Fix MSAuth + x5c

Author: bgavrilMS

src/Microsoft.Identity.Web.TokenAcquisition/MsAuth10AtPop.cs

@@ -19,7 +19,8 @@ internal static AcquireTokenForClientParameterBuilder WithAtPop(
             X509Certificate2 clientCertificate,
             string popPublicKey,
             string jwkClaim,
-            string clientId)
+            string clientId,
+            bool sendX5C)
         {
             _ = Throws.IfNull(popPublicKey);
             _ = Throws.IfNull(jwkClaim);
@@ -31,10 +32,12 @@ internal static AcquireTokenForClientParameterBuilder WithAtPop(
                      clientCertificate,
                      data.RequestUri.AbsoluteUri,
                      jwkClaim,
-                     clientId);
+                     clientId, 
+                     sendX5C);
 
                  data.BodyParameters.Remove("client_assertion");
                  data.BodyParameters.Add("request", signedAssertion);
+
                  return Task.CompletedTask;
              });
 
@@ -45,7 +48,8 @@ internal static AcquireTokenForClientParameterBuilder WithAtPop(
             X509Certificate2 certificate,
             string audience,
             string jwkClaim,
-            string clientId)
+            string clientId,
+            bool sendX5C)
         {
             // no need to add exp, nbf as JsonWebTokenHandler will add them by default
             var claims = new Dictionary<string, object>()
@@ -57,12 +61,24 @@ internal static AcquireTokenForClientParameterBuilder WithAtPop(
                 { "pop_jwk", jwkClaim }
             };
 
+            var signingCredentials = new X509SigningCredentials(certificate);
             var securityTokenDescriptor = new SecurityTokenDescriptor
-            {
+            { 
                 Claims = claims,
-                SigningCredentials = new X509SigningCredentials(certificate)
+                SigningCredentials = signingCredentials
             };
 
+            if (sendX5C)
+            {
+                if (signingCredentials.Key is X509SecurityKey x509SecurityKey)
+                {
+                    string x5cValue = Convert.ToBase64String(x509SecurityKey.Certificate.GetRawCertData());
+
+                    // Does not seem to work?!
+                    securityTokenDescriptor.AdditionalHeaderClaims = new Dictionary<string, object>() { { "x5c", x5cValue } };
+                }
+            }
+
             var handler = new JsonWebTokenHandler();
             return handler.CreateToken(securityTokenDescriptor);
         }

src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs

@@ -435,7 +435,8 @@ public async Task<AuthenticationResult> GetAuthenticationResultForAppAsync(
                             application.AppConfig.ClientCredentialCertificate,
                             tokenAcquisitionOptions.PopPublicKey!,
                             tokenAcquisitionOptions.PopClaim!,
-                            application.AppConfig.ClientId);
+                            application.AppConfig.ClientId,
+                            mergedOptions.SendX5C);
                     }
                 }
             }

tests/Microsoft.Identity.Web.Test.Common/Mocks/MockHttpMessageHandler.cs

@@ -12,7 +12,7 @@ namespace Microsoft.Identity.Web.Test.Common.Mocks
 {
     public class MockHttpMessageHandler : HttpMessageHandler
     {
-        public Func<MockHttpMessageHandler, MockHttpMessageHandler> ReplaceMockHttpMessageHandler;
+        public Func<MockHttpMessageHandler, MockHttpMessageHandler> ReplaceMockHttpMessageHandler { get; set; }
 
 #pragma warning disable CS8618 // Non-nullable field must contain a non-null value when exiting constructor. Consider declaring as nullable.
         public MockHttpMessageHandler()
@@ -53,14 +53,17 @@ protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage reques
             if (uri.AbsoluteUri.Contains("/discovery/instance"))
 #endif
             {
-                ReplaceMockHttpMessageHandler(this);
-
-                var responseMessage = new HttpResponseMessage(HttpStatusCode.OK)
+                if (ReplaceMockHttpMessageHandler != null)
                 {
-                    Content = new StringContent(TestConstants.DiscoveryJsonResponse),
-                };
+                    ReplaceMockHttpMessageHandler(this);
+
+                    var responseMessage = new HttpResponseMessage(HttpStatusCode.OK)
+                    {
+                        Content = new StringContent(TestConstants.DiscoveryJsonResponse),
+                    };
 
