/// <summary>
/// Creates POP tokens, i.e. tokens that are bound to an HTTP request and are digitally signed.
/// </summary>
/// <remarks>
/// Currently the signing credential algorithm is hard-coded to RSA with SHA256. Extensibility should be done
/// by integrating Wilson's SigningCredentials
/// </remarks>
public PoPAuthenticationScheme(HttpRequestMessage httpRequestMessage, IPoPCryptoProvider popCryptoProvider)
{
_httpRequestMessage = httpRequestMessage ?? throw new ArgumentNullException(nameof(httpRequestMessage));
_popCryptoProvider = popCryptoProvider ?? throw new ArgumentNullException(nameof(popCryptoProvider));
_keyThumbprint = ComputeRsaThumbprint(_popCryptoProvider.CannonicalPublicKeyJwk);
KeyId = Base64UrlHelpers.Encode(_keyThumbprint);
}
private static void AssertSingedHttpRequestClaims(IPoPCryptoProvider popCryptoProvider, System.Security.Claims.ClaimsPrincipal claims)
{
Assert.AreEqual("GET", claims.FindAll("m").Single().Value);
Assert.AreEqual("www.contoso.com", claims.FindAll("u").Single().Value);
Assert.AreEqual("/path1/path2", claims.FindAll("p").Single().Value);
AssertTsAndJwkClaims(popCryptoProvider, claims);
}
private static void AssertTsAndJwkClaims(IPoPCryptoProvider popCryptoProvider, System.Security.Claims.ClaimsPrincipal claims)
{
long ts = long.Parse(claims.FindAll("ts").Single().Value);
CoreAssert.IsWithinRange(DateTimeOffset.UtcNow, DateTimeHelpers.UnixTimestampToDateTime(ts), TimeSpan.FromSeconds(5));
string jwkClaim = claims.FindAll("cnf").Single().Value;
JToken publicKey = JToken.Parse(popCryptoProvider.CannonicalPublicKeyJwk);
JObject jwkInConfig = new JObject(new JProperty(PoPClaimTypes.JWK, publicKey));
var jwkInToken = JObject.Parse(jwkClaim);
Assert.IsTrue(JObject.DeepEquals(jwkInConfig, jwkInToken));
}
/// <summary>
/// Creates POP tokens, i.e. tokens that are bound to an HTTP request and are digitally signed.
/// </summary>
/// <remarks>
/// Currently the signing credential algorithm is hard-coded to RSA with SHA256. Extensibility should be done
/// by integrating Wilson's SigningCredentials
/// </remarks>
public PopAuthenticationScheme(PoPAuthenticationConfiguration popAuthenticationConfiguration, IServiceBundle serviceBundle)
{
if (serviceBundle == null)
{
throw new ArgumentNullException(nameof(serviceBundle));
}
_popAuthenticationConfiguration = popAuthenticationConfiguration ?? throw new ArgumentNullException(nameof(popAuthenticationConfiguration));
_popCryptoProvider = _popAuthenticationConfiguration.PopCryptoProvider ?? serviceBundle.PlatformProxy.GetDefaultPoPCryptoProvider();
var keyThumbprint = ComputeThumbprint(_popCryptoProvider.CannonicalPublicKeyJwk);
KeyId = Base64UrlHelpers.Encode(keyThumbprint);
}
// Allows testing the PoP flow with any crypto. Consider making this public.
internal T WithProofOfPosession(HttpRequestMessage httpRequestMessage, IPoPCryptoProvider popCryptoProvider)
{
if (!ServiceBundle.Config.ExperimentalFeaturesEnabled)
{
throw new MsalClientException(
MsalError.ExperimentalFeature,
MsalErrorMessage.ExperimentalFeature(nameof(WithProofOfPosession)));
}
if (httpRequestMessage is null)
{
throw new ArgumentNullException(nameof(httpRequestMessage));
}
if (popCryptoProvider == null)
{
throw new ArgumentNullException(nameof(popCryptoProvider));
}
CommonParameters.AddApiTelemetryFeature(ApiTelemetryFeature.WithPoPScheme);
CommonParameters.AuthenticationScheme = new PoPAuthenticationScheme(httpRequestMessage, popCryptoProvider);
return(this as T);
}
