Azure / azure-sdk-for-go

This repository is for active development of the Azure SDK for Go. For consumers of the SDK we recommend visiting our public developer docs at:
https://docs.microsoft.com/azure/developer/go/
MIT License

Support PoP token binding via Signed HTTP Request (SHR) for public client apps #19214

Open scottaddie opened 1 year ago

scottaddie commented 1 year ago

Intro: Proof of Possession is intended to ensure that the client that requests a token is the only client that can use the token. This is accomplished by the client generating a key pair and requesting that the public key be included in the issued access token. The client library then generates a wrapper token signing it with the private key that is only known to it.

Proposal:

  1. Ensure all Azure Identity SDKs are able to call into WAM (this will give RT binding on Windows, for public client). This feature is available in .NET as a preview.
  2. Add API support for using access token binding. This requires the app developer to inform the SDK about the protected API they're about to call (i.e., what the target URL is), and to extract a nonce from 401 and 200 headers.
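The proof-of-possession flow described in the intro, as an added example that is not code from the Azure SDK, MSAL, or this issue's authors: the client holds a key pair, wraps the access token in a JWT that names the request's method, host and path plus the server-supplied nonce, and signs it with the private key; the resource server verifies the wrapper with the key the issuer bound into the access token. The claim names `at`, `ts`, `m`, `u`, `p` follow the IETF Signed HTTP Request draft; the `nonce` claim, the 300-second freshness window, the sample token string and host are assumptions made for this example, and the access token itself is treated as an opaque string rather than decoded.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// shrClaims is the payload of a Signed HTTP Request wrapper token. Claim names
// at/ts/m/u/p follow the IETF SHR draft; "nonce" carries the value the resource
// server returns in its 401/200 headers. Illustrative model, not an SDK type.
type shrClaims struct {
	AccessToken string `json:"at"`    // the bearer token being wrapped
	Timestamp   int64  `json:"ts"`    // issue time, Unix seconds
	Method      string `json:"m"`     // HTTP method of the bound request
	Host        string `json:"u"`     // host of the bound request
	Path        string `json:"p"`     // path of the bound request
	Nonce       string `json:"nonce"` // server-supplied replay guard (assumed claim name)
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// publicJWK renders a P-256 public key as a JWK: the form the client hands to
// the token issuer so the key is embedded in the access token's cnf claim.
func publicJWK(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{
		"kty": "EC", "crv": "P-256",
		"x": b64url(pub.X.FillBytes(make([]byte, 32))),
		"y": b64url(pub.Y.FillBytes(make([]byte, 32))),
	}
}

// signSHR builds the wrapper: an ES256-signed JWT binding the access token to one
// method/host/path and to the server's nonce. Only the holder of priv can mint it.
func signSHR(priv *ecdsa.PrivateKey, at, method, host, path, nonce string, now time.Time) (string, error) {
	hdr, err := json.Marshal(map[string]interface{}{"alg": "ES256", "typ": "pop", "jwk": publicJWK(&priv.PublicKey)})
	if err != nil {
		return "", err
	}
	pl, err := json.Marshal(shrClaims{AccessToken: at, Timestamp: now.Unix(), Method: method, Host: host, Path: path, Nonce: nonce})
	if err != nil {
		return "", err
	}
	input := b64url(hdr) + "." + b64url(pl)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r || s, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64url(sig), nil
}

// verifySHR is the resource server's check. boundKey is the key the issuer put in
// the access token's cnf claim (recovered after validating the access token, which
// this example treats as opaque). The wrapper is accepted only if that key signed
// it, it names exactly this request, it carries the nonce this server issued, and
// its timestamp is fresh. The header's jwk is deliberately NOT trusted for
// verification: anyone can sign with a key they put in a header.
func verifySHR(tok string, boundKey *ecdsa.PublicKey, method, host, path, nonce string, now time.Time) (string, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(boundKey, digest[:], r, s) {
		return "", errors.New("signature does not match the key bound to the access token")
	}
	pl, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var c shrClaims
	if err := json.Unmarshal(pl, &c); err != nil {
		return "", err
	}
	if c.Method != method || c.Host != host || c.Path != path {
		return "", errors.New("token is bound to a different request")
	}
	if c.Nonce != nonce {
		return "", errors.New("nonce mismatch")
	}
	if skew := now.Unix() - c.Timestamp; skew < -60 || skew > 300 { // assumed window
		return "", errors.New("timestamp outside the accepted window")
	}
	return c.AccessToken, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	// Constructed sample values; a real token and nonce come from the issuer and the API.
	tok, _ := signSHR(priv, "sample-access-token", "GET", "api.example.test", "/resource", "nonce-123", now)
	at, err := verifySHR(tok, &priv.PublicKey, "GET", "api.example.test", "/resource", "nonce-123", now)
	fmt.Println("bound request:", at, err)
	_, err = verifySHR(tok, &priv.PublicKey, "POST", "api.example.test", "/resource", "nonce-123", now)
	fmt.Println("same token replayed as POST:", err)
}
```

The nonce is what step 2 of the proposal refers to: the resource server supplies it in a 401 (challenge) or 200 response header, the client copies it into the next wrapper, and the server rejects wrappers carrying a nonce it did not issue, so a captured wrapper cannot be replayed even against the same URL. The method/host/path claims are the reason the SDK must be told the target URL before the call is made.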
chlowell commented 1 year ago

This is blocked on https://github.com/AzureAD/microsoft-authentication-library-for-go/issues/284 because it requires calling into WAM (related: #17388).

wenhug commented 2 months ago

Is there any progress on this feature and is it being considered for support?

chlowell commented 2 months ago

We still want to support this; however, we rely on MSAL for Go for public client authentication, and it doesn't support this yet:

wenhug commented 2 months ago

MSAL for Go seems to already support PoP: https://github.com/AzureAD/microsoft-authentication-library-for-go/pull/443

chlowell commented 2 months ago

That PR added a confidential client feature. This issue tracks SHR PoP for public clients, which requires brokered authentication (WAM on Windows). MSAL for Go doesn't support brokered authentication, so this issue is still blocked.