private void AddBodyParamsAndHeaders(IDictionary <string, string> additionalBodyParameters, string scopes)
{
_oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientId, _requestParams.AppConfig.ClientId);
_oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientInfo, "1");
if (_requestParams.ClientCredential != null)
{
Dictionary <string, string> ccBodyParameters = ClientCredentialHelper.CreateClientCredentialBodyParameters(
_requestParams.RequestContext.Logger,
_serviceBundle.PlatformProxy.CryptographyManager,
_requestParams.ClientCredential,
_requestParams.AppConfig.ClientId,
_requestParams.Endpoints,
_requestParams.SendX5C);
foreach (var entry in ccBodyParameters)
{
_oAuth2Client.AddBodyParameter(entry.Key, entry.Value);
}
}
_oAuth2Client.AddBodyParameter(OAuth2Parameter.Scope, scopes);
_oAuth2Client.AddBodyParameter(OAuth2Parameter.Claims, _requestParams.ClaimsAndClientCapabilities);
foreach (var kvp in additionalBodyParameters)
{
_oAuth2Client.AddBodyParameter(kvp.Key, kvp.Value);
}
foreach (var kvp in _requestParams.AuthenticationScheme.GetTokenRequestParams())
{
_oAuth2Client.AddBodyParameter(kvp.Key, kvp.Value);
}
_oAuth2Client.AddHeader(
TelemetryConstants.XClientCurrentTelemetry,
_serviceBundle.HttpTelemetryManager.GetCurrentRequestHeader(
_requestParams.RequestContext.ApiEvent));
if (!_requestInProgress)
{
_requestInProgress = true;
_oAuth2Client.AddHeader(
TelemetryConstants.XClientLastTelemetry,
_serviceBundle.HttpTelemetryManager.GetLastRequestHeader());
}
//Signaling that the client can perform PKey Auth on supported platforms
if (DeviceAuthHelper.CanOSPerformPKeyAuth())
{
_oAuth2Client.AddHeader(PKeyAuthConstants.DeviceAuthHeaderName, PKeyAuthConstants.DeviceAuthHeaderValue);
}
}
private void AddBodyParamsAndHeaders(IDictionary <string, string> additionalBodyParameters, string scopes)
{
_oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientId, _requestParams.ClientId);
_oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientInfo, "1");
#if DESKTOP || NETSTANDARD1_3 || NET_CORE
if (_requestParams.ClientCredential != null)
{
Dictionary <string, string> ccBodyParameters = ClientCredentialHelper.CreateClientCredentialBodyParameters(
_requestParams.RequestContext.Logger,
_serviceBundle.PlatformProxy.CryptographyManager,
_requestParams.ClientCredential,
_requestParams.ClientId,
_requestParams.Endpoints,
_requestParams.SendX5C);
foreach (var entry in ccBodyParameters)
{
_oAuth2Client.AddBodyParameter(entry.Key, entry.Value);
}
}
#endif
_oAuth2Client.AddBodyParameter(OAuth2Parameter.Scope, scopes);
_oAuth2Client.AddBodyParameter(OAuth2Parameter.Claims, _requestParams.ClaimsAndClientCapabilities);
foreach (var kvp in additionalBodyParameters)
{
_oAuth2Client.AddBodyParameter(kvp.Key, kvp.Value);
}
foreach (var kvp in _requestParams.AuthenticationScheme.GetTokenRequestParams())
{
_oAuth2Client.AddBodyParameter(kvp.Key, kvp.Value);
}
_oAuth2Client.AddHeader(
TelemetryConstants.XClientCurrentTelemetry,
_serviceBundle.HttpTelemetryManager.GetCurrentRequestHeader(
_requestParams.RequestContext.ApiEvent));
if (!_requestInProgress)
{
_requestInProgress = true;
_oAuth2Client.AddHeader(
TelemetryConstants.XClientLastTelemetry,
_serviceBundle.HttpTelemetryManager.GetLastRequestHeader());
}
}
public void ClientAssertionRequestValidatorExpirationTimeTest()
{
var credential = ClientCredentialWrapper.CreateWithSecret(TestConstants.ClientSecret);
credential.Audience = _audience1;
credential.ContainsX5C = false;
credential.CachedAssertion = TestConstants.DefaultClientAssertion;
credential.ValidTo = ConvertToTimeT(DateTime.UtcNow + TimeSpan.FromSeconds(JwtToAadLifetimeInSeconds));
// Validate cached client assertion with expiration time
// Cached assertion should be valid
Assert.IsTrue(ClientCredentialHelper.ValidateClientAssertion(credential, _audience1, false));
// Setting expiration time to now
credential.ValidTo = ConvertToTimeT(DateTime.UtcNow);
// cached assertion should have expired
Assert.IsFalse(ClientCredentialHelper.ValidateClientAssertion(credential, _audience1, false));
}
public void ClientAssertionRequestValidatorExpirationTimeTest()
{
var credential = new ClientCredentialWrapper(MsalTestConstants.ClientSecret)
{
Audience = "Audience1",
ContainsX5C = false,
Assertion = MsalTestConstants.DefaultClientAssertion,
