This repository has been archived by the owner on Aug 28, 2023. It is now read-only.

Support client_assertion for OIDC auth flow #231

Closed
Huan9 opened this issue Oct 14, 2016 · 2 comments

@Huan9

Huan9 commented Oct 14, 2016

We are using a Microsoft first-party app as our AAD app to do auth. For all first-party apps, we cannot use client_key to get an access token; we are forced to use client assertion to get access tokens from Azure AD. => Without support for client_assertion, our subscription linking scenario will get blocked.

More detail has been described here:

https://azure.microsoft.com/en-us/documentation/articles/guidance-multitenant-identity-client-assertion/

So basically, it would be ideal if we could pass in our private key in the config and the library could help to generate the signed JWT client_assertion when doing the token exchange process.

P.S. Search for client_assertion in the blogs below; I think it helps to understand how the flow works:
http://www.dushyantgill.com/blog/2015/05/23/developers-guide-to-auth-with-azure-resource-manager-api/

http://www.andrewconnell.com/blog/user-app-app-only-permissions-client-credentials-grant-flow-in-azure-ad-office-365-apis

@Huan9

Huan9 commented Oct 14, 2016

@lovemaths Thank you for the help for the other 3 feature requests. Hope you can help with this as well!

@lovemaths lovemaths self-assigned this Oct 15, 2016
@lovemaths lovemaths added this to the 3.0.1 milestone Oct 15, 2016
@lovemaths lovemaths added the P1 label Oct 15, 2016
@lovemaths lovemaths removed the P1 label Nov 1, 2016
lovemaths added a commit that referenced this issue Jan 4, 2017
For hybrid/code flow, client secret or client assertion is required to redeem the authorization code for an access token. This fix enables the user to use client assertion.

1. Added `thumbprint` and `privatePEMKey` options, so the user can use the client assertion flow. However, client secret flow takes precedence. We will use client secret flow if the `clientSecret` option is provided by the user, regardless of the values of `thumbprint` and `privatePEMKey`.
2. Added unit tests and end-to-end tests for client assertion flow.
lovemaths added a commit that referenced this issue Jan 6, 2017
Issue #231 Support client_assertion for OIDC auth flow
@lovemaths

@Huan9 We added this feature in release 3.0.4.

@brentschmaltz brentschmaltz modified the milestones: 3.0.4, 3.0.1 Feb 28, 2017
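
The client assertion flow discussed in this thread, as an added example that is not the library's own code: it signs a JWT client assertion with the private key and applies the precedence rule from the commit message when building the code-redemption request. The option names `clientID` and `tokenEndpoint`, the 10-minute lifetime, the use of the thumbprint as the `x5t` header, and all sample values are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

// base64url without padding, as JWS (RFC 7515) requires
const b64url = (buf) => Buffer.from(buf).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Build the RS256-signed JWT that authenticates the client at the token endpoint.
function buildClientAssertion({ clientID, tokenEndpoint, thumbprint, privatePEMKey }, now = Date.now()) {
  const iat = Math.floor(now / 1000);
  const header = {
    alg: 'RS256', typ: 'JWT',
    // x5t: base64url of the certificate thumbprint bytes (thumbprint supplied as hex)
    x5t: b64url(Buffer.from(thumbprint.replace(/[^0-9a-f]/gi, ''), 'hex')),
  };
  const claims = {
    iss: clientID, sub: clientID, aud: tokenEndpoint,
    jti: crypto.randomUUID(),   // unique per request so the server can reject replays
    nbf: iat, exp: iat + 600,   // short lifetime (10 minutes, an assumed value)
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privatePEMKey);
  return `${signingInput}.${b64url(sig)}`;
}

// Form parameters for redeeming an authorization code. As in the commit message,
// clientSecret wins when present, regardless of thumbprint/privatePEMKey.
function tokenRequestParams(options, code, redirectUri) {
  const params = {
    grant_type: 'authorization_code', code, redirect_uri: redirectUri, client_id: options.clientID,
  };
  if (options.clientSecret) {
    params.client_secret = options.clientSecret;
  } else if (options.thumbprint && options.privatePEMKey) {
    params.client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
    params.client_assertion = buildClientAssertion(options);
  } else {
    throw new Error('clientSecret, or thumbprint plus privatePEMKey, is required');
  }
  return params;
}

// Constructed sample input: throwaway key pair, made-up thumbprint, client ID and endpoint.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sampleOptions = {
  clientID: '00000000-0000-0000-0000-000000000000',
  tokenEndpoint: 'https://login.example.test/tenant/oauth2/token',
  thumbprint: 'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678',
  privatePEMKey: privateKey.export({ type: 'pkcs1', format: 'pem' }),
};
```

With this approach the private key never leaves the client; only the signed assertion is sent to the token endpoint.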