MsAuth10AtPop part2

[jennyf19]

No description provided.

[bgavrilMS]

I guess this is "new POP" as defined by ESTS (as opposed to MsAuth10ATPOP)? I would add some comments here to make it clear.

Not critical: For "new POP" I would recommend that you use MSAL's higher level API WithProofOfPossession(config). Since you won't be letting MSAL generate the SHR, you can do this:

class CryptoProvider :  IPoPCryptoProvider 
{
      string CannonicalPublicKeyJwk { get; } => JwkClaim;
      string CryptographicAlgorithm { get; } => "RS256";  // RSA only
      public byte[] Sign(byte[] data) 
      { 
          throw new NotImplementedException(); // Wilson will generate the SHR
      }
}

PoPAuthenticationConfiguration config = new PoPAuthenticationConfiguration();
config.CryptoProvider = new CryptoProvider();
builder.WithProofOfPossesion(config);

Note that this implies that MSAL computes the key id based on the JWK, i.e. kid=hash(JWK). If you want to support JWK and kid provided by user, I think the code that you wrote is the way to go.

[bgavrilMS]

Also note that this is RSA only. If you need to support other algorithms such as ECD, we need to run a small test to see if another param needs to be exposed or not. In MSAL we decided to expose CryptographicAlgorithm but I don't know if this is needed when Wilson creates the SHR.

[bgavrilMS]

Also happy to hear how we can re-design the PoPAuthenticationConfiguration interface. The original design did not take into account Wilson creating the SHR. It works, but it's clunky...

[jennyf19]

@jmprieur said you synced off-line and are okay with this proposal, is that right?

[jmprieur]

@bgavrilMS
Would it be possible, when we use builder.WithProofOfPosessionKeyId(popPublicKey) that MSAL does not compute the signed assertion? (as it's not necessary)
I can create a GitHub issue in the MSAL.NET repo if you agree.

[jmprieur]

LGTM
Thanks @jennyf19

successfully tested