Class PoPAuthenticationConfiguration
Details about the HTTP request and configuration properties used to construct a proof of possession request.
public class PoPAuthenticationConfiguration
Inheritance: PoPAuthenticationConfiguration
Remarks
PoP tokens are signed by the process making the request. By default, MSAL generates the signing key in memory. To use a hardware-backed or otherwise external key, implement IPoPCryptoProvider and assign it to PopCryptoProvider.
Constructors
PoPAuthenticationConfiguration()
Creates a configuration that uses the default key management: an RSA key is created in memory and rotated every 8 hours. Set HttpMethod, HttpHost and HttpPath to control which elements of the request are bound into the PoP token.
public PoPAuthenticationConfiguration()
Remarks
See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-signed-http-request-03#page-3 for details about signed HTTP requests.
PoPAuthenticationConfiguration(HttpRequestMessage)
Creates a configuration using the default key management, and which binds all the details of the HttpRequestMessage.
public PoPAuthenticationConfiguration(HttpRequestMessage httpRequestMessage)
Parameters
httpRequestMessage: HttpRequestMessage
Remarks
Currently only the HttpMethod (m), UrlHost (u) and UrlPath (p) are used to create the signed HTTP request - see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-signed-http-request-03#page-3
PoPAuthenticationConfiguration(Uri)
Creates a configuration using the default key management, and which binds only the Uri part of the HTTP request.
public PoPAuthenticationConfiguration(Uri requestUri)
Parameters
requestUri: Uri
Remarks
The UrlHost (u) and UrlPath (p) are used to create the signed HTTP request - see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-signed-http-request-03#page-3
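The three constructors above differ only in how much of the request is bound into the token. The following added example (not code from the MSAL.NET library or its documentation) shows both routes: binding a concrete HttpRequestMessage, and populating HttpMethod, HttpHost and HttpPath by hand with the default constructor, then sending the resulting PoP token with the request. It assumes an IConfidentialClientApplication built elsewhere, the MSAL.NET WithProofOfPossession builder extension, and a hypothetical API URL; the nonce is only set when the caller already holds one.

```csharp
// Added example; not part of MSAL.NET. Assumes the WithProofOfPossession
// builder extension and a hypothetical downstream API (api.contoso.example).
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.AppConfig;

public static class PopRequestSample
{
    // Route 1: bind the exact request that will be sent. Only the method (m),
    // host (u) and path (p) are taken from it, so query strings, headers and
    // body are not part of the signed HTTP request.
    public static PoPAuthenticationConfiguration ConfigureFor(
        HttpRequestMessage request, string nonce = null)
    {
        var popConfig = new PoPAuthenticationConfiguration(request);
        // Nonce is optional; set it only if the resource advertised one.
        if (!string.IsNullOrEmpty(nonce))
        {
            popConfig.Nonce = nonce;
        }
        return popConfig;
    }

    // Route 2: default constructor plus explicit properties. HttpHost may carry
    // a port in host:port form; leaving HttpMethod null leaves the token
    // unbound to any method.
    public static PoPAuthenticationConfiguration ConfigureManually()
    {
        return new PoPAuthenticationConfiguration
        {
            HttpMethod = HttpMethod.Post,
            HttpHost = "api.contoso.example:8443",   // hypothetical host:port
            HttpPath = "/items",
        };
    }

    // Acquires a PoP token bound to the request and sends it.
    public static async Task<HttpResponseMessage> CallProtectedApiAsync(
        IConfidentialClientApplication app, HttpClient httpClient, string[] scopes)
    {
        var request = new HttpRequestMessage(
            HttpMethod.Get, new Uri("https://api.contoso.example/items"));
        PoPAuthenticationConfiguration popConfig = ConfigureFor(request);

        AuthenticationResult result = await app.AcquireTokenForClient(scopes)
            .WithProofOfPossession(popConfig)   // assumed MSAL.NET builder extension
            .ExecuteAsync();

        // Use the token type MSAL reports (a PoP scheme, not "Bearer") so the
        // resource validates the signed HTTP request instead of treating it as
        // a plain bearer token.
        request.Headers.Authorization =
            new AuthenticationHeaderValue(result.TokenType, result.AccessToken);
        return await httpClient.SendAsync(request);
    }
}
```

Because the default key lives only in this process's memory, the token returned here is useless to anyone who captures it from the wire without also controlling the key; that is the property the host and path binding is meant to preserve, so bind the request you will actually send rather than a generic one. In MSAL.NET versions where PoP is still marked experimental, the application builder must opt in with WithExperimentalFeatures() before WithProofOfPossession is accepted.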
Properties
HttpHost
The URL host of the protected API. The "u" part of a signed HTTP request. This MAY include the port separated from the host by a colon in host:port format. Optional.
public string HttpHost { get; set; }
HttpMethod
The HTTP method ("GET", "POST" etc.) that will be bound to the token. Leave null and the PoP token will not be bound to the method. Corresponds to the "m" part of a signed HTTP request. Optional.
public HttpMethod HttpMethod { get; set; }
HttpPath
The URL path of the protected API. Corresponds to the "p" part of the signed HTTP request.
public string HttpPath { get; set; }
Nonce
If the protected resource (RP) requires a specific nonce, it publishes it in the WWW-Authenticate header of a 401 HTTP response or in the AuthorityInfo header of a 200 response. Set it here to include it in the signed HTTP request part of the PoP token.
public string Nonce { get; set; }
PopCryptoProvider
An extensibility point that allows developers to define their own key management. Leave null and MSAL will use a default implementation, which generates an RSA key pair in memory and refreshes it every 8 hours. Important: to change the key (for example, to rotate it), create a new instance of this object, because MSAL.NET keeps a thumbprint of keys in memory.
public IPoPCryptoProvider PopCryptoProvider { get; set; }
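To illustrate the extensibility point, here is an added example of an IPoPCryptoProvider backed by an RSA key the application controls (for instance one obtained from a certificate's private key in a store or an HSM-backed CNG key); it is not MSAL.NET's own code. It assumes the interface exposes a CannonicalPublicKeyJwk property, a CryptographicAlgorithm property and the Sign(byte[]) method named on this page; check those member names against the MSAL.NET version you build against. The factory at the end follows the rotation rule above: a new key means a new PoPAuthenticationConfiguration instance.

```csharp
// Added example; not part of MSAL.NET. Member names of IPoPCryptoProvider
// (CannonicalPublicKeyJwk, CryptographicAlgorithm, Sign) are assumptions to
// verify against the installed package.
using System;
using System.Security.Cryptography;
using System.Text.Json;
using Microsoft.Identity.Client.AppConfig;

public sealed class RsaPopCryptoProvider : IPoPCryptoProvider, IDisposable
{
    private readonly RSA _rsa;

    public RsaPopCryptoProvider(RSA rsa)
    {
        _rsa = rsa ?? throw new ArgumentNullException(nameof(rsa));

        // Export the public half only; the private key never leaves the RSA
        // object (or the hardware behind it). MSAL uses this JWK for the key
        // binding and computes a thumbprint from it, so the members are emitted
        // in the RFC 7638 canonical order: e, kty, n.
        RSAParameters pub = _rsa.ExportParameters(includePrivateParameters: false);
        CannonicalPublicKeyJwk = JsonSerializer.Serialize(new
        {
            e = Base64UrlEncode(pub.Exponent),
            kty = "RSA",
            n = Base64UrlEncode(pub.Modulus),
        });
    }

    // Canonical JWK of the public key, as a JSON string.
    public string CannonicalPublicKeyJwk { get; }

    // JWS algorithm identifier matching the signature produced by Sign().
    public string CryptographicAlgorithm => "RS256";

    // Called by MSAL over the signed HTTP request envelope. Only needed when
    // SignHttpRequest is true; with it false MSAL never calls this method.
    public byte[] Sign(byte[] data) =>
        _rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    public void Dispose() => _rsa.Dispose();

    // JWK members use base64url without padding (RFC 7515 section 2).
    private static string Base64UrlEncode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}

public static class PopKeyRotation
{
    // Rotation: MSAL caches key thumbprints, so a fresh key is paired with a
    // fresh configuration instead of swapping the provider on an old one.
    public static PoPAuthenticationConfiguration NewConfigurationFor(RSA key, Uri requestUri)
    {
        return new PoPAuthenticationConfiguration(requestUri)
        {
            PopCryptoProvider = new RsaPopCryptoProvider(key),
        };
    }
}
```

Supplying the key as an RSA object rather than raw parameters keeps the provider usable with non-exportable keys: an RSA instance from X509Certificate2.GetRSAPrivateKey() on a hardware-backed certificate will sign without ever exposing the private material, which is the whole point of moving off the in-memory default.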
SignHttpRequest
Set this property to false to have MSAL skip creating the SignedHttpRequest envelope. The app can then create and sign the envelope itself later, for example with a package such as Microsoft.IdentityModel.Protocols.SignedHttpRequest.
public bool SignHttpRequest { get; set; }
Remarks
If set to false, you do not need to implement the Sign(byte[]) method when using custom keys.