BearerTokenAuthenticationPolicy handles CAE challenges (#46277)

Author: christothes

sdk/core/Azure.Core/CHANGELOG.md

@@ -7,6 +7,7 @@
 - `TokenRequestContext` added the `IsProofOfPossessionEnabled`, `ResourceRequestMethod`, and `ResourceRequestUri` properties to support Proof of Possession tokens ([45134](https://github.com/Azure/azure-sdk-for-net/pull/45134)).
 - `AccessToken` added the `TokenType` property to support distinguishing Bearer tokens from Proof of Possession (PoP) tokens ([45134](https://github.com/Azure/azure-sdk-for-net/pull/45134)).
 - Moved implementation of `Azure.AzureKeyCredential` into `System.ClientModel.ApiKeyCredential` and made `ApiKeyCredential` the base type for `AzureKeyCredential` ([#46128](https://github.com/Azure/azure-sdk-for-net/pull/46128)).
+- `BearerTokenAuthenticationPolicy` now will attempt to handle Continuous Access Evaluation (CAE) challenges, if present, by default ([#46277](https://github.com/Azure/azure-sdk-for-net/pull/46277)).
 
 ### Breaking Changes
 

sdk/core/Azure.Core/src/Diagnostics/AzureCoreEventSource.cs

@@ -35,6 +35,7 @@ internal sealed class AzureCoreEventSource : AzureEventSource
  private const int RequestRedirectBlockedEvent = 21;
  private const int RequestRedirectCountExceededEvent = 22;
  private const int PipelineTransportOptionsNotAppliedEvent = 23;
+ private const int FailedToDecodeCaeChallengeClaimsEvent = 24;
 
  private AzureCoreEventSource() : base(EventSourceName) { }
 
@@ -317,5 +318,20 @@ private static string FormatHeaders(IEnumerable<HttpHeader> headers, HttpMessage
  }
  return stringBuilder.ToString();
  }
+
+ [NonEvent]
+ public void FailedToDecodeCaeChallengeClaims(string? encodedClaims, Exception exception)
+ {
+ if (IsEnabled(EventLevel.Error, EventKeywords.None))
+ {
+ FailedToDecodeCaeChallengeClaims(encodedClaims, exception.ToString());
+ }
+ }
+
+ [Event(FailedToDecodeCaeChallengeClaimsEvent, Level = EventLevel.Error, Message = "BearerTokenAuthenticationPolicy Failed to decode CAE claims: '{0}'. Exception: {1}")]
+ public void FailedToDecodeCaeChallengeClaims(string? encodedClaims, string exception)
+ {
+ WriteEvent(FailedToDecodeCaeChallengeClaimsEvent, encodedClaims, exception);
+ }
  }
 }

sdk/core/Azure.Core/src/Pipeline/BearerTokenAuthenticationPolicy.cs

@@ -5,6 +5,7 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Net;
+using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
 using Azure.Core.Diagnostics;
@@ -71,7 +72,7 @@ public override void Process(HttpMessage message, ReadOnlyMemory<HttpPipelinePol
  /// <returns>The <see cref="ValueTask"/> representing the asynchronous operation.</returns>
  protected virtual ValueTask AuthorizeRequestAsync(HttpMessage message)
  {
- var context = new TokenRequestContext(_scopes, message.Request.ClientRequestId);
+ var context = new TokenRequestContext(_scopes, message.Request.ClientRequestId, isCaeEnabled: true);
  return AuthenticateAndAuthorizeRequestAsync(message, context);
  }
 
@@ -84,32 +85,74 @@ protected virtual ValueTask AuthorizeRequestAsync(HttpMessage message)
  /// <param name="message">The <see cref="HttpMessage"/> this policy would be applied to.</param>
  protected virtual void AuthorizeRequest(HttpMessage message)
  {
- var context = new TokenRequestContext(_scopes, message.Request.ClientRequestId);
+ var context = new TokenRequestContext(_scopes, message.Request.ClientRequestId, isCaeEnabled: true);
  AuthenticateAndAuthorizeRequest(message, context);
  }
 
  /// <summary>
  /// Executed in the event a 401 response with a WWW-Authenticate authentication challenge header is received after the initial request.
+ /// The default implementation will attempt to handle Continuous Access Evaluation (CAE) claims challenges.
  /// </summary>
  /// <remarks>Service client libraries may override this to handle service specific authentication challenges.</remarks>
  /// <param name="message">The <see cref="HttpMessage"/> to be authenticated.</param>
  /// <returns>A boolean indicating whether the request was successfully authenticated and should be sent to the transport.</returns>
- protected virtual ValueTask<bool> AuthorizeRequestOnChallengeAsync(HttpMessage message)
+ protected virtual async ValueTask<bool> AuthorizeRequestOnChallengeAsync(HttpMessage message)
  {
+ if (AuthorizationChallengeParser.IsCaeClaimsChallenge(message.Response) &&
+ TryGetTokenRequestContextForCaeChallenge(message, out var tokenRequestContext))
+ {
+ await AuthenticateAndAuthorizeRequestAsync(message, tokenRequestContext).ConfigureAwait(false);
+ return true;
+ }
+
  return default;
  }
 
  /// <summary>
  /// Executed in the event a 401 response with a WWW-Authenticate authentication challenge header is received after the initial request.
+ /// The default implementation will attempt to handle Continuous Access Evaluation (CAE) claims challenges.
  /// </summary>
  /// <remarks>Service client libraries may override this to handle service specific authentication challenges.</remarks>
  /// <param name="message">The <see cref="HttpMessage"/> to be authenticated.</param>
  /// <returns>A boolean indicating whether the request was successfully authenticated and should be sent to the transport.</returns>
  protected virtual bool AuthorizeRequestOnChallenge(HttpMessage message)
  {
+ if (AuthorizationChallengeParser.IsCaeClaimsChallenge(message.Response) &&
+ TryGetTokenRequestContextForCaeChallenge(message, out var tokenRequestContext))
+ {
+ AuthenticateAndAuthorizeRequest(message, tokenRequestContext);
+ return true;
+ }
  return false;
  }
 
+ internal bool TryGetTokenRequestContextForCaeChallenge(HttpMessage message, out TokenRequestContext tokenRequestContext)
+ {
+ string? decodedClaims = null;
+ string? encodedClaims = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "claims");
+ try
+ {
+ decodedClaims = encodedClaims switch
+ {
+ null => null,
+ { Length: 0 } => null,
+ string enc => Encoding.UTF8.GetString(Convert.FromBase64String(enc))
+ };
+ }
+ catch (FormatException ex)
+ {
+ AzureCoreEventSource.Singleton.FailedToDecodeCaeChallengeClaims(encodedClaims, ex.ToString());
+ }
+ if (decodedClaims == null)
+ {
+ tokenRequestContext = default;
+ return false;
+ }
+
+ tokenRequestContext = new TokenRequestContext(_scopes, message.Request.ClientRequestId, decodedClaims, isCaeEnabled: true);
+ return true;
+ }
+
  private async ValueTask ProcessAsync(HttpMessage message, ReadOnlyMemory<HttpPipelinePolicy> pipeline, bool async)
  {
  if (message.Request.Uri.Scheme != Uri.UriSchemeHttps)
@@ -385,7 +428,7 @@ public TokenRequestState(TokenRequestContext currentContext, TaskCompletionSourc
 
  public bool IsCurrentContextMismatched(TokenRequestContext context) =>
  (context.Scopes != null && !context.Scopes.AsSpan().SequenceEqual(CurrentContext.Scopes.AsSpan())) ||
- (context.Claims != null && !string.