Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Proposal to enable MISE with SAL compatibility with Microsoft.Identity.Web #1483

Closed
wants to merge 1 commit into from
Closed

Proposal to enable MISE with SAL compatibility with Microsoft.Identity.Web #1483

wants to merge 1 commit into from

Conversation

jmprieur
Copy link
Collaborator

@jmprieur jmprieur commented Oct 11, 2021
edited
Loading

@jennyf19
This is an initial proposal, in order to trying things out and prototype APIs on the MISE side
this is just to open the discussion, but nothing definitive and plenty of work to do

@jmprieur jmprieur requested a review from jennyf19 October 11, 2021 01:52
jmprieur
jmprieur commented Oct 11, 2021
View reviewed changes
src/Microsoft.Identity.Web/HttpContextExtensions.cs
@@ -28,12 +29,12 @@ internal static void StoreTokenUsedToCallWebAPI(this HttpContext httpContext, Jw
/// </summary>
/// <param name="httpContext">HTTP context associated with the current request.</param>
/// <returns><see cref="JwtSecurityToken"/> used to call the web API.</returns>
internal static JwtSecurityToken? GetTokenUsedToCallWebAPI(this HttpContext httpContext)
internal static SecurityToken? GetTokenUsedToCallWebAPI(this HttpContext httpContext)
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

JwtBearer generates a JwtSecurityToken, whereas SAL generates a JsonWebToken (new generation that does not depend on NewtonSoft).
In order for Microsoft.Identity.Web to support both, we now return the base class (SecurityToken)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will also allow other token types.

jmprieur
jmprieur commented Oct 11, 2021
View reviewed changes
src/Microsoft.Identity.Web/MergedOptions.cs
@@ -13,7 +13,7 @@ namespace Microsoft.Identity.Web
/// Options for configuring authentication using Azure Active Directory. It has both AAD and B2C configuration attributes.
/// Merges the MicrosoftIdentityWebOptions and the ConfidentialClientApplicationOptions.
/// </summary>
internal class MergedOptions : MicrosoftIdentityOptions
public class MergedOptions : MicrosoftIdentityOptions
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MergedOptions needs to be exposed in the MISE extension for Id.Web.
Alternatively have a friend assembly, but I think we said we prefer not too (for breaking changes)

jmprieur
jmprieur commented Oct 11, 2021
View reviewed changes
src/Microsoft.Identity.Web/MergedOptions.cs
@@ -252,7 +252,7 @@ internal static void UpdateMergedOptionsFromMicrosoftIdentityOptions(MicrosoftId
}
}

internal static void UpdateMergedOptionsFromConfidentialClientApplicationOptions(ConfidentialClientApplicationOptions confidentialClientApplicationOptions, MergedOptions mergedOptions)
public static void UpdateMergedOptionsFromConfidentialClientApplicationOptions(ConfidentialClientApplicationOptions confidentialClientApplicationOptions, MergedOptions mergedOptions)
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs to be called in the Mise extension for Id.Web

jmprieur
jmprieur commented Oct 11, 2021
View reviewed changes
src/Microsoft.Identity.Web/TokenAcquisition.cs
@@ -251,6 +253,12 @@ internal MergedOptions GetOptions(string authenticationScheme)
authenticationScheme = GetEffectiveAuthenticationScheme(authenticationScheme);
MergedOptions mergedOptions = GetOptions(authenticationScheme);

if (string.IsNullOrEmpty(mergedOptions.Instance))
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Like what was done in GetAuthenticationResultForApp in the case of anonymous controllers

jmprieur
jmprieur commented Oct 11, 2021
View reviewed changes
src/Microsoft.Identity.Web/TokenAcquisition.cs
@@ -767,15 +775,12 @@ private IConfidentialClientApplication BuildConfidentialClientApplication(Merged
try
{
// In web API, validatedToken will not be null
JwtSecurityToken? validatedToken = CurrentHttpContext?.GetTokenUsedToCallWebAPI();
SecurityToken? validatedToken = CurrentHttpContext?.GetTokenUsedToCallWebAPI();
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Jwt returns a JwtToken, whereas SAL returns a JsonWebToken. Now providing the base class and a new method that tries both

jmprieur
jmprieur commented Oct 11, 2021
View reviewed changes
src/Microsoft.Identity.Web/TokenAcquisition.cs
@@ -817,6 +822,26 @@ private IConfidentialClientApplication BuildConfidentialClientApplication(Merged
}
}

private static string? GetActualToken(SecurityToken? validatedToken)
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New method that returns the token to use for OBO:

  • whether it's an encrypted token or not
  • whether its a JwtSecurityToken or a JsonWebToken.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How do we handle RPS (MSA tickets)?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Today, this is not handled. What do you suggest, @brentschmaltz ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jmprieur i suggest that long term, id.web uses SAL for creating all inbound / outbound requests.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@brentschmaltz Today, SAL is 1P. We wouldn't be able to use in a 3P library.

@jmprieur jmprieur changed the title Proposal to make the MISE with SAL compatible with Microsoft.Identity.Web Proposal to enable MISE with SAL compatibility with Microsoft.Identity.Web Oct 11, 2021
@jmprieur jmprieur marked this pull request as draft October 11, 2021 02:10
@sonarqubecloud
Copy link

SonarCloud Quality Gate failed.    Quality Gate failed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 35 Code Smells

55.0% 55.0% Coverage
0.0% 0.0% Duplication

jennyf19 added a commit that referenced this pull request Oct 18, 2021
@jennyf19
take JM's PR #1483
f3a15fe
jennyf19 added a commit that referenced this pull request Oct 18, 2021
@jennyf19
take JM's PR #1483 (#1492)
8a466b3
jennyf19 added a commit that referenced this pull request Oct 18, 2021
@jennyf19
add special builder, not reliant on jwt (#1491)
9557370 
* add auth builder for token acqusition

* update XML

* update comment

* take JM's PR #1483 (#1492)

* PR feedback
@jennyf19
Copy link
Collaborator

work is complete. closing this POC>

@jennyf19 jennyf19 closed this Dec 31, 2021
@jmprieur jmprieur deleted the jmprieur/miseIntegrationProposal branch January 4, 2022 19:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brentschmaltz brentschmaltz brentschmaltz left review comments

@jennyf19 jennyf19 Awaiting requested review from jennyf19

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jmprieur @jennyf19 @brentschmaltz