Adding sendX5C api to the acquire token by refresh token and auth code flows for confidential clients to enable SN+I. (#1492)

Author: trwalke

src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenByAuthorizationCodeParameterBuilder.cs

@@ -66,6 +66,24 @@ internal override Task<AuthenticationResult> ExecuteInternalAsync(CancellationTo
         {
             return ConfidentialClientApplicationExecutor.ExecuteAsync(CommonParameters, Parameters, cancellationToken);
         }
+
+        /// <summary>
+        /// Specifies if the x5c claim (public key of the certificate) should be sent to the STS.
+        /// Sending the x5c enables application developers to achieve easy certificate roll-over in Azure AD:
+        /// this method will send the public certificate to Azure AD along with the token request,
+        /// so that Azure AD can use it to validate the subject name based on a trusted issuer policy.
+        /// This saves the application admin from the need to explicitly manage the certificate rollover
+        /// (either via portal or powershell/CLI operation)
+        /// </summary>
+        /// <param name="withSendX5C"><c>true</c> if the x5c should be sent. Otherwise <c>false</c>.
+        /// The default is <c>false</c></param>
+        /// <returns>The builder to chain the .With methods</returns>
+        public AcquireTokenByAuthorizationCodeParameterBuilder WithSendX5C(bool withSendX5C)
+        {
+            CommonParameters.AddApiTelemetryFeature(ApiTelemetryFeature.WithSendX5C);
+            Parameters.SendX5C = withSendX5C;
+            return this;
+        }
     }
 #endif
 }

src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenByRefreshTokenParameterBuilder.cs

@@ -53,5 +53,26 @@ internal override ApiEvent.ApiIds CalculateApiEventId()
         {
             return ApiEvent.ApiIds.AcquireTokenByRefreshToken;
         }
+
+#if !ANDROID_BUILDTIME && !iOS_BUILDTIME && !WINDOWS_APP_BUILDTIME && !MAC_BUILDTIME // Hide on mobile platforms
+
+        /// <summary>
+        /// Specifies if the x5c claim (public key of the certificate) should be sent to the STS.
+        /// Sending the x5c enables application developers to achieve easy certificate roll-over in Azure AD:
+        /// this method will send the public certificate to Azure AD along with the token request,
+        /// so that Azure AD can use it to validate the subject name based on a trusted issuer policy.
+        /// This saves the application admin from the need to explicitly manage the certificate rollover
+        /// (either via portal or powershell/CLI operation)
+        /// </summary>
+        /// <param name="withSendX5C"><c>true</c> if the x5c should be sent. Otherwise <c>false</c>.
+        /// The default is <c>false</c></param>
+        /// <returns>The builder to chain the .With methods</returns>
+        public AcquireTokenByRefreshTokenParameterBuilder WithSendX5C(bool withSendX5C)
+        {
+            CommonParameters.AddApiTelemetryFeature(ApiTelemetryFeature.WithSendX5C);
+            Parameters.SendX5C = withSendX5C;
+            return this;
+        }
+#endif
     }
 }

src/client/Microsoft.Identity.Client/ApiConfig/Executors/ClientApplicationBaseExecutor.cs

@@ -64,6 +64,8 @@ public async Task<AuthenticationResult> ExecuteAsync(
 
             requestContext.Logger.Info(LogMessages.UsingXScopesForRefreshTokenRequest(commonParameters.Scopes.Count()));
 
+            requestParameters.SendX5C = refreshTokenParameters.SendX5C;
+
             var handler = new ByRefreshTokenRequest(ServiceBundle, requestParameters, refreshTokenParameters);
             return await handler.RunAsync(CancellationToken.None).ConfigureAwait(false);
         }

src/client/Microsoft.Identity.Client/ApiConfig/Executors/ConfidentialClientExecutor.cs

@@ -33,6 +33,7 @@ public async Task<AuthenticationResult> ExecuteAsync(
                 commonParameters,
                 requestContext,
                 _confidentialClientApplication.UserTokenCacheInternal);
+            requestParams.SendX5C = authorizationCodeParameters.SendX5C;
 
             var handler = new AuthorizationCodeRequest(
                 ServiceBundle,

src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenByAuthorizationCodeParameters.cs

@@ -10,6 +10,8 @@ internal class AcquireTokenByAuthorizationCodeParameters : IAcquireTokenParamete
     {
         public string AuthorizationCode { get; set; }
 
+        public bool SendX5C { get; set; }
+
         public void LogParameters(ICoreLogger logger)
         {
         }

src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenByRefreshTokenParameters.cs

