Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature Request] Token Acquisition Extensibility support #2975

Open
bgavrilMS opened this issue Aug 12, 2024 · 2 comments
Open

[Feature Request] Token Acquisition Extensibility support #2975

bgavrilMS opened this issue Aug 12, 2024 · 2 comments
Labels
✏️design proposal

Comments

@bgavrilMS
Copy link
Member

bgavrilMS commented Aug 12, 2024
edited
Loading

What

This feature request proposes a mechanism to deliver token acquisition features that are 1p. The reason for this is twofold:

  • Do not pollute open source 3p libraries with 1p features, until these are ready for 3p
  • Increase adoption of DownstreamApi, by not exposing features directly in MSAL

How

MSAL

A strongly typed API and a strongly typed processing. For instance for the Federated User Identities, this is a new method, say:
ConfidentialClientApplication.AddAddIn<1pFeatureAddin>(), with this 1pFeatureAddin belonging to a 1P library, and that would implement methods or be a factory of classes that would implement these methods to:
• Extract the parameters from the extension method and store them in a bag
• Understand the parameters from the bag
• Append the body of the request
• Append the headers of the request
• Append the query string of the request
• Retrieve the info from the response
• Create exceptions for the particular request
• Cache the token (if there are particular things to do)
• Add to a bag in the AuthenticationResult (From which it would be queried by an extension method also part of the Add-In package)
• Change API ID

Note: design not finalized here, but an interface or callback will constitute the integration point. Incremental start - expose only what is necessary.

Id.Web

AcquireTokenOptions has a new public property ExtraParameters: IDictionary<string, object> + associated support from config.

"DownstreamApis": {
        "TodoList": {
            "Scopes": [ "api://556d438d-2f4b-4add-9713-ede4e5f5d7da/access_as_user" ],
            "BaseUrl": "http://localhost:44350",
           "AcquireTokenOptions": {
                 "ExtraParameters":{
                         "1pFeature":
                          {
                           "Param1": "a_string",
                           "Param2": // a certificate 
                            {
                             "SourceType": "KeyVault",
                             "KeyVaultUrl": "https://webappsapistests.vault.azure.net",
                             "KeyVaultCertificateName": "Self-Signed-5-5-22"
                            }
                        }
                   }
           }
        },

MISE

  1. A new TokenAcquisition addIn which is added by a ServiceCollection extension method

Services.Add1pFeature();

  1. An extension method on AcquireTokenOptions.
static void With1pFeature(this AcquireTokenOptions acquireTokenOptions, 
                                                          string param1, CredentialDescription param2)
{
 acquireTokenOptions.ExtraParameters[1pFeature”] = new 1pFeatureImpl(string_param, credentialDescription);
}
  1. The constructor of TokenAcquisition in IdWeb looks for a TokenAcquisitionAddIn, and, when building the request for AcquireTokenForClient, calls the AddIn method with the AcquireTokenOptions and the AcquireTokenForClientParameterBuilder. The AddIn checks if the tokenAcquisitionOptions.ExtraParameters constains constraints, and if it does, it uses the MSAL methods (or extension methods) to pass-in the constraints.
  2. Not needed in the case of CDT, but the Id.Web add-in could also work on the AuthenticationResult

For more details see here
@bgavrilMS bgavrilMS mentioned this issue Aug 12, 2024
Open
@bgavrilMS
Copy link
Member Author

CC @trwalke @rayluo for delivering CDT

@jmprieur
Copy link
Collaborator

for 3) (The constructor of TokenAcquisition in IdWeb looks for a TokenAcquisitionAddI) using the locator pattern (serviceProvider.GetService()

bgavrilMS added a commit to AzureAD/microsoft-identity-abstractions-for-dotnet that referenced this issue Aug 12, 2024
@bgavrilMS
Support for token acquisition 1p features - AzureAD/microsoft-identit…
737d808 
…y-web#2975
@bgavrilMS bgavrilMS mentioned this issue Aug 12, 2024
Merged
@bgavrilMS bgavrilMS mentioned this issue Aug 14, 2024
Draft
jmprieur added a commit to AzureAD/microsoft-identity-abstractions-for-dotnet that referenced this issue Sep 18, 2024
@bgavrilMS @jmprieur
Support for token acquisition 1p features - id.web issue 2975 (#135)
792dfcf 
* Support for token acquisition 1p features - AzureAD/microsoft-identity-web#2975

* Update public API files and version

* Improving test coverage

* Fix build on Linux (file casing)

---------

Co-authored-by: Jean-Marc Prieur <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
✏️design proposal
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@bgavrilMS @jmprieur @jennyf19