-
Notifications
You must be signed in to change notification settings - Fork 374
Proof Of Possession (PoP) tokens
This is a new feature introduced in MSAL 4.8. Currently it is supported only in .net 45 and for public client flows.
Bearer tokens are the norm in modern identity flows, however they are vulnerable to being stolen and used to access a protected resource.
Proof of Possession (PoP) tokens mitigate this threat via 2 mechanisms:
- they are bound to the user / machine that wants to access a protected resource, via a public / private key pair
- they are bound to the protected resource itself, i.e. a token that is used to access
GET https://contoso.com/transactionscannot be used to accessGET https://contoso.com/tranfer/100
For more details, see RFC 7800
// The PoP token will be bound to this user / machine and to `GET https://www.contoso.com/tranfers` (the query params are not bound)
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, new Uri("https://www.contoso.com/tranfers?user=me"));
var pca = PublicClientApplicationBuilder.Create(CLIENT_ID)
.WithExperimentalFeatures() // Currently POP is marked as an experimental feature
.Build();
await pca
.AcquireTokenInteractive (new[] { "scope"})
.WithProofOfPosession(request)
.ExecuteAsync()
.ConfigureAwait(false);
// An Authentication Header with the POP token will have been added by MSAL
(new HttpClient()).SendAsync(request);An RSA key pair of length 2048 is generated by MSAL and stored in a container named "com.microsoft.msal". Containers are a Windows feature. Only the logged in user can access this key. For more details please inspect the code
To use PoP, you first need to protect an API with PoP. More details in the wiki.
If you are writing a new API, you protected using PoP exclusively and require clients to generate PoP tokens. If you are upgrading an existing API, consider supporting both Bearer and PoP tokens for a while, to allow clients to migrate. MSAL supports requesting both Bearer and PoP tokens for the same resource.
We await questions and feedback on this feature. The next steps for this are:
- allow PoP tokens on other platforms, .NET Core in particular
- extend support on Confidential Client
- allow developers to bring their own keys, e.g. certificates
- protect the Refresh Tokens with the same technique, i.e. PoP refresh tokens.
- Home
- Why use MSAL.NET
- Is MSAL.NET right for me
- Scenarios
- Register your app with AAD
- Client applications
- Acquiring tokens
- MSAL samples
- Known Issues
- Acquiring a token for the app
- Acquiring a token on behalf of a user in Web APIs
- Acquiring a token by authorization code in Web Apps
- AcquireTokenInteractive
- WAM - the Windows broker
- .NET Core
- Maui Docs
- Custom Browser
- Applying an AAD B2C policy
- Integrated Windows Authentication for domain or AAD joined machines
- Username / Password
- Device Code Flow for devices without a Web browser
- ADFS support
- High Availability
- Regional
- Token cache serialization
- Logging
- Exceptions in MSAL
- Provide your own Httpclient and proxy
- Extensibility Points
- Clearing the cache
- Client Credentials Multi-Tenant guidance
- Performance perspectives
- Differences between ADAL.NET and MSAL.NET Apps
- PowerShell support
- Testing apps that use MSAL
- Experimental Features
- Proof of Possession (PoP) tokens
- Using in Azure functions
- Extract info from WWW-Authenticate headers
- SPA Authorization Code