[Feature Request] (RP only) Provide an option to associate tokens with the certificate serial number #5150

Closed
bgavrilMS opened this issue Feb 19, 2025 · 0 comments · Fixed by #5151
Labels: confidential-client, Feature Request, ICM (This issue has a corresponding ICM, either for our team or another.)

bgavrilMS commented Feb 19, 2025

MSAL client type

Confidential

Problem statement

Resource Providers need to associate tokens with the certificate. There are multiple certificates on each host, depending on attributes like the ARM resource ID etc., and for each combination of attributes there will be a different certificate being made available to them.

Today, Resource Providers need to partition the cache on their own, but this is error-prone and it's not future-proof, as they need to update their code every time a new attribute is defined.

Proposed solution

Add an overload of WithCertificate:

WithCertificate (X509Certificate2 certificate, bool sendX5C, bool associateTokensWithCertificateSerialNumber)

Internally, this uses the (internal) cache extensibility logic in MSAL to add an extra cache key component like ["certsn" : certificate.SerialNumber]

Note: this method should be placed in a new namespace called Microsoft.Identity.Client.RP

Note

Note: this is not a feature for MISE, as RPs should continue to use MSAL to get tokens. There is no scenario where they need to get auth headers or to call downstream APIs.

bgavrilMS added the needs attention, untriaged, Feature Request, ICM and confidential-client labels and removed the untriaged and needs attention labels Feb 19, 2025
bgavrilMS changed the title [Feature Request] (RP only) Provide an option to associate tokens with the SN/I certificate serial number [Feature Request] (RP only) Provide an option to associate tokens with the certificate serial number Feb 19, 2025
bgavrilMS linked a pull request Feb 25, 2025 that will close this issue
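
Added example, not code from the issue or from MSAL: a minimal C# model of the problem and the proposed fix, showing how a shared cache key hands one certificate's token to a caller configured with another certificate, and how an extra ["certsn" : certificate.SerialNumber] key component separates the entries. ModelTokenCache, BuildKey, GetOrAcquire, Issue, NewCert, the client/tenant/scope strings and the self-signed certificates are assumptions constructed for the illustration; it uses C# top-level statements (.NET 5 or later).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Constructed sample input: two throwaway self-signed certificates (random serial numbers).
using var certA = NewCert("rp-resource-a");
using var certB = NewCert("rp-resource-b");
var cache = new ModelTokenCache();
string Issue(X509Certificate2 c) => $"token-for-cert-{c.SerialNumber}"; // stand-in for a token request

// Shared key: the certB caller is served the entry that was created with certA.
string shared = ModelTokenCache.BuildKey("client-id", "tenant-id", "scope/.default");
cache.GetOrAcquire(shared, () => Issue(certA));
Console.WriteLine("shared key, certB caller got: " + cache.GetOrAcquire(shared, () => Issue(certB)));

// Key extended with ["certsn" : SerialNumber]: each certificate gets its own entry.
foreach (var cert in new[] { certA, certB })
{
    string key = ModelTokenCache.BuildKey("client-id", "tenant-id", "scope/.default", ("certsn", cert.SerialNumber));
    Console.WriteLine($"certsn={cert.SerialNumber} got: " + cache.GetOrAcquire(key, () => Issue(cert)));
}

static X509Certificate2 NewCert(string cn)
{
    using var rsa = RSA.Create(2048);
    var req = new CertificateRequest($"CN={cn}", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    return req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
}

// Hypothetical model of a partitioned token cache; these are not MSAL's internal types.
sealed class ModelTokenCache
{
    private readonly Dictionary<string, string> _entries = new();
    // Base key plus optional extra components, sorted by name so the key is stable.
    public static string BuildKey(string clientId, string tenantId, string scope,
        params (string Name, string Value)[] extra) =>
        string.Join("|", new[] { clientId, tenantId, scope }.Concat(
            extra.OrderBy(c => c.Name, StringComparer.Ordinal).Select(c => $"{c.Name}={c.Value}")));

    // Returns the cached token for the key, calling acquire only on a miss.
    public string GetOrAcquire(string key, Func<string> acquire)
    {
        if (!_entries.TryGetValue(key, out var token))
            _entries[key] = token = acquire();
        return token;
    }
}
```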