-
Notifications
You must be signed in to change notification settings - Fork 340
WWW Authenticate parameters
Sometimes, you call a web API without begin authenticated with the intension to get the parameters that you'll need to use to authenticate the user (for instance the authority and the scopes). This is done, for APIs that support it, by replying with a WWW-Authenticate header.
There are also scenarios where a web API needs more claims from the user. But given web APIs don't have UI interaction, it needs to propagate back the request to the client, again with information in a WWW-Authenticate header.
Some web APIs, when called unauthenticated, send back an HTTP 401 (Unauthenticated) with a wwwAuthenticate header. Note that this is not a response from Azure AD, but really from a web API that the client app would call without authentication or with the wrong authentication.
For instance:
- if you navigate, in your browser, to https://graph.microsoft.com/v1.0/me, you'll get an HTTP 401 (Unauthorized) error, but the wwwAuthenticate header will tell you: get a token using this IdP (defined by its authorize endpoint URI), for this resource (Graph):
HTTP 401; Unauthorized WWW-Authenticate: Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000" - if you navigate to
https://yourVault.vault.azure.net/secrets/CertName/CertVersion, you'll get a wwwAuthenticate header like the following:HTTP 401; Unauthorized WWW-Authenticate: Bearer authorization="https://login.windows.net/yourTenantId", resource="https://vault.azure.net"
Continuous access evaluation enabled web APIs also send a wwwAuthenticate header when more claims are needed. For details see How to use Continuous Access Evaluation enabled APIs in your applications. The wwwAuthenticate header will have the following form:
HTTP 401; Unauthorized
WWW-Authenticate=Bearer
authorization_uri="https://login.windows.net/common/oauth2/authorize",
error="insufficient_claims",
claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwgInZhbHVlIjoiMTYwNDEwNjY1MSJ9fX0="
The way the client application processes it is, when the error is "insufficient_claims", it extract the claims, property and if it's not already a Json blob, convert it from Base64 (if it's already a json blob, it uses it as is). Then this claims is used with .WithClaims() in MSAL.NET
CA auth context relies on web APIs sending back a wwwAuthenticate header. For details about CA auth context see:
- Developers’ guide to Conditional Access authentication context
- Code sample to use CA Auth context in a web API
- Recorded session: Use Conditional Access Auth Context in your app for step-up authentication – May 2021
The wwwAuthenticate header returned by CA auth context is similar to the one returned by CAE enabled web APIs:
HTTP 401; Unauthorized
WWW-Authenticate=Bearer
client_id="guid of the resource"
authorization_uri="https://login.windows.net/common/oauth2/authorize",
error="insufficient_claims",
claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwgInZhbHVlIjoiMTYwNDEwNjY1MSJ9fX0="
The processing will be the same.
Microsoft.Identity.web can send, a wwwAuthenticate header through one of the overrides of the ITokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeader method.
It sends non-standard parameters:
- consent Url, in order to help multi-tenant web API developers to provide a link so that the tenant users or admins can consent for the web API to be installed in their tenant.
- claims (in the case of claims challenge)
- scopes for the required scopes. This might not be great.
- proposedAction ("consent")
For the first scenario, you just call WwwAuthenticateParameters.CreateFromResourceResponse passing the URI of the web API.
WwwAuthenticateParameters parameters = await WwwAuthenticateParameters.CreateFromResourceResponse("https://yourVault.vault.azure.net/secrets/CertName/CertVersion");
IConfidentialClientApplication app = ConfidentialClientApplication.Create(clientId)
.WithAuthority(parameters.Authority)
.BuildAsync();
IAuthenticaiton result = await app.AcquireTokenForApp(parameters.scopes)
.WithClaims(parameters.Claims)
.ExecuteAsync();the spec is available in issue Help producing elements from wwwAuthenticate header returned by web APIs. #2679
- Home
- Why use MSAL.NET
- Is MSAL.NET right for me
- Scenarios
- Register your app with AAD
- Client applications
- Acquiring tokens
- MSAL samples
- Known Issues
- AcquireTokenInteractive
- WAM - the Windows broker
- .NET Core
- Xamarin Docs
- UWP
- Custom Browser
- Applying an AAD B2C policy
- Integrated Windows Authentication for domain or AAD joined machines
- Username / Password
- Device Code Flow for devices without a Web browser
- ADFS support
- Acquiring a token for the app
- Acquiring a token on behalf of a user in Web APIs
- Acquiring a token by authorization code in Web Apps
- High Availability
- Token cache serialization
- Logging
- Exceptions in MSAL
- Provide your own Httpclient and proxy
- Extensibility Points
- Clearing the cache
- Client Credentials Multi-Tenant guidance
- Performance perspectives
- Differences between ADAL.NET and MSAL.NET Apps
- PowerShell support
- Testing apps that use MSAL
- Experimental Features
- Proof of Possession (PoP) tokens
- Using in Azure functions
- Extract info from WWW-Authenticate headers
- SPA Authorization Code