
[Bug] JWK thumbprint computation is against RFC 7638 #4685

Closed
JasonYang-MSFT opened this issue Mar 28, 2024 · 3 comments
Comments

@JasonYang-MSFT

Library version used

4.57.0

.NET version

.NET 6.0

Scenario

ConfidentialClient - service to service (AcquireTokenForClient)

Is this a new or an existing app?

This is a new app or experiment

Issue description and reproduction steps

RFC 7638 defines the JWK thumbprint. When computing the JWK thumbprint, it should use only the required members of the JWK.
https://datatracker.ietf.org/doc/html/rfc7638#section-3

But in PoPAuthenticationScheme.cs, all members of the JWK are used for thumbprint generation:

var keyThumbprint = ComputeThumbprint(_popCryptoProvider.CannonicalPublicKeyJwk);

Relevant code snippets

No response

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

@JasonYang-MSFT JasonYang-MSFT added needs attention Delete label after triage untriaged Do not delete. Needed for Automation labels Mar 28, 2024
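The distinction the issue draws, as an added example that is not part of the issue or of MSAL's code: an RFC 7638 thumbprint hashes only the required members for the key type (e, kty, n for RSA; crv, kty, x, y for EC), serialised in lexicographic member order with no whitespace, so optional members such as kid, alg or x5c cannot change the result. Beside it is a deliberately non-compliant variant that hashes every member, which is an approximation of the behaviour the issue describes and does change when x5c is added. The key material is constructed sample data, not a real key pair, and REQUIRED_MEMBERS, rfc7638_thumbprint, canonical_members_json and thumbprint_of_all_members are names chosen here for illustration.

```python
import base64
import hashlib
import json

# Required members per key type (RFC 7638 section 3.2, following RFC 7518).
# Listed in the lexicographic order RFC 7638 requires for serialisation.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}


def canonical_members_json(jwk: dict) -> str:
    """Return the RFC 7638 input string: only required members, sorted, no whitespace."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    members = REQUIRED_MEMBERS[kty]
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"JWK is missing required members: {missing}")
    # sort_keys gives lexicographic order; separators removes all whitespace.
    return json.dumps(
        {m: jwk[m] for m in members},
        sort_keys=True,
        separators=(",", ":"),
        ensure_ascii=False,
    )


def _b64url_sha256(data: str) -> str:
    """SHA-256 of the UTF-8 bytes, base64url-encoded without padding."""
    digest = hashlib.sha256(data.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def rfc7638_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK Thumbprint: hash of the required members only."""
    return _b64url_sha256(canonical_members_json(jwk))


def thumbprint_of_all_members(jwk: dict) -> str:
    """Non-compliant variant: hashes every member of the JWK.

    This approximates what the issue describes (hashing the whole JWK).
    It agrees with RFC 7638 only when the JWK carries nothing but the
    required members, and diverges as soon as kid, alg, x5c, ... are present.
    """
    return _b64url_sha256(
        json.dumps(jwk, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    )


# Constructed sample keys (not real key material; only the thumbprint
# computation is exercised here).
RSA_JWK_MINIMAL = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbf",
    "e": "AQAB",
}
RSA_JWK_WITH_X5C = {
    **RSA_JWK_MINIMAL,
    "kid": "2024-03-28",
    "alg": "RS256",
    "x5c": ["MIICconstructedSampleCertificateChainEntry"],
}
EC_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "use": "sig",
}


if __name__ == "__main__":
    print("canonical RSA input :", canonical_members_json(RSA_JWK_WITH_X5C))
    print("RFC 7638, minimal   :", rfc7638_thumbprint(RSA_JWK_MINIMAL))
    print("RFC 7638, with x5c  :", rfc7638_thumbprint(RSA_JWK_WITH_X5C))
    print("all members, minimal:", thumbprint_of_all_members(RSA_JWK_MINIMAL))
    print("all members, x5c    :", thumbprint_of_all_members(RSA_JWK_WITH_X5C))
    print("canonical EC input  :", canonical_members_json(EC_JWK))
```

Running the script shows the two RFC 7638 lines identical and the two "all members" lines different, which is exactly the mismatch a resource server would hit if it computed the cnf/jkt thumbprint per the RFC while the client hashed the full JWK. To validate an implementation against a published vector, RFC 7638 section 3.1 gives an RSA key whose thumbprint is NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs.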
@neha-bhargava
Contributor

@neha-bhargava neha-bhargava added question requires more info and removed untriaged Do not delete. Needed for Automation needs attention Delete label after triage labels Mar 28, 2024
@JasonYang-MSFT
Author

Hi @neha-bhargava, RFC 7638 states that "Only the required members of a key's representation are used when computing its JWK Thumbprint value." But in PoPAuthenticationScheme.cs, all JWK claims are used for JWK thumbprint computation.

Actually, I am trying to create a PoPCryptoProvider with "x5c" in the JWK. Is that doable with MSAL?

@bgavrilMS
Member

Yes, it is possible, but not very discoverable. You can create your own SignedHttpRequest (SHR). Here's an example:

https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/main/tests/Microsoft.Identity.Test.Integration.netfx/HeadlessTests/PoPTests.cs#L300
