AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License

[Feature Request] SAML assertions obtained with an OAuth2.0 OBO flow #2325

Open luisfeliz79 opened 3 years ago

luisfeliz79 commented 3 years ago

Is your feature request related to a problem? Please describe.
It is possible to use an on-behalf-of flow to get a SAML token via an OAuth 2.0 flow. This allows middle-tier apps to authenticate to apps integrated via SAML. Ref doc: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#saml-assertions-obtained-with-an-oauth20-obo-flow

Describe the solution you'd like
I would like the MSAL libraries to build in this functionality. It would be very similar to the function "AcquireTokenOnBehalfOf", except that it would include the additional parameter requested_token_type.

Describe alternatives you've considered
The alternative is not to use the MSAL libraries and to use direct REST calls instead.

Additional context Add any other context or screenshots about the feature request here.

jmprieur commented 3 years ago

Thanks for your question and heads-up, @luisfeliz79. Azure AD v2 doesn't actually support SAML output for the on-behalf-of flow, so there is not much MSAL.NET can do for the moment, but this is a reasonable ask on the service.

We'll update the documentation: https://github.com/MicrosoftDocs/azure-docs-pr/pull/142477

jmprieur commented 3 years ago

Proposing to close this issue as nothing can be done yet on the library side.

ghost commented 2 years ago

Hello @jmprieur, Azure AD v2 has added support for SAML assertions for on behalf of flows. Can this issue be reopened?

bgavrilMS commented 2 years ago

Re-opened.

Flow is here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#saml-assertions-obtained-with-an-oauth20-obo-flow

CC @maliksahil

@msantor - you'll be able to try it out with the next MSAL release, 4.41 (out in a day or two), where we've built some extensibility that will allow you to add the parameter requested_token_type to the request to the /token endpoint.

Details here: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Extensibility-Points

I expect the flow to work for the simple scenarios, but MSAL will not save or know how to use the refresh token in this case, i.e. you'll have to provide the initial SAML assertion again and again; you won't be able to get a new one via refresh token. This should be ok for most scenarios. Tracking item: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/2817
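The following is an added example of the approach described in the comment above, written for this page; it is not code from the issue thread or from the MSAL.NET repository. It uses the `OnBeforeTokenRequest` extensibility point that MSAL.NET 4.41 introduced to append `requested_token_type` to the on-behalf-of request, and returns whatever the service places in `access_token` (for a SAML request, the base64url-encoded assertion, per the OBO documentation linked above). The tenant id, client id, client secret, incoming JWT and the `/.default` scope of the SAML-integrated application are placeholder assumptions; `DecodeAssertion` is a small helper written here, not part of MSAL.

```csharp
// Added example, not part of the original issue or the MSAL.NET repo.
// Requires the Microsoft.Identity.Client package, version 4.41 or later.
using System;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Extensibility;

public static class SamlObo
{
    // Token type identifiers defined by RFC 8693 and accepted by the Azure AD OBO endpoint.
    public const string Saml2TokenType = "urn:ietf:params:oauth:token-type:saml2";
    public const string Saml1TokenType = "urn:ietf:params:oauth:token-type:saml1";

    // Exchanges the JWT the middle-tier API received from its caller for a SAML assertion
    // targeted at the SAML-integrated downstream application.
    public static async Task<string> GetSamlAssertionAsync(
        string tenantId,        // assumption: your directory (tenant) id
        string clientId,        // assumption: middle-tier app registration id
        string clientSecret,    // assumption: its client secret (prefer a certificate in production)
        string incomingJwt,     // the bearer token presented by the calling client
        string samlAppScope,    // assumption: "<app-id-uri-of-saml-app>/.default"
        string tokenType = Saml2TokenType)
    {
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();

        var userAssertion = new UserAssertion(incomingJwt);

        AuthenticationResult result = await app
            .AcquireTokenOnBehalfOf(new[] { samlAppScope }, userAssertion)
            .OnBeforeTokenRequest(data =>
            {
                // MSAL builds the standard OBO POST body (grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer,
                // assertion, requested_token_use=on_behalf_of, scope); we only add the extra parameter.
                data.BodyParameters.Add("requested_token_type", tokenType);
                return Task.CompletedTask;
            })
            .ExecuteAsync();

        // The service returns the SAML assertion in the access_token field, so MSAL
        // surfaces it as AccessToken. It is base64url-encoded XML, not a JWT.
        return result.AccessToken;
    }

    // Helper added here: base64url -> UTF-8 XML text of the assertion.
    public static string DecodeAssertion(string base64UrlAssertion)
    {
        string s = base64UrlAssertion.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;
        }
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }
}
```

Two practical points follow from the comment above. First, MSAL treats the returned value as an ordinary cached access token, so it will be served from the cache for the same user assertion and scope until it expires; if the same user also needs a regular JWT for the same resource, request it under a different scope set or use `WithForceRefresh(true)` so the two kinds of token are not confused, and check this behaviour against your MSAL version. Second, as bgavrilMS notes, no refresh token is stored for this flow, so the caller's incoming token must be presented again each time a fresh assertion is needed.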