Open bgavrilMS opened 7 months ago
Confidential
When MSAL creates the client assertion, it uses PKCS1 padding for digital signature and SHA1 as x5t claim. These are old crypto algorithms and we need to move to newer versions. The STS is building support.
See ESTS work items :
https://identitydivision.visualstudio.com/Engineering/_workitems/edit/2655345 https://identitydivision.visualstudio.com/Engineering/_workitems/edit/2704466
Use x5t#s256 and PSS padding when talking to ESTS, CIAM, B2C(?) but not with ADFS.
MSAL client type
Confidential
Problem Statement
When MSAL creates the client assertion, it uses PKCS1 padding for digital signature and SHA1 as x5t claim. These are old crypto algorithms and we need to move to newer versions. The STS is building support.
See ESTS work items :
https://identitydivision.visualstudio.com/Engineering/_workitems/edit/2655345 https://identitydivision.visualstudio.com/Engineering/_workitems/edit/2704466
Proposed solution
Use x5t#s256 and PSS padding when talking to ESTS, CIAM, B2C(?) but not with ADFS.
Original issue: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4428