Closed MarcoEnxuto closed 2 years ago
Hi Marco, I'm on end-of-year vacation at the moment but let me get back to you on this hopefully later today. Thanks for pinging @ me so that I saw this more directly and it didn't get lost in my notifications.
Ok, I reviewed the above and I'll do the best that I can to provide some information, but I wish I had better news. So, the specific Microsoft Store tokens are owned by a team other than the MSA team. They are specific to the Commerce / Microsoft Store Services, from what I have been able to understand when working with them. That just happens to be v1.0 and was not updated to v2.0.
Although you are able to set up your app registration for v2.0 tokens, the commerce-related tokens you would then ask for are limited to what that service accepts and generates. From the above info and what I have seen as well, those are v1.0 tokens. So, although other MSA services are able to generate the right v2.0 tokens with certificates, the Microsoft Store Services only support v1.0, and therefore when getting those you would need to use a secret key rather than a certificate.
So from here I don't see a way you can generate the needed tokens for B2B auth with the Microsoft Store Services using certificates. That would require the team that owns the token-generating APIs within the purchase and collections endpoints to upgrade and implement the v2.0 token model. Since the token services for this have not been touched in many years and it is difficult for even me to find the current owner, I doubt that is something that would happen at this point, given the other priorities and initiatives the commerce team has on their backlog.
Alright @CameronGoodwin, thanks a lot for your time, even on vacation, in providing this gold information. Bottom line: we can't get tokens for Microsoft Store Services by using certificates as of now. A limitation of the Microsoft Store Services API.
I'm closing this question because, as you said, that support isn't expected anytime soon.
Merry Christmas to you and your family.
Hi @CameronGoodwin,
Introduction
In the last 2 days I've been revising some todos that aren't done yet, and tried to ping @hickeys to get a conclusion regarding this issue. I do understand that posting in Microsoft Docs is not the right spot to raise issues, because this is a thing related to services and not the docs. Either way, in my opinion, some of the documentation looks quite like a draft here. So, to sort things out, I'm coming to you in the hope you can help me understand / point me in the right direction.
Explanation
I'm trying to use certificates instead of secrets to request access tokens so the client can use them to get the Store Id Key. I'm getting 2 different tokens for the collections and purchase endpoints, but both are returned in the v1.0 format. I specifically set the manifest of my entity in App Registrations with the value: "accessTokenAcceptedVersion": 2
I came to this conclusion after raising this issue and this issue. Both are closed because this looks like a service issue, and we may need to warn several teams.
The endpoint https://collections.mp.microsoft.com/v7.0/beneficiaries/me/keys, which is used by the Windows SDK, requests the Store Id Key but returns an error when the request is made with a token that was issued with a certificate. That token contains the value appidacr=2; I checked myself before publishing here. Also, appidacr is a claim from v1.0. This endpoint requires the use of appidacr=1. This claim is a requirement for v1.0 tokens.
Access Token returned by AAD
Endpoint used by the Windows SDK to get the Store Id Key
My insights
I took a look at your code, and this code snippet shows you are following the doc.

```csharp
// Client-credentials request with a client secret (the form the doc shows).
var requestUri = $"https://login.microsoftonline.com/{_tenantId}/oauth2/v2.0/token";
var httpRequest = new HttpRequestMessage(HttpMethod.Post, requestUri.ToString());
var requestBody = $"grant_type=client_credentials&client_id={_clientId}" +
                  $"&client_secret={encodedSecret}" +
                  $"&scope={audience}/.default";
```
Sorry for the long post, and links... but can you help me out/comment/alert the teams if this is an issue?
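The check Marco describes above (reading `ver` and `appidacr` out of the access token to see which format and client-credential type AAD actually issued), as an added Python example that is not code from this thread or from the Microsoft Store Services SDK. It decodes the token without verifying the signature, which is fine for inspecting a token you just received from the token endpoint but never for trusting a token presented by a caller. The sample tokens, their audience, `kid`, `tid` and `appid` values are constructed placeholders; the "usable for Store Services" verdict encodes the thread's finding (v1.0 token with appidacr=1), not an official rule.

```python
import base64
import json

# Claims this thread turns on:
#   ver       "1.0" or "2.0": the token format actually issued, regardless of
#             accessTokenAcceptedVersion in the app manifest
#   appidacr  v1.0 claim: "0" public client, "1" client secret, "2" certificate
#             (a v2.0 token carries the same information as "azpacr")
CLIENT_AUTH = {"0": "public client", "1": "secret", "2": "certificate"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Split a compact JWS into (header, payload). The signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, accepted_version: str = "2.0") -> dict:
    """Report token format and client-credential type, and whether the token
    matches what the app registration asked for and what the thread says the
    collections/purchase endpoints accept."""
    _, claims = decode_jwt_unverified(token)
    ver = claims.get("ver")
    acr = claims.get("appidacr", claims.get("azpacr"))
    return {
        "ver": ver,
        "appidacr": acr,
        "client_auth": CLIENT_AUTH.get(acr, f"unknown({acr})"),
        "aud": claims.get("aud"),
        # True when AAD issued a different format than accessTokenAcceptedVersion requested.
        "version_downgraded": ver != accepted_version,
        # Per this thread: the Store Services endpoints accept v1.0 tokens with appidacr=1 only.
        "usable_for_store_services": ver == "1.0" and acr == "1",
    }


def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned token for offline testing; the signature is a placeholder."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


# Constructed stand-ins for the two tokens Marco compared (placeholder audience/tenant/app ids).
COMMON = {"aud": "https://example.invalid/store-services", "tid": "00000000-0000-0000-0000-000000000000",
          "appid": "11111111-1111-1111-1111-111111111111", "ver": "1.0"}
SECRET_TOKEN = make_sample_token({**COMMON, "appidacr": "1"})   # issued with a client secret
CERT_TOKEN = make_sample_token({**COMMON, "appidacr": "2"})     # issued with a certificate

if __name__ == "__main__":
    for name, tok in (("secret", SECRET_TOKEN), ("certificate", CERT_TOKEN)):
        print(name, classify_token(tok))
```

Run it against a real token by replacing the constructed samples with the `access_token` value from the token endpoint response; `version_downgraded` is the quick way to confirm that the manifest's `accessTokenAcceptedVersion` was ignored by the issuing service.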