-                return Task.FromResult(responseMessage);
+                    return Task.FromResult(responseMessage);
+                }
             }
 
             if (!string.IsNullOrEmpty(ExpectedUrl))

tests/Microsoft.Identity.Web.Test/MsAuth10AtPopTests.cs

@@ -3,29 +3,49 @@
 
 using System;
 using System.Security.Cryptography.X509Certificates;
+using System.Threading.Tasks;
 using Microsoft.Identity.Client;
 using Microsoft.Identity.Web.Test.Common;
+using Microsoft.Identity.Web.Test.Common.Mocks;
 using Xunit;
 
 namespace Microsoft.Identity.Web.Test
 {
     public class MsAuth10AtPopTests
     {
         [Fact]
-        public void MsAuth10AtPop_WithAtPop_ShouldPopulateBuilderWithProofOfPosessionKeyIdAndOnBeforeTokenRequestTest()
+        public async Task MsAuth10AtPop_WithAtPop_ShouldPopulateBuilderWithProofOfPosessionKeyIdAndOnBeforeTokenRequestTestAsync()
         {
             // Arrange
-            var builder = ConfidentialClientApplicationBuilder.Create(TestConstants.ClientId);
-            builder.WithExperimentalFeatures();
-            builder.WithClientSecret(TestConstants.ClientSecret);
-            var app = builder.Build();
-            var clientCertificate = new X509Certificate2(new byte[0]);
+
+            MockHttpClientFactory mockHttpClientFactory = new MockHttpClientFactory();
+            var tokenHandler = MockHttpCreator.CreateClientCredentialTokenHandler();
+            mockHttpClientFactory.AddMockHandler(MockHttpCreator.CreateInstanceDiscoveryMockHandler());
+            mockHttpClientFactory.AddMockHandler(tokenHandler);
+
+            var certificateDescription = CertificateDescription.FromBase64Encoded(
+                TestConstants.CertificateX5cWithPrivateKey, 
+                TestConstants.CertificateX5cWithPrivateKeyPassword);
+            ICertificateLoader loader = new DefaultCertificateLoader();
+            loader.LoadIfNeeded(certificateDescription);
+
+            Assert.NotNull(certificateDescription.Certificate);
+
+            var app = ConfidentialClientApplicationBuilder.Create(TestConstants.ClientId)
+                            .WithExperimentalFeatures()
+                            .WithCertificate(certificateDescription.Certificate)
+                            .WithHttpClientFactory(mockHttpClientFactory)
+                            .Build();
+
+            
             var popPublicKey = "pop_key";
             var jwkClaim = "jwk_claim";
             var clientId = "client_id";
 
             // Act
-            var result = MsAuth10AtPop.WithAtPop(app.AcquireTokenForClient(new[] { TestConstants.Scopes }), clientCertificate, popPublicKey, jwkClaim, clientId);
+            AuthenticationResult result = await app.AcquireTokenForClient(new[] { TestConstants.Scopes })
+                .WithAtPop(certificateDescription.Certificate, popPublicKey, jwkClaim, clientId, true)
+                .ExecuteAsync();
 
             // Assert
             Assert.NotNull(result);
@@ -41,7 +61,13 @@ public void MsAuth10AtPop_ThrowsWithNullPopKeyTest()
             var clientId = "client_id";
 
             // Act & Assert
-            Assert.Throws<ArgumentNullException>(() => MsAuth10AtPop.WithAtPop(app.AcquireTokenForClient(new[] { TestConstants.Scopes }), clientCertificate, string.Empty, jwkClaim, clientId));
+            Assert.Throws<ArgumentNullException>(() => MsAuth10AtPop.WithAtPop(
+                app.AcquireTokenForClient(new[] { TestConstants.Scopes }), 
+                clientCertificate, 
+                string.Empty,
+                jwkClaim, 
+                clientId, 
+                true));
         }
 
         [Fact]
@@ -55,7 +81,9 @@ public void MsAuth10AtPop_ThrowsWithNullJwkClaimTest()
 
             // Act & Assert
 #pragma warning disable CS8625 // Cannot convert null literal to non-nullable reference type.
-            Assert.Throws<ArgumentNullException>(() => MsAuth10AtPop.WithAtPop(app.AcquireTokenForClient(new[] { TestConstants.Scopes }), clientCertificate, popPublicKey, null, clientId));
+            Assert.Throws<ArgumentNullException>(() => MsAuth10AtPop.WithAtPop(
+                app.AcquireTokenForClient(new[] { TestConstants.Scopes }),
+                clientCertificate, popPublicKey, null, clientId, true));
 #pragma warning restore CS8625 // Cannot convert null literal to non-nullable reference type.
         }