search

AzureAD / microsoft-identity-web

Helps creating protected web apps and web APIs with Microsoft identity platform and Azure AD B2C
MIT License
671 stars 208 forks source link

[Feature Request] Token Acquisition Extensibility support #2975

Open bgavrilMS opened 1 month ago

bgavrilMS commented 1 month ago

What

This feature request proposes a mechanism to deliver token acquisition features that are 1p. The reason for this is twofold:

How

MSAL

A strongly typed API and a strongly typed processing. For instance for the Federated User Identities, this is a new method, say: ConfidentialClientApplication.AddAddIn<1pFeatureAddin>(), with this 1pFeatureAddin belonging to a 1P library, and that would implement methods or be a factory of classes that would implement these methods to: • Extract the parameters from the extension method and store them in a bag • Understand the parameters from the bag • Append the body of the request • Append the headers of the request • Append the query string of the request • Retrieve the info from the response • Create exceptions for the particular request • Cache the token (if there are particular things to do) • Add to a bag in the AuthenticationResult (From which it would be queried by an extension method also part of the Add-In package) • Change API ID

Note: design not finalized here, but an interface or callback will constitute the integration point. Incremental start - expose only what is necessary.

Id.Web

AcquireTokenOptions has a new public property ExtraParameters: IDictionary<string, object> + associated support from config.

"DownstreamApis": {
        "TodoList": {
            "Scopes": [ "api://556d438d-2f4b-4add-9713-ede4e5f5d7da/access_as_user" ],
            "BaseUrl": "http://localhost:44350",
           "AcquireTokenOptions": {
                 "ExtraParameters":{
                         "1pFeature":
                          {
                           "Param1": "a_string",
                           "Param2": // a certificate 
                            {
                             "SourceType": "KeyVault",
                             "KeyVaultUrl": "https://webappsapistests.vault.azure.net",
                             "KeyVaultCertificateName": "Self-Signed-5-5-22"
                            }
                        }
                   }
           }
        },

MISE

  1. A new TokenAcquisition addIn which is added by a ServiceCollection extension method

Services.Add1pFeature();

  1. An extension method on AcquireTokenOptions.
static void With1pFeature(this AcquireTokenOptions acquireTokenOptions, 
                                                          string param1, CredentialDescription param2)
{
 acquireTokenOptions.ExtraParameters[“1pFeature”] = new 1pFeatureImpl(string_param, credentialDescription);
}
  1. The constructor of TokenAcquisition in IdWeb looks for a TokenAcquisitionAddIn, and, when building the request for AcquireTokenForClient, calls the AddIn method with the AcquireTokenOptions and the AcquireTokenForClientParameterBuilder. The AddIn checks if the tokenAcquisitionOptions.ExtraParameters constains constraints, and if it does, it uses the MSAL methods (or extension methods) to pass-in the constraints.
  2. Not needed in the case of CDT, but the Id.Web add-in could also work on the AuthenticationResult

For more details see here

bgavrilMS commented 1 month ago

CC @trwalke @rayluo for delivering CDT

jmprieur commented 1 month ago

for 3) (The constructor of TokenAcquisition in IdWeb looks for a TokenAcquisitionAddI) using the locator pattern (serviceProvider.GetService()