Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BearerTokenAuthenticationPolicy should support CAE token revocation challenges by default #41984

Open
christothes opened this issue Sep 23, 2024 · 2 comments
Open

BearerTokenAuthenticationPolicy should support CAE token revocation challenges by default #41984

christothes opened this issue Sep 23, 2024 · 2 comments
Assignees
@billwert
Labels
Azure.Core azure-core
Milestone
2024-11

Comments

@christothes
Copy link
Member

christothes commented Sep 23, 2024
edited
Loading

This feature entails adding CAE support for all clients lacking a custom challenge handler i.e., everyone except Key Vault and Storage.

Adding support involves adding logic to your BearerTokenAuthenticationPolicy such that it does the following:

  • Detects when a CAE challenge is issued (401 response with a WWW-Authenticate header)
  • Parses the WWW-Authenticate header (format here)
    • validate that the error value is "insufficient_claims"
    • capture the claims value and decode it from base64 encoding to a string
  • Pass the string value of the un-encoded claims to the TokenCredential via the TokenRequestContext or equivalent for your language via the Claims property
  • Ensure that any local token caching is bypassed in the policy when the claims are populated from a CAE challenge
  • Authorize the original request with the new token and send it through the pipeline again
  • Return any response to the caller (don't try to handle a second challenge)

Example PRs:
Azure/azure-sdk-for-go#23414
Azure/azure-sdk-for-net#46277
@christothes christothes added the Azure.Core azure-core label Sep 23, 2024
@christothes christothes added this to the 2024-11 milestone Sep 23, 2024
@joshfree joshfree modified the milestones: 2024-11, 2024-10 Sep 23, 2024
@joshfree
Copy link
Member

stretch: october release cycle, pending access to test resources this week

@weidongxu-microsoft
Copy link
Member

weidongxu-microsoft commented Sep 25, 2024
edited
Loading

there is a version of impl in azure-core-management (be cautious that this may not be the exact version you want in azure-core)
https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/core/azure-core-management/src/main/java/com/azure/core/management/http/policy/ArmChallengeAuthenticationPolicy.java

@billwert billwert modified the milestones: 2024-10, 2024-11 Oct 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@billwert billwert

Labels
Azure.Core azure-core
Projects
Azure Identity SDK Improvements
Status: Not Started
Java SDKs Azure Core
Status: No status
Milestone
2024-11
Development

No branches or pull requests
4 participants
@christothes @joshfree @billwert @weidongxu-microsoft