ValidTo = ConvertToTimeT(DateTime.UtcNow + TimeSpan.FromSeconds(JwtToAadLifetimeInSeconds))
};
// Validate cached client assertion with expiration time
// Cached assertion should be valid
Assert.IsTrue(ClientCredentialHelper.ValidateClientAssertion(credential, new AuthorityEndpoints(null, null, "Audience1"), false));
// Setting expiration time to now
credential.ValidTo = ConvertToTimeT(DateTime.UtcNow);
// cached assertion should have expired
Assert.IsFalse(ClientCredentialHelper.ValidateClientAssertion(credential, new AuthorityEndpoints(null, null, "Audience1"), false));
}
public void ClientAssertionRequestValidatorMismatchParameterTest()
{
string Audience1 = "Audience1";
string Audience2 = "Audience2";
var credential = new ClientCredentialWrapper(MsalTestConstants.ClientSecret)
{
Audience = Audience1,
ContainsX5C = false,
Assertion = MsalTestConstants.DefaultClientAssertion,
ValidTo = ConvertToTimeT(DateTime.UtcNow + TimeSpan.FromSeconds(JwtToAadLifetimeInSeconds))
};
// Validate cached client assertion with parameters
Assert.IsTrue(ClientCredentialHelper.ValidateClientAssertion(credential, new AuthorityEndpoints(null, null, Audience1), false));
// Different audience
credential.Audience = Audience2;
// cached assertion should be invalid
Assert.IsFalse(ClientCredentialHelper.ValidateClientAssertion(credential, new AuthorityEndpoints(null, null, Audience1), false));
// Different x5c, same audience
credential.Audience = Audience1;
credential.ContainsX5C = true;
// cached assertion should be invalid
Assert.IsFalse(ClientCredentialHelper.ValidateClientAssertion(credential, new AuthorityEndpoints(null, null, Audience1), false));
// Different audience and x5c
credential.Audience = Audience2;
// cached assertion should be invalid
Assert.IsFalse(ClientCredentialHelper.ValidateClientAssertion(credential, new AuthorityEndpoints(null, null, Audience1), false));
// No cached Assertion
credential.Assertion = "";
// should return false
Assert.IsFalse(ClientCredentialHelper.ValidateClientAssertion(credential, new AuthorityEndpoints(null, null, Audience1), false));
}
public void ClientAssertionRequestValidatorMismatchParameterTest()
{
var credential = ClientCredentialWrapper.CreateWithSecret(TestConstants.ClientSecret);
credential.Audience = _audience1;
credential.ContainsX5C = false;
credential.CachedAssertion = TestConstants.DefaultClientAssertion;
credential.ValidTo = ConvertToTimeT(DateTime.UtcNow + TimeSpan.FromSeconds(JwtToAadLifetimeInSeconds));
// Validate cached client assertion with parameters
Assert.IsTrue(ClientCredentialHelper.ValidateClientAssertion(credential, _audience1, false));
// Different audience
credential.Audience = _audience2;
// cached assertion should be invalid
Assert.IsFalse(ClientCredentialHelper.ValidateClientAssertion(credential, _audience1, false));
// Different x5c, same audience
credential.Audience = _audience1;
credential.ContainsX5C = true;
// cached assertion should be invalid
Assert.IsFalse(ClientCredentialHelper.ValidateClientAssertion(credential, _audience1, false));
// Different audience and x5c
credential.Audience = _audience2;
// cached assertion should be invalid
Assert.IsFalse(ClientCredentialHelper.ValidateClientAssertion(credential, _audience1, false));
// No cached Assertion
credential.CachedAssertion = "";
// should return false
Assert.IsFalse(ClientCredentialHelper.ValidateClientAssertion(credential, _audience1, false));
}
private void AddBodyParamsAndHeaders(IDictionary <string, string> additionalBodyParameters, string scopes)
{
_oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientId, _requestParams.AppConfig.ClientId);
_oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientInfo, "1");
if (_requestParams.ClientCredential != null)
{
Dictionary <string, string> ccBodyParameters = ClientCredentialHelper.CreateClientCredentialBodyParameters(
_requestParams.RequestContext.Logger,
_serviceBundle.PlatformProxy.CryptographyManager,
_requestParams.ClientCredential,
_requestParams.AppConfig.ClientId,
_requestParams.Endpoints,
_requestParams.SendX5C);
foreach (var entry in ccBodyParameters)
{
_oAuth2Client.AddBodyParameter(entry.Key, entry.Value);
}
}
_oAuth2Client.AddBodyParameter(OAuth2Parameter.Scope, scopes);
// Add Kerberos Ticket claims if there's valid service principal name in Configuration.
