AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

[Feature Request] AAD client assertions should be computed using SHA 256 and an approved padding scheme #6773

Open bgavrilMS opened 7 months ago

bgavrilMS commented 7 months ago

MSAL client type

Confidential

Problem Statement

When MSAL creates the client assertion, it uses PKCS1 padding for the digital signature and SHA1 for the x5t claim. These are old crypto algorithms and we need to move to newer versions. The STS is building support.

See ESTS work items:

https://identitydivision.visualstudio.com/Engineering/_workitems/edit/2655345
https://identitydivision.visualstudio.com/Engineering/_workitems/edit/2704466

Proposed solution

Use x5t#s256 and PSS padding when talking to ESTS, CIAM, B2C(?) but not with ADFS.

Original issue

https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4428

github-actions[bot] commented 7 months ago

Invalid Issue Template: Please open a new issue and use one of the provided issue templates. Thanks!

bgavrilMS commented 1 month ago

Not sure if MSAL JS supports ADFS. If it doesn't (e.g. no tests for it), just implement this change everywhere.

bgavrilMS commented 1 month ago

Should be done together with the integration tests around certificates.