Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BearerTokenPolicy handles CAE claims challenges by default #23414

Merged
merged 21 commits into from
Oct 10, 2024
Merged

BearerTokenPolicy handles CAE claims challenges by default #23414

merged 21 commits into from
Oct 10, 2024

Conversation

chlowell
Copy link
Member

@chlowell chlowell commented Sep 9, 2024

This adds CAE support for all clients lacking a custom challenge handler i.e., everyone except Key Vault and Storage. The policy will request CAE tokens by default, however whether it receives them and claims challenges is up to RP and tenant configuration. With this change, CAE will just work by default when enabled by RP and tenant. To avoid opting clients like Key Vault and Storage in to receiving challenges they can't handle, I added a SupportsCAE option to AuthorizationHandler to control whether the policy requests CAE tokens when given a custom challenge handler.

@chlowell chlowell marked this pull request as ready for review September 9, 2024 16:37
jhendrixMSFT
jhendrixMSFT approved these changes Sep 9, 2024
View reviewed changes
Copy link
Member

@jhendrixMSFT jhendrixMSFT left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was there a specific trigger prompting this to be moved to the common bearer token policy, or was it just a matter of "it's baked enough"?

@chlowell
Copy link
Member Author

chlowell commented Sep 9, 2024

It's baked enough, there's a common implementation for RPs we can target. I see they now document how to handle multiple challenges, so let me update our logic to follow that guidance.

@chlowell chlowell marked this pull request as draft September 9, 2024 17:36
@chlowell chlowell marked this pull request as ready for review September 16, 2024 17:20
This was referenced Sep 23, 2024
Closed
Open
Open
Closed
Open
Open
Closed
@chlowell chlowell linked an issue Sep 23, 2024 that may be closed by this pull request
BearerTokenAuthenticationPolicy should support CAE token revocation challenges by default #23481
Closed
@joshfree joshfree added this to the 2024-10 milestone Sep 23, 2024
@chlowell
Copy link
Member Author

Moving this back to draft because I believe the core policy can handle CAE challenges even when the client has provided a custom challenge handler, at the cost of some more complexity. That could enable CAE support for e.g. Key Vault without any change to client code.

@chlowell chlowell marked this pull request as draft September 25, 2024 18:34
@chlowell chlowell marked this pull request as ready for review October 1, 2024 22:03
@chlowell chlowell merged commit 1c2a108 into Azure:main Oct 10, 2024
14 checks passed
@chlowell chlowell deleted the core-cae branch October 10, 2024 20:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@christothes christothes christothes left review comments

@gracewilcox gracewilcox gracewilcox approved these changes

@jhendrixMSFT jhendrixMSFT jhendrixMSFT approved these changes

@RickWinter RickWinter Awaiting requested review from RickWinter RickWinter is a code owner

@richardpark-msft richardpark-msft Awaiting requested review from richardpark-msft richardpark-msft is a code owner

Assignees
No one assigned
Labels
Azure.Core
Projects
None yet
Milestone
2024-10
Development

Successfully merging this pull request may close these issues.

BearerTokenAuthenticationPolicy should support CAE token revocation challenges by default
5 participants
@chlowell @christothes @jhendrixMSFT @gracewilcox @joshfree