Design Document: Mutual TLS (mTLS) Proof-of-Possession (PoP) Tokens Implementation #5087
base: main
@@ -0,0 +1,192 @@ | |||
# Overview | |||
|
|||
Bearer tokens are vulnerable to theft. Proof-of-Possession (PoP) tokens mitigate this by binding tokens to a specific client certificate. mTLS PoP tokens enhance this security by using mutual TLS (mTLS) to ensure the token is tied to the certificate used for authentication. |
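Review bot: the Overview's claim that PoP mitigates token theft holds only if the resource server actually checks the binding, and the visible text says neither what in the token expresses the binding nor what is checked at the resource. Suggest adding one sentence after "tied to the certificate used for authentication" stating how the token references the client certificate and that a token presented without the matching certificate is rejected, so readers can see what the mitigation depends on.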
When you say "the token is tied to the certificate used for authentication", are you saying that the SNI cert used to authenticate the app is also used to init the HTTP mTLS connection? Are you not able to use 2 different certs here?
|
||
##### Authority URL Validation | ||
|
||
- Avoid using `/common` in the authority URL. Use a tenanted authority instead. |
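Review bot: "Avoid using `/common`" reads as guidance rather than a validation rule, while the Authority Type Validation bullet specifies a concrete exception and error code for unsupported authorities. State whether a `/common` authority is rejected by the SDK (and with which exception and error code) or merely discouraged in documentation, and whether the rule applies to other non-tenant aliases as well; as written, a test cannot tell which behaviour to assert.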
Should this also fail if using /consumers or /organizations?
+1. Maybe not /consumers, as that's an actual tenant. But yes to /organizations.
Maybe you can add an example code snippet of what the app creation and token acquisition APIs look like?
I would maybe add a few more details to the image. Like, what is sent to ESTS to initialize this flow and acquire the token initially. What does ESTS return (what is special about the token)? Things like that.
Overall looks great @gladjohn
|
||
## Task List | ||
|
||
### [EPIC 3127989](https://identitydivision.visualstudio.com/Engineering/_workitems/edit/3127989) - Public Preview - SDK support for MTLS-POP tokens for SN/I certificates |
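Review bot: the Task List heading links to an identitydivision.visualstudio.com work item, which contributors outside the organization cannot open, and the visible heading carries only the epic title. Suggest summarizing the epic's scope inline (public preview, SDK support for MTLS-POP tokens with SN/I certificates, and the concrete work items it covers) so the task list is usable without the internal link.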
Add a link to the MISE doc
- Flow is applicable only to AAD and DSTS authorities. | ||
- Unsupported authority types (e.g., B2C) will result in `MsalClientException` with the error `MsalError.InvalidAuthorityType`. | ||
|
||
##### Authority URL Validation |
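Review bot: the "Authority URL Validation" heading closing this region repeats the heading that opens the earlier region, and the "Flow is applicable only to AAD and DSTS authorities" bullet above it is repeated again under "Authority Type Validation"; keep one copy of each. For the `MsalClientException` / `MsalError.InvalidAuthorityType` bullet, also state at which point the check runs (when the request is built or when the token is acquired), since that is what a test of this behaviour has to assert on.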
This paragraph is duplicate in the acceptance tests below.
|
||
##### Authority Type Validation | ||
|
||
- Flow is applicable only to AAD and DSTS authorities. |
Needs a paragraph around the endpoint used.
Mutual TLS (mTLS) Proof-of-Possession (PoP) Tokens Design Document

This pull request introduces a comprehensive design document for the implementation of mutual TLS (mTLS) Proof-of-Possession (PoP) tokens using Subject Name Issuer (SNI) certificates. The document outlines the security benefits, token flow, implementation details, and testing strategies for this feature.

Key Changes

- Design and Implementation Details: `WithMtlsProofOfPossession()` API at the CCA request level, specifying the required configurations and validations for certificates, authority types, and Azure regions.
- Testing and Validation
- Developer Guidance and Task List: `WithMtlsProofOfPossession()` feature.

By highlighting that the design is based on the MSAL .NET implementation, this description provides context for reviewers and collaborators, indicating that the document leverages existing work and insights from the .NET version of the Microsoft Authentication Library.

Reference Documentation

For more detailed information on the Proof-of-Possession (PoP) tokens implementation in MSAL .NET, you can refer to the MSAL .NET pull request: Proof-of-Possession (PoP) tokens in MSAL .NET
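The Overview in the design document states that a PoP token is bound to the client certificate, so that a stolen token is not usable on its own. The following is an added illustration of what the resource-server side of that binding looks like; it is not code from this pull request, from MSAL, or from the MSAL .NET reference. It assumes the token carries the RFC 8705 binding (a `cnf` claim whose `x5t#S256` member is the base64url SHA-256 thumbprint of the certificate's DER bytes); the page itself does not say how the binding is expressed. JWT signature verification is assumed to have happened already and is out of scope, and the certificate bytes are constructed stand-ins for real DER.

```python
"""
Resource-server-side check of an mTLS-bound (PoP) access token.

Added illustration, not code from this PR or from MSAL. Assumes the token
carries the RFC 8705 binding: a "cnf" claim whose "x5t#S256" member is the
base64url-encoded SHA-256 thumbprint of the client certificate's DER bytes.
JWT signature verification is assumed to have been done already; the
certificate bytes below are constructed stand-ins for real DER.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as used by JWS/JWK (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding base64 requires."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def x5t_s256(cert_der: bytes) -> str:
    """Certificate thumbprint as defined in RFC 8705 section 3.1."""
    return b64url(hashlib.sha256(cert_der).digest())


def jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWS (signature check assumed done)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def token_is_bound_to(token: str, presented_cert_der: bytes) -> bool:
    """True only if the token's cnf thumbprint matches the presented certificate.

    A token without a cnf claim (a plain bearer token) is rejected outright:
    the point of the PoP design is that holding the token alone is not enough.
    """
    claims = jwt_payload(token)
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or "x5t#S256" not in cnf:
        return False
    expected = cnf["x5t#S256"]
    actual = x5t_s256(presented_cert_der)
    # Constant-time comparison; both values are ASCII strings.
    return hmac.compare_digest(expected, actual)


def make_unsigned_pop_token(cert_der: bytes) -> str:
    """Build a constructed token for the demo only: alg=none, no real signature."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({
        "sub": "app-id-placeholder",            # hypothetical subject
        "cnf": {"x5t#S256": x5t_s256(cert_der)},  # binding to the client cert
    }).encode())
    return f"{header}.{payload}."


# Constructed stand-ins for DER-encoded certificates (not real certificates).
LEGIT_CERT_DER = b"constructed-der-bytes-for-the-legitimate-client-cert"
OTHER_CERT_DER = b"constructed-der-bytes-for-some-other-cert"

if __name__ == "__main__":
    token = make_unsigned_pop_token(LEGIT_CERT_DER)
    print(token_is_bound_to(token, LEGIT_CERT_DER))  # True
    # The same token replayed over a connection with a different client cert.
    print(token_is_bound_to(token, OTHER_CERT_DER))  # False
```

The second call is the theft scenario the Overview refers to: the token is intact, but the presenter cannot complete the mTLS handshake with the bound certificate's private key, so the thumbprint the resource computes from the presented certificate does not match the `cnf` claim and the request is refused.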