[draft] sni + mtls #4965
Draft
[draft] sni + mtls #4965
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bgavrilMS
reviewed
Oct 22, 2024
src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Oct 22, 2024
src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs
Show resolved
Hide resolved
bgavrilMS
reviewed
Oct 22, 2024
src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs
Show resolved
Hide resolved
bgavrilMS
reviewed
Oct 22, 2024
src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Oct 22, 2024
| commonParameters.MtlsCertificate = _confidentialClientApplication.Certificate; | ||
| commonParameters.AuthenticationOperation = new MtlsPopAuthenticationOperation(_confidentialClientApplication.Certificate); | ||
| ServiceBundle.Config.ClientCredential = null; | ||
| ServiceBundle.Config.UseMtlsPop = true; |
There was a problem hiding this comment.
Avoid having this as the request level and at the app level.
bgavrilMS
reviewed
Oct 22, 2024
...oft.Identity.Client/ApiConfig/Parameters/AbstractAcquireTokenConfidentialClientParameters.cs
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Oct 22, 2024
| @@ -123,8 +123,9 @@ public string ClientVersion | |||
| public bool IsPublicClient => !IsConfidentialClient && !IsManagedIdentity; | |||
|
|
|||
| public Func<AppTokenProviderParameters, Task<AppTokenProviderResult>> AppTokenProvider; | |||
| public bool UseMtlsPop { get; internal set; } = false; | |||
bgavrilMS
reviewed
Oct 22, 2024
| KeyId = mtlsCert.Thumbprint; | ||
| } | ||
|
|
||
| public int TelemetryTokenType => (int)TokenType.Pop; |
There was a problem hiding this comment.
Pls use a different value here. This one is reserved fro SHR POP
There was a problem hiding this comment.
@gladjohn @bgavrilMS is the mapping maintained in the enum?
bgavrilMS
reviewed
Oct 22, 2024
|
|
||
| public void FormatResult(AuthenticationResult authenticationResult) | ||
| { | ||
| var header = new JObject(); |
bgavrilMS
reviewed
Oct 22, 2024
src/client/Microsoft.Identity.Client/AuthScheme/PoP/MtlsPopAuthenticationOperation.cs
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Oct 22, 2024
src/client/Microsoft.Identity.Client/AuthScheme/PoP/MtlsPopAuthenticationOperation.cs
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Oct 22, 2024
| @@ -14,6 +14,7 @@ internal class RegionDiscoveryProvider : IRegionDiscoveryProvider | |||
| { | |||
| private readonly IRegionManager _regionManager; | |||
| public const string PublicEnvForRegional = "login.microsoft.com"; | |||
| public const string PublicEnvForMtls = "mtlsauth.microsoft.com"; | |||
There was a problem hiding this comment.
I recommend you rename this to RegionAndMtlsProvider
There was a problem hiding this comment.
@bgavrilMS but the region is not included in the const?
bgavrilMS
reviewed
Oct 22, 2024
| if (requestContext.ServiceBundle.Config.UseMtlsPop) | ||
| { | ||
| requestContext.Logger.Info(() => $"[Region discovery] Using MTLS public endpoint: {PublicEnvForMtls}"); | ||
| return $"{region}.{PublicEnvForMtls}"; |
There was a problem hiding this comment.
This is wrong for non public cloud.
bgavrilMS
reviewed
Oct 22, 2024
| string host = authority.Host; | ||
|
|
||
| if (requestContext.ServiceBundle.Config.UseMtlsPop) |
There was a problem hiding this comment.
What about the case of non-regional + mtls POP config? Do we want to support this or just error out?
bgavrilMS
reviewed
Oct 22, 2024
| { | ||
| var dict = new Dictionary<string, string> | ||
| { | ||
| [OAuth2Parameter.GrantType] = OAuth2GrantType.ClientCredentials, | ||
| [OAuth2Parameter.Scope] = AuthenticationRequestParameters.Scope.AsSingleString() | ||
| }; | ||
|
|
||
| // Only add TokenType if useMtlsPop is true | ||
| if (useMtlsPop) |
There was a problem hiding this comment.
It's better to do this in MtlsPopAuthenticationOperation.cs
bgavrilMS
reviewed
Oct 22, 2024
| internal static class RequestTokenType | ||
| { | ||
| public const string Bearer = "bearer"; | ||
| public const string MTLSPop = "mtls_pop"; |
There was a problem hiding this comment.
Pls consolidate with SHR POP.
bgavrilMS
reviewed
Oct 22, 2024
...s/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ClientCredentialsTests.NetFwk.cs
Outdated
Show resolved
Hide resolved
bgavrilMS
reviewed
Oct 22, 2024
...s/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ClientCredentialsTests.NetFwk.cs
Outdated
Show resolved
Hide resolved
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
initial draft to see if e2e integ can make it through, it does and fail with an expected error.
to-do ; unit tests, finalize public api names, verify token caching, add integ tests