Azure / azure-rest-api-specs

The source for REST API specifications for Microsoft Azure.
MIT License

Add support for cert-based authentication using EC certs (ES 256, ES384) #6637

Open erich-wang opened 5 years ago

erich-wang commented 5 years ago

The issue is copied from https://github.com/Azure/azure-sdk-for-net/issues/6521

Currently AAD only supports certificate authentication using RSA certs (e.g. RSA 2048). There is no support for authenticating with EC certs (e.g. ECDSA P-256 and P-384). This is documented here:

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials

It effectively states that "only JWT alg RS256 is supported". This is confirmed by the ClientAssertionCertificate code here: https://github.com/Azure/azure-sdk-for-net/blob/master/src/SdkCommon/Auth/Az.Auth/Az.Authentication/ClientAssertionCertificate.cs#L46

(Right now if you try using an EC cert with ClientAssertionCertificate, it fails with a NullReferenceException).

Elliptic curve based certs provide stronger security with less overhead - this generally improves code efficiency, and is particularly important for mobile devices. IMO AAD should support authentication using "better" certs - e.g. the ES384 alg in the JWT standard: https://tools.ietf.org/html/rfc7518#page-6

Companies that are using next-gen approaches for security (authenticate with certs, use ECC certs) shouldn't have to generate separate RSA certs purely to authenticate with AAD.

Obviously this would need to be added in the client and the server. The azure-sdk-for-net repo only covers the client, could someone at Microsoft please add the request for server support for ES256 and ES384 JWT signatures?
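As an added example (not code from this issue or from the Azure SDK), here is a Go sketch of what the request implies on both sides: a client assertion JWT signed with an EC P-256 key under alg ES256, and a token-endpoint verifier that enforces an alg allowlist, so an RS256-only allowlist rejects the assertion (the behaviour the issue describes) while one that also lists ES256 accepts it. The key, the claim values and the x5t thumbprint are constructed placeholders, and the allowlist check runs before any signature work so unsupported algs are rejected cheaply.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

// NewP256Key stands in for the EC certificate's private key (constructed for the example).
func NewP256Key() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// BuildES256Assertion signs an AAD-style client assertion (aud/iss/sub/jti claims) with a P-256 key; x5t is a constructed placeholder.
func BuildES256Assertion(key *ecdsa.PrivateKey, claims map[string]string) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "x5t": "CONSTRUCTED-THUMBPRINT"})
	pl, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(pl)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signatures are raw R||S, 32 bytes each, not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyAssertion models the token endpoint: alg is checked against an allowlist before any signature work, then ES256 is verified.
func VerifyAssertion(token string, allowed map[string]bool, pub *ecdsa.PublicKey) error {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	if len(parts) != 3 || json.NewDecoder(base64.NewDecoder(base64.RawURLEncoding, strings.NewReader(parts[0]))).Decode(&hdr) != nil {
		return errors.New("malformed JWS")
	}
	if !allowed[hdr.Alg] { // an RS256-only STS rejects an ES256 assertion here
		return errors.New("unsupported alg " + hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // signed data is header.payload
	// a valid ES256 signature is exactly 64 raw bytes (R||S) and must verify under the client's public key
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("signature invalid")
	}
	return nil
}
```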

erich-wang commented 5 years ago

@darshanhs90 @stankovski, could you take a look at this feature request from the customer?

darshanhs90 commented 5 years ago

@grlin to help with this

erich-wang commented 5 years ago

@grlin, is there any update?

ghost commented 4 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @adamedx.

adamedx commented 4 years ago

Thanks for the cc, though I'm not sure how I can help. @erich-wang, is this a request for the STS to support updates to JWT? I'm not an STS SME, but maybe I can help find someone who is.