Issue #231 Support client_assertion for OIDC auth flow #275
Conversation
For hybrid/code flow, client secret or client assertion is required to redeem the authorization code for access token. This fix enables user to use client assertion. 1. Added `thumbprint` and `privatePEMKey` options, so user can use the client assertion flow. However, client secret flow takes precedence. We will use client secret flow if `clientSecret` option is provided by user, regardless the values of `thumbprint` and `privatePEMKey`. 2. Added unit tests and end to end tests for client assertion flow.
| if (options.responseType !== 'id_token') { | ||
| if (options.isB2C && !options.clientSecret) { | ||
| // for B2C, clientSecret is required to redeem authorization code. | ||
| throw new Error('clientSecret is not provided.'); |
There was a problem hiding this comment.
Please add context in this error message indicating that the scenario is B2C.
| post_params['client_assertion'] = assertion; | ||
| }); | ||
|
|
||
| log.info('In _getAccessTokenBySecretOrAssertion: we created a client assertion: ' + post_params['client_assertion']); |
There was a problem hiding this comment.
recommend not logging the client assertion, just the thumbprint.
| @@ -144,6 +145,18 @@ var apply_test_parameters = (done) => { | |||
| hybrid_config_with_scope = JSON.parse(JSON.stringify(config_template)); | |||
| hybrid_config_with_scope.scope = ['email', 'profile', 'offline_access', 'https://graph.microsoft.com/mail.read']; | |||
|
|
|||
| // 6. Hybird flow using client assertion | |||
| hybrid_config_clientAssertion = JSON.parse(JSON.stringify(hybrid_config)); | |||
There was a problem hiding this comment.
is hybrid_config variable needed? could you use config_template?
There was a problem hiding this comment.
hybrid_config is needed since we also have code_config and implicit_config variables, for the three different flows.
| // 4. hybrid flow using client assertion with wrong thumbprint | ||
| hybrid_config_clientAssertion_wrong_thumbprint = JSON.parse(JSON.stringify(hybrid_config)); | ||
| hybrid_config_clientAssertion_wrong_thumbprint.thumbprint = 'wrongThumbprint'; | ||
| hybrid_config_clientAssertion_wrong_thumbprint.privatePEMKey = test_parameters.privatePEMKey; |
There was a problem hiding this comment.
is there a test for an invalid 'privatePEMKey' where the key is valid, but not registered with AzureAD?
| hybrid_config_clientAssertion.clientSecret = null; | ||
|
|
||
| // 7. Code flow using client assertion | ||
| code_config_clientAssertion = JSON.parse(JSON.stringify(code_config)); |
There was a problem hiding this comment.
is code_config variable needed? could you use config_template?
There was a problem hiding this comment.
It is needed. To get code_config, we make a copy of config_template, and change the responseType field to 'code'.
lovemaths
force-pushed
the
sijliu/assertion
branch
from
7507534 to
f2ee3d9
Compare
|
|
For hybrid/code flow, client secret or client assertion is required to redeem the authorization code for access token. This fix enables user to use client assertion.
thumbprintandprivatePEMKeyoptions, so user can use the client assertion flow. However, client secret flow takes precedence. We will use client secret flow ifclientSecretoption is provided by user, regardless the values ofthumbprintandprivatePEMKey.