kubeguard / guard

🔑 Kubernetes Authentication & Authorization WebHook Server
https://kubeguard.dev
Apache License 2.0

Add access token cnf public key validation in PoP token verifier #365

Closed AzureMarker closed 1 year ago

AzureMarker commented 1 year ago

This check ensures that the user who requested the access token is the same user who created the PoP token.

Also added a few missed error cases and tests to the PoP token verifier.

weinong commented 1 year ago

I actually don't quite follow how this change ensures that the user who requested the access token is the same user who created the PoP token.

AzureMarker commented 1 year ago

> I actually don't quite follow how this change ensures that the user who requested the access token is the same user who created the PoP token.

The user who created the inner access token gave the PoP token public key to AAD, and the returned access token contains the public key info in the cnf claim.

The PoP token wraps the access token, includes the same public key, and is signed by the PoP token private key. The PoP token signature can be verified using the included public key, and the public key in the PoP token claims can be checked against the inner access token's cnf claim.

weinong commented 1 year ago

@tamalsaha I plan to cut a release. Is there any instruction?

tamalsaha commented 1 year ago

I just check out a release-** branch, tag it and push it to GitHub for the release process.

You should be able to do the same.