AzureAD / MSAL.PS

MIT License

MSAL.PS 4.14.0.1 and X5C #8

Closed abatishchev closed 3 years ago

abatishchev commented 4 years ago

I looked at the source code of MSAL.PS version 4.14.0.1 and searched for "x5c". I see all occurrences have been commented:

#
# [Parameter(Mandatory=$true, ParameterSetName='ConfidentialClientCertificate')]
# [Parameter(Mandatory=$true, ParameterSetName='ConfidentialClientCertificate-AuthorizationCode')]
# [Parameter(Mandatory=$true, ParameterSetName='ConfidentialClientCertificate-OnBehalfOf')]
# [switch] $SendX5C,

#if ($SendX5C) { [void] $AquireTokenParameters.WithSendX5C($SendX5C) }

Why? Is there a (pre-release) version where it's not?

abatishchev commented 4 years ago

Here's the commit where it was added as commented from the start.

@jasoth, can you please comment why?

jazuntee commented 4 years ago

I was going to implement it but have not had time to figure out how to implement properly and test.

Jason Thompson, Sr. Program Manager (https://aka.ms/jasoth/LinkedIn) | Microsoft Identity CxP GTP


abatishchev commented 4 years ago

Would be great to have this feature as right now the latest version doesn't work with 1PA.

Do you know if there is any alternative to get it working from PowerShell?

jazuntee commented 4 years ago

I would suggest using New-MsalClientApplication and then use the WithSendX5C method (https://docs.microsoft.com/en-us/dotnet/api/microsoft.identity.client.acquiretokenforclientparameterbuilder.withsendx5c?view=azure-dotnet) on the application object from PowerShell to do X5C.


abatishchev commented 4 years ago

Here's what appears to work for me:

if ($SendX5C)
{
    # Get-MsalToken has no -SendX5C switch in this version, so build the
    # confidential client application and call the MSAL.NET builder directly.
    $app = New-MsalClientApplication -ClientId $clientId -TenantId $tenantId -Authority $authority -ClientCertificate $cert
    $scopes = [string[]] @( $Scope )
    # WithSendX5C($true) includes the certificate chain in the client assertion header.
    $response = $app.AcquireTokenForClient($scopes).WithSendX5C($true).ExecuteAsync().GetAwaiter().GetResult()
}
else
{
    # Plain certificate credential (thumbprint only), the path the cmdlet already supports.
    $response = Get-MsalToken -ClientId $clientId -TenantId $tenantId -Authority $authority -Scopes $Scope -ClientCertificate $cert
}

Still would be great if it could be just a switch on Get-MsalToken. Thanks!
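The workaround above, and the maintainer's suggestion before it, rely on calling the MSAL.NET builder from the client application object. The following is an added example, not code from MSAL.PS or from anyone in this thread: it wraps that pattern in a function, refuses a certificate that has no private key (the assertion cannot be signed without one), and decodes the returned access token's payload so you can confirm the audience and expiry before handing the token to a script. The function and helper names, the `<THUMBPRINT>`, `<app-id>` and `<tenant-id>` placeholders, and the default authority are assumptions for the example; the `New-MsalClientApplication` parameters and the `AcquireTokenForClient(...).WithSendX5C(...)` chain are the ones used in this thread.

```powershell
# Added example; requires the MSAL.PS module. Angle-bracket values are placeholders.
function Get-X5CClientToken {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $ClientCertificate,
        [Parameter(Mandatory)] [string[]] $Scopes,
        # Assumed default; the thread uses a PPE authority instead.
        [Uri] $Authority = "https://login.microsoftonline.com/$TenantId/v2.0",
        [switch] $SendX5C
    )

    # A client assertion is a JWT signed with the certificate's private key; fail early if it is absent.
    if (-not $ClientCertificate.HasPrivateKey) {
        throw "Certificate $($ClientCertificate.Thumbprint) has no private key; cannot sign the client assertion."
    }

    $app = New-MsalClientApplication -ClientId $ClientId -TenantId $TenantId `
        -Authority $Authority -ClientCertificate $ClientCertificate

    # WithSendX5C($true) puts the certificate chain in the assertion header so the
    # service can match the app's registered subject name and issuer instead of a thumbprint.
    $app.AcquireTokenForClient($Scopes).WithSendX5C([bool] $SendX5C).ExecuteAsync().GetAwaiter().GetResult()
}

# Decodes the payload (second segment) of a compact JWT for inspection only.
# This does NOT validate the signature; that is the resource server's job.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)] [string] $Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWS: expected 3 segments, got $($parts.Count)." }
    # base64url -> base64: swap the alphabet and restore padding.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

# Usage (placeholders must be replaced):
$cert   = Get-Item "Cert:\CurrentUser\My\<THUMBPRINT>"
$result = Get-X5CClientToken -ClientId '<app-id>' -TenantId '<tenant-id>' -ClientCertificate $cert `
              -Scopes 'https://management.core.windows.net/.default' -SendX5C
$claims = ConvertFrom-JwtPayload -Token $result.AccessToken
'aud={0} expires={1:u}' -f $claims.aud, [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
```

Checking `aud` and `exp` on the client side catches a wrong scope or authority immediately, which is easier to debug than an opaque 401 from the resource later; the decode helper deliberately does nothing cryptographic, so do not use it as a substitute for token validation in a service.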

jazuntee commented 4 years ago

I added the SendX5C parameter in the latest update.

abatishchev commented 3 years ago

@jasoth I'm having a problem with parameter sets too. From the list for version 4.16.0.2 I see that I can include SendX5C only in one of them:

Get-MsalToken [-SendX5C] [-AuthorizationCode <String>] [-UserAssertion <String>] [-UserAssertionType <String>] [-AzureCloudInstance
    {None | AzurePublic | AzureChina | AzureGermany | AzureUsGovernment}] [-TenantId <String>] [-Authority <Uri>]
    [-ConfidentialClientApplication] <IConfidentialClientApplication> [-Scopes <String[]>] [-CorrelationId <Guid>] [-ExtraQueryParameters
    <Hashtable>] [-ForceRefresh] [<CommonParameters>]

But I want to call it in the following way:

Get-MsalToken -ClientId $c `
              -TenantId $t `
              -Authority https://login.windows-ppe.net/$t/v2.0 `
              -Scopes https://management.core.windows.net/.default `
              -ClientCertificate $cert `
              -SendX5C

Can you please add SendX5C to more (or the rest) of the parameter sets?

jazuntee commented 3 years ago

There are two other usages as well. I assigned it to all parameter sets that involve a ClientCertificate. However, the combination of parameters you have there is not resolving correctly for some reason. I'll take a look at some point.

    Get-MsalToken [-ClientId] <String> -ClientCertificate <X509Certificate2> [-SendX5C] -UserAssertion <String>
    [-UserAssertionType <String>] [-RedirectUri <Uri>] [-AzureCloudInstance {None | AzurePublic | AzureChina |
    AzureGermany | AzureUsGovernment}] [-TenantId <String>] [-Authority <Uri>] [-Scopes <String[]>] [-CorrelationId
    <Guid>] [-ExtraQueryParameters <Hashtable>] [<CommonParameters>]

    Get-MsalToken [-ClientId] <String> -ClientCertificate <X509Certificate2> [-SendX5C] -AuthorizationCode <String>
    [-RedirectUri <Uri>] [-AzureCloudInstance {None | AzurePublic | AzureChina | AzureGermany | AzureUsGovernment}]
    [-TenantId <String>] [-Authority <Uri>] [-Scopes <String[]>] [-CorrelationId <Guid>] [-ExtraQueryParameters
    <Hashtable>] [<CommonParameters>]

    Get-MsalToken [-SendX5C] [-AuthorizationCode <String>] [-UserAssertion <String>] [-UserAssertionType <String>]
    [-AzureCloudInstance {None | AzurePublic | AzureChina | AzureGermany | AzureUsGovernment}] [-TenantId <String>]
    [-Authority <Uri>] [-ConfidentialClientApplication] <IConfidentialClientApplication> [-Scopes <String[]>]
    [-CorrelationId <Guid>] [-ExtraQueryParameters <Hashtable>] [-ForceRefresh] [<CommonParameters>]
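When a call fails with "Parameter set cannot be resolved", the binder was left with more than one candidate set it could not tell apart given the names you passed. The following added example (my code, not part of MSAL.PS or this thread) lists, for any command, which parameter sets can bind a given list of parameter names and which mandatory parameters each of those sets would still be missing. The function name is an assumption; the members it reads (`CommandInfo.ParameterSets`, `CommandParameterSetInfo.Name`, `.IsDefault`, `.Parameters`, `CommandParameterInfo.IsMandatory`) are standard PowerShell. The `Get-ChildItem` call runs offline anywhere; the `Get-MsalToken` call requires the module and reproduces the parameter names from the failing invocation in this thread.

```powershell
# Added diagnostic helper (not part of MSAL.PS). Shows why a combination of
# named parameters may leave PowerShell with more than one candidate set.
function Test-ParameterSetResolution {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Command,
        [Parameter(Mandatory)] [string[]] $BoundParameters
    )
    $cmd = Get-Command -Name $Command -ErrorAction Stop
    foreach ($set in $cmd.ParameterSets) {
        $names = $set.Parameters.Name
        # A set is only a candidate if it contains every parameter name you intend to pass.
        $cannotBind = $BoundParameters | Where-Object { $names -notcontains $_ }
        if ($cannotBind) { continue }
        # Mandatory parameters of the set that your call does not supply.
        $unsatisfied = $set.Parameters |
            Where-Object { $_.IsMandatory -and ($BoundParameters -notcontains $_.Name) } |
            Select-Object -ExpandProperty Name
        [pscustomobject]@{
            ParameterSet         = $set.Name
            IsDefault            = $set.IsDefault
            UnsatisfiedMandatory = ($unsatisfied -join ', ')
        }
    }
}

# Runs anywhere: Get-ChildItem has two sets (Items / LiteralItems); only one can bind -Path.
Test-ParameterSetResolution -Command Get-ChildItem -BoundParameters 'Path' | Format-Table -AutoSize

# Requires MSAL.PS: the parameter names from the failing call in this thread.
Test-ParameterSetResolution -Command Get-MsalToken `
    -BoundParameters 'ClientId', 'TenantId', 'Authority', 'Scopes', 'ClientCertificate', 'SendX5C' |
    Format-Table -AutoSize
```

If the output shows more than one row, those are the sets the binder is choosing between; a module author resolves the ambiguity by making a distinguishing parameter mandatory in one set, or by declaring a `DefaultParameterSetName` on the cmdlet, and a caller can work around it by passing one of the listed unsatisfied parameters to pin the intended set.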

abatishchev commented 3 years ago

Hi, I updated to 4.16.0.4 but still getting an error:

Parameter set cannot be resolved using the specified named parameters. One or more parameters issued cannot be used together or an insufficient number of parameters were provided.

How I ran the script:

Get-MsalToken -ClientId $clientId -TenantId $tenantId -Authority $authority -Scopes $Scope -ClientCertificate $cert -SendX5C

jazuntee commented 3 years ago

This should be fixed now.