Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BearerTokenAuthenticationPolicy should support CAE token revocation challenges by default #46129

Closed
christothes opened this issue Sep 23, 2024 · 1 comment · Fixed by #46277
Closed

BearerTokenAuthenticationPolicy should support CAE token revocation challenges by default #46129

christothes opened this issue Sep 23, 2024 · 1 comment · Fixed by #46277
Assignees
@christothes
Labels
Azure.Core Client This issue points to a problem in the data-plane of the library.
Milestone
2024-10

Comments

@christothes
Copy link
Member

christothes commented Sep 23, 2024
edited
Loading

This feature entails adding CAE support for all clients lacking a custom challenge handler i.e., everyone except Key Vault and Storage.

Adding support involves adding logic to your BearerTokenAuthenticationPolicy such that it does the following:

  • Detects when a CAE challenge is issued (401 response with a WWW-Authenticate header)
  • Parses the WWW-Authenticate header (format here)
    • validate that the error value is "insufficient_claims"
    • capture the claims value and decode it from base64 encoding to a string
  • Pass the string value of the un-encoded claims to the TokenCredential via the TokenRequestContext or equivalent for your language via the Claims property
  • Ensure that any local token caching is bypassed in the policy when the claims are populated from a CAE challenge
  • Authorize the original request with the new token and send it through the pipeline again
  • Return any response to the caller (don't try to handle a second challenge)

Example PR: Azure/azure-sdk-for-go#23414
@christothes christothes self-assigned this Sep 23, 2024
@christothes christothes changed the title BearerTokenAuthenticationPolicy should support CAE challenges by default BearerTokenAuthenticationPolicy should support CAE token revocation challenges by default Sep 23, 2024
@jsquire jsquire added the Client This issue points to a problem in the data-plane of the library. label Sep 23, 2024
@christothes christothes added this to the 2024-11 milestone Sep 23, 2024
@joshfree joshfree modified the milestones: 2024-11, 2024-10 Sep 23, 2024
@joshfree
Copy link
Member

stretch: october release cycle, pending access to test resources this week

@christothes christothes mentioned this issue Sep 25, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@christothes christothes

Labels
Azure.Core Client This issue points to a problem in the data-plane of the library.
Projects
None yet
Milestone
2024-10
Development

Successfully merging a pull request may close this issue.

BearerTokenAuthenticationPolicy handles CAE challenges christothes/azure-sdk-for-net
3 participants
@jsquire @christothes @joshfree