@@ -10,6 +10,8 @@ internal class AcquireTokenByRefreshTokenParameters : IAcquireTokenParameters
     {
         public string RefreshToken { get; set; }
 
+        public bool SendX5C { get; set; }
+
         public void LogParameters(ICoreLogger logger)
         {
         }

tests/Microsoft.Identity.Test.Unit.net45/PublicApiTests/ClientCredentialWithCertTest.cs

@@ -189,6 +189,84 @@ public async Task JsonWebTokenWithX509PublicCertSendCertificateOnBehalfOfTestAsy
             }
         }
 
+        [TestMethod]
+        [Description("Test for client assertion with X509 public certificate using Auth code")]
+        public async Task JsonWebTokenWithX509PublicCertSendCertificateByAuthCodeTestAsync()
+        {
+            using (var harness = CreateTestHarness())
+            {
+                SetupMocks(harness.HttpManager);
+
+                var certificate = new X509Certificate2(
+                    ResourceHelper.GetTestResourceRelativePath("valid_cert.pfx"),
+                    TestConstants.DefaultPassword);
+
+                var app = ConfidentialClientApplicationBuilder
+                    .Create(TestConstants.ClientId)
+                    .WithAuthority(new System.Uri(ClientApplicationBase.DefaultAuthority), true)
+                    .WithRedirectUri(TestConstants.RedirectUri)
+                    .WithHttpManager(harness.HttpManager)
+                    .WithCertificate(certificate)
+                    .BuildConcrete();
+
+                var appCacheAccess = app.AppTokenCache.RecordAccess();
+                var userCacheAccess = app.UserTokenCache.RecordAccess();
+
+                var userAssertion = new UserAssertion(TestConstants.DefaultAccessToken);
+
+                //Check for x5c claim
+                harness.HttpManager.AddMockHandler(CreateTokenResponseHttpHandlerWithX5CValidation(false));
+                AuthenticationResult result = await app
+                    .AcquireTokenByAuthorizationCode(TestConstants.s_scope, TestConstants.DefaultAuthorizationCode)
+                    .WithSendX5C(true)
+                    .ExecuteAsync(CancellationToken.None)
+                    .ConfigureAwait(false);
+                Assert.IsNotNull(result.AccessToken);
+
+                appCacheAccess.AssertAccessCounts(0, 0);
+                userCacheAccess.AssertAccessCounts(0, 1);
+            }
+        }
+
+        [TestMethod]
+        [Description("Test for client assertion with X509 public certificate using acquire token by refresh token")]
+        public async Task JsonWebTokenWithX509PublicCertSendCertificateByRefreshTokenTestAsync()
+        {
+            using (var harness = CreateTestHarness())
+            {
+                SetupMocks(harness.HttpManager);
+
+                var certificate = new X509Certificate2(
+                    ResourceHelper.GetTestResourceRelativePath("valid_cert.pfx"),
+                    TestConstants.DefaultPassword);
+
+                var app = ConfidentialClientApplicationBuilder
+                    .Create(TestConstants.ClientId)
+                    .WithAuthority(new System.Uri(ClientApplicationBase.DefaultAuthority), true)
+                    .WithRedirectUri(TestConstants.RedirectUri)
+                    .WithHttpManager(harness.HttpManager)
+                    .WithCertificate(certificate)
+                    .BuildConcrete();
+
+                var appCacheAccess = app.AppTokenCache.RecordAccess();
+                var userCacheAccess = app.UserTokenCache.RecordAccess();
+
+                var userAssertion = new UserAssertion(TestConstants.DefaultAccessToken);
+
+                //Check for x5c claim
+                harness.HttpManager.AddMockHandler(CreateTokenResponseHttpHandlerWithX5CValidation(false));
+                AuthenticationResult result = await ((IByRefreshToken)app)
+                    .AcquireTokenByRefreshToken(TestConstants.s_scope, TestConstants.DefaultAuthorizationCode)
+                    .WithSendX5C(true)
+                    .ExecuteAsync(CancellationToken.None)
+                    .ConfigureAwait(false);
+                Assert.IsNotNull(result.AccessToken);
+
+                appCacheAccess.AssertAccessCounts(0, 0);
+                userCacheAccess.AssertAccessCounts(0, 1);
+            }
+        }
+
         [TestMethod]
         [Description("Test for acqureTokenSilent with X509 public certificate using sendCertificate")]
         public async Task JsonWebTokenWithX509PublicCertSendCertificateSilentTestAsync()