// Kerberos Ticket claim is only allowed at token request due to security issue.
// It should not be included for authorize request.
KerberosSupplementalTicketManager.AddKerberosTicketClaim(_oAuth2Client, _requestParams);
foreach (var kvp in additionalBodyParameters)
{
_oAuth2Client.AddBodyParameter(kvp.Key, kvp.Value);
}
foreach (var kvp in _requestParams.AuthenticationScheme.GetTokenRequestParams())
{
_oAuth2Client.AddBodyParameter(kvp.Key, kvp.Value);
}
_oAuth2Client.AddHeader(
TelemetryConstants.XClientCurrentTelemetry,
_serviceBundle.HttpTelemetryManager.GetCurrentRequestHeader(
_requestParams.RequestContext.ApiEvent));
if (!_requestInProgress)
{
_requestInProgress = true;
_oAuth2Client.AddHeader(
TelemetryConstants.XClientLastTelemetry,
_serviceBundle.HttpTelemetryManager.GetLastRequestHeader());
}
//Signaling that the client can perform PKey Auth on supported platforms
if (DeviceAuthHelper.CanOSPerformPKeyAuth())
{
_oAuth2Client.AddHeader(PKeyAuthConstants.DeviceAuthHeaderName, PKeyAuthConstants.DeviceAuthHeaderValue);
}
AddExtraHttpHeaders();
}
public async Task <MsalTokenResponse> SendTokenRequestAsync(
IDictionary <string, string> additionalBodyParameters,
string scopeOverride = null,
string tokenEndpointOverride = null,
CancellationToken cancellationToken = default)
{
string tokenEndpoint = tokenEndpointOverride ?? _requestParams.Endpoints.TokenEndpoint;
string scopes = !string.IsNullOrEmpty(scopeOverride) ? scopeOverride: GetDefaultScopes(_requestParams.Scope);
_oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientId, _requestParams.ClientId);
_oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientInfo, "1");
#if DESKTOP || NETSTANDARD1_3 || NET_CORE
if (_requestParams.ClientCredential != null)
{
Dictionary <string, string> ccBodyParameters = ClientCredentialHelper.CreateClientCredentialBodyParameters(
_requestParams.RequestContext.Logger,
_serviceBundle.PlatformProxy.CryptographyManager,
_requestParams.ClientCredential,
_requestParams.ClientId,
_requestParams.Endpoints,
_requestParams.SendX5C);
foreach (var entry in ccBodyParameters)
{
_oAuth2Client.AddBodyParameter(entry.Key, entry.Value);
}
}
#endif
_oAuth2Client.AddBodyParameter(OAuth2Parameter.Scope, scopes);
_oAuth2Client.AddBodyParameter(OAuth2Parameter.Claims, _requestParams.ClaimsAndClientCapabilities);
foreach (var kvp in additionalBodyParameters)
{
_oAuth2Client.AddBodyParameter(kvp.Key, kvp.Value);
}
foreach (var kvp in _requestParams.AuthenticationScheme.GetTokenRequestParams())
{
_oAuth2Client.AddBodyParameter(kvp.Key, kvp.Value);
}
MsalTokenResponse response = await SendHttpMessageAsync(tokenEndpoint)
.ConfigureAwait(false);
if (!string.Equals(
response.TokenType,
_requestParams.AuthenticationScheme.AccessTokenType,
StringComparison.OrdinalIgnoreCase))
{
throw new MsalClientException(
MsalError.TokenTypeMismatch,
MsalErrorMessage.TokenTypeMismatch(
_requestParams.AuthenticationScheme.AccessTokenType,
response.TokenType));
}
return(response);
}
