search

AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License
1.39k stars 340 forks source link

[Feature Request] Enable extensions in the authentication MSAL flow #4956

Open trwalke opened 2 weeks ago

trwalke commented 2 weeks ago

MSAL client type

Confidential

Problem statement

Certain application would like to extend MSAL's authentication flow to suit their needs.

Proposed solution

Enable the extension of MSAL authentication operations with the implementation of IAuthenticaitonOperation

    public interface IAuthenticationOperation
    {

        int TelemetryTokenType { get; }

        /// <summary>
        /// Prefix for the HTTP header that has the token. E.g. "Bearer" or "POP"
        /// </summary>
        string AuthorizationHeaderPrefix { get; }

        /// <summary>
        /// Extra parameters that are added to the request to the /token endpoint. 
        /// </summary>
        /// <returns>Name and values of params</returns>
        IReadOnlyDictionary<string, string> GetTokenRequestParams();

        /// <summary>
        /// Key ID of the public / private key pair used by the encryption algorithm, if any. 
        /// Tokens obtained by authentication schemes that use this are bound to the KeyId, i.e. 
        /// if a different kid is presented, the access token cannot be used.
        /// </summary>
        string KeyId { get; }

        /// <summary>
        /// Creates the access token that goes into an Authorization HTTP header. 
        /// </summary>
        void FormatResult(AuthenticationResult authenticationResult);

        /// <summary>
        /// Expected to match the token_type parameter returned by ESTS. Used to disambiguate
        /// between ATs of different types (e.g. Bearer and PoP) when loading from cache etc.
        /// </summary>
        string AccessTokenType { get; }
    }

The implementation will be injected into MSAL with the following API:

                MsalAuthenticationExtension cdtExtension = new MsalAuthenticationExtension()
                {
                    OnBeforeTokenRequestHandler = async (data) =>
                    {
                      ...
                    },

                    AuthenticationOperation = new MsalTestAuthenticationOperation(),
                    AdditionalCacheParameters = new[] { "additional_param1", "additional_param2" }
                };

                // Act
                var result = await app.AcquireTokenForClient(TestConstants.s_scope.ToArray())
                    .WithTenantId(TestConstants.Utid)
                    .WithAuthenticationExtension(cdtExtension)
                    .ExecuteAsync()
                    .ConfigureAwait(false);

Alternatives

No response

rayluo commented 2 weeks ago

Do we have or need a documentation for how to use this extension interface?

For example, in the CDT scenario, the following behaviors would be needed from a client-side SDK, how and where are they addressed by this extension interface?

  1. Tell the token cache to store a req_ds_cnf (or a hash of it) from the token REQUEST, and later use the same value for a cache look-up. Is this achieved by OnBeforeTokenRequestHandler, IAuthenticationOperation.KeyId or GetTokenRequestParams()?
  2. Tell the token cache to store an xms_ds_nonce from the token RESPONSE, and later retrieve it when building a CDT Is this achieved by AdditionalCacheParameters?
  3. Mint a CDT. This is done by IIAuthenticationOperation.FormatResult().
gladjohn commented 2 weeks ago

@trwalke Ok to close this?

trwalke commented 2 weeks ago

I think so, but it isnt going to be used by anyone at the moment except MISE and it is still in preview. @bgavrilMS does it make sense to add public or internal docs for this?