[Feature Request] Web APIs accept Proof of Possession tokens
See original GitHub issueIs your feature request related to a problem? Please describe. Microsoft.IdentityModel now support Proof Of Possession (PoP = SignedHttpRequest). This is illustrated in the following sample https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/4.-Console-app-calls-web-API-with-PoP which contains a folder named Microsoft.Identity.Web.Future
See usage in 4.-Console-app-calls-web-API-with-PoP/TodoListService/Startup.cs#L23-L29
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddProtectedWebApi(Configuration)
.AddProtectedWebApiCallsProtectedWebApi(Configuration)
.AddPop(Configuration)
.AddInMemoryTokenCaches();
What needs to be done? Import in Microsoft.Identity.Web:
- Microsoft.Identity.Web.Future/SignedHttpRequest
- Microsoft.Identity.Web.Future/WebApiServiceCollectionExtensions.cs
- Add unit tests
Note: the other files are duplicates of existing files in MIcrosoft.Identity.Web as these are internal and Microsoft.Identity.Web.Future is not friend of Microsoft.Identity.Web
Issue Analytics
- State:
- Created 3 years ago
- Comments:6
Top Results From Across the Web
Proof-of-Possession (PoP) tokens
Learn how to acquire Proof-of-Possession tokens for public and confidential clients in MSAL.NET.
Read more >Proof-of-Possession Access Tokens
On the other hand, Proof-of-Possession (PoP) tokens are bound to the client that requested the token. This is also often called sender constraining....
Read more >Configure OAuth 2.0 Demonstrating Proof-of-Possession
On the Applications page, open the app. · Click Edit in General Settings. · Select the Require Demonstrating Proof of Possession (DPoP) header...
Read more >Securing APIs using ASP.NET Core and OAuth 2.0 DPoP
This article shows how an ASP.NET Core application can access an ASP.NET Core API using OAuth Demonstrating Proof-of-Possession (DPoP).
Read more >Illustrated DPoP (OAuth Access Token Security Enhancement)
This article explains a specification called “DPoP”, OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer.
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Can you please add Microsoft.Identity.Web.Future to Microsoft.Identity.Web or at least publish it as a nuget package? I’d like to use the POP Authentication Scheme it offers and don’t want to clone the library. Thanks! Here’s where I found the code: https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/4-Call-OwnApi-Pop/Microsoft.Identity.Web.Future
@jmprieur yes, probably, but maybe for next next release…like not 0.1.2, but 0.1.3, as we have several items for 0.1.2, unless you want to move that up, move something else out. my 2 cents.