done in MSAL Customer Trust / QM Oct 22, 2024
@gladjohn
Copy link
Contributor

@trwalke Ok to close this?

@trwalke
Copy link
Member Author

trwalke commented Oct 22, 2024

I think so, but it isnt going to be used by anyone at the moment except MISE and it is still in preview. @bgavrilMS does it make sense to add public or internal docs for this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: Done
Development

No branches or pull requests

3 participants