
BearerTokenAuthenticationPolicy should support CAE token revocation challenges by default #31185

Open
christothes opened this issue Sep 23, 2024 · 3 comments

@christothes
Member

christothes commented Sep 23, 2024

This feature entails adding CAE support for all clients lacking a custom challenge handler i.e., everyone except Key Vault and Storage.

Adding support involves adding logic to your BearerTokenAuthenticationPolicy such that it does the following:

  • Detects when a CAE challenge is issued (401 response with a WWW-Authenticate header)
  • Parses the WWW-Authenticate header (format here)
    • validate that the error value is "insufficient_claims"
    • capture the claims value and decode it from base64 encoding to a string
  • Pass the string value of the un-encoded claims to the TokenCredential via the TokenRequestContext or equivalent for your language via the Claims property
  • Ensure that any local token caching is bypassed in the policy when the claims are populated from a CAE challenge
  • Authorize the original request with the new token and send it through the pipeline again
  • Return any response to the caller (don't try to handle a second challenge)

Example PRs:
Azure/azure-sdk-for-go#23414
Azure/azure-sdk-for-net#46277
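The handling steps listed above, worked through as an added JavaScript example that is not the SDK's own code: `parseBearerChallenge`, `getCaeClaims`, `createBearerPolicy`, the stub credential and the sample challenge header are all constructed here for illustration.

```javascript
// Added example (not azure-sdk-for-js code): parse a CAE challenge and drive one retry per the issue's steps.
const PARAM_RE = /(\w+)="([^"]*)"/g;
// Split a 'Bearer k="v", ...' WWW-Authenticate value into its parameters.
function parseBearerChallenge(header) {
  if (typeof header !== "string" || !/^\s*Bearer\b/i.test(header)) return null;
  const params = {};
  for (const m of header.matchAll(PARAM_RE)) params[m[1].toLowerCase()] = m[2];
  return params;
}

// Return the decoded claims JSON string for a CAE challenge, or null otherwise.
function getCaeClaims(response) {
  if (response.status !== 401) return null;
  const params = parseBearerChallenge(response.headers["www-authenticate"]);
  if (!params || params.error !== "insufficient_claims" || !params.claims) return null;
  return Buffer.from(params.claims, "base64").toString("utf8"); // std or URL-safe alphabet
}

// Minimal bearer-token policy: caches the token, bypasses the cache when a CAE
// challenge supplies claims, retries once and returns whatever comes back.
function createBearerPolicy(credential) {
  let cached = null;
  return async function sendRequest(request, next) {
    if (!cached) cached = await credential.getToken({ scopes: request.scopes });
    request.headers.authorization = `Bearer ${cached.token}`;
    const response = await next(request);
    const claims = getCaeClaims(response);
    if (claims === null) return response;
    cached = await credential.getToken({ scopes: request.scopes, claims }); // never from cache
    request.headers.authorization = `Bearer ${cached.token}`;
    return next(request); // a second challenge goes back to the caller untouched
  };
}

// Constructed sample: a claims payload of the kind Entra ID sends after a revocation event.
const SAMPLE_CLAIMS = '{"access_token":{"nbf":{"essential":true,"value":"1726000000"}}}';
const SAMPLE_CHALLENGE = 'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", ' +
  `error="insufficient_claims", claims="${Buffer.from(SAMPLE_CLAIMS).toString("base64")}"`;

// Constructed stubs: the credential records the claims it was given and the transport
// challenges any token minted without claims. Returns the final status and claims seen.
async function runScenario() {
  const seen = [];
  const credential = { async getToken(ctx) { seen.push(ctx.claims ?? null); return { token: ctx.claims ? "fresh" : "stale" }; } };
  const next = async (req) => req.headers.authorization === "Bearer fresh"
    ? { status: 200, headers: {} } : { status: 401, headers: { "www-authenticate": SAMPLE_CHALLENGE } };
  const res = await createBearerPolicy(credential)({ scopes: ["https://example.invalid/.default"], headers: {} }, next);
  return { status: res.status, claimsSeen: seen };
}
```

Note that the policy hands claims to the credential on every challenge and retries only once, so a second 401 is returned to the caller rather than looped on.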

@christothes christothes added this to the 2024-11 milestone Sep 23, 2024
@joshfree joshfree modified the milestones: 2024-11, 2024-10 Sep 23, 2024
@joshfree
Member

stretch: october release cycle, pending access to test resources this week

@jeremymeng
Member

We have this related code in JS:

export async function authorizeRequestOnClaimChallenge(

@joshfree
Member

Adding to the Identity github project as well since we want to discuss in office hours and ship in November release cycle

@joshfree joshfree modified the milestones: 2024-10, 2024-11 Oct 16, 2024
@joshfree joshfree assigned minhanh-phan and unassigned maorleger Oct 16, 2024
minhanh-phan added a commit that referenced this issue Nov 6, 2024
#31185

This PR adds `enableCAE: true` by default. The updated logic for
`BearerAuthenticationPolicy` is as follows:
- Check if initial response returns a challenge
- If CAE challenge, handle it and return whatever response received next
- If not CAE challenge and a custom challenge handler is provided
through `authorizeRequestOnChallenge`, use custom handler to handle the
challenge. If there is another CAE challenge after, handle it and return
whatever response next. At max, the policy will resolve 2 challenges (1
non-CAE and 1 CAE challenge)