Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[Feature Request] Web APIs accept Proof of Possession tokens

See original GitHub issue

Is your feature request related to a problem? Please describe. Microsoft.IdentityModel now support Proof Of Possession (PoP = SignedHttpRequest). This is illustrated in the following sample https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/4.-Console-app-calls-web-API-with-PoP which contains a folder named Microsoft.Identity.Web.Future

See usage in 4.-Console-app-calls-web-API-with-PoP/TodoListService/Startup.cs#L23-L29

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddProtectedWebApi(Configuration)
                    .AddProtectedWebApiCallsProtectedWebApi(Configuration)
                    .AddPop(Configuration)
                    .AddInMemoryTokenCaches();

What needs to be done? Import in Microsoft.Identity.Web:

Note: the other files are duplicates of existing files in MIcrosoft.Identity.Web as these are internal and Microsoft.Identity.Web.Future is not friend of Microsoft.Identity.Web

Issue Analytics

State:
Created 3 years ago
Comments:6

Top GitHub Comments

1reaction

dpomBFcommented, Mar 4, 2021

Can you please add Microsoft.Identity.Web.Future to Microsoft.Identity.Web or at least publish it as a nuget package? I’d like to use the POP Authentication Scheme it offers and don’t want to clone the library. Thanks! Here’s where I found the code: https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/4-Call-OwnApi-Pop/Microsoft.Identity.Web.Future

1reaction

jennyf19commented, Apr 17, 2020

@jmprieur yes, probably, but maybe for next next release…like not 0.1.2, but 0.1.3, as we have several items for 0.1.2, unless you want to move that up, move something else out. my 2 cents.

Top Results From Across the Web

Proof-of-Possession (PoP) tokens

Learn how to acquire Proof-of-Possession tokens for public and confidential clients in MSAL.NET.

Proof-of-Possession Access Tokens

On the other hand, Proof-of-Possession (PoP) tokens are bound to the client that requested the token. This is also often called sender constraining....

Configure OAuth 2.0 Demonstrating Proof-of-Possession

On the Applications page, open the app. · Click Edit in General Settings. · Select the Require Demonstrating Proof of Possession (DPoP) header...

Securing APIs using ASP.NET Core and OAuth 2.0 DPoP

This article shows how an ASP.NET Core application can access an ASP.NET Core API using OAuth Demonstrating Proof-of-Possession (DPoP).

Illustrated DPoP (OAuth Access Token Security Enhancement)

This article explains a specification called “DPoP”, OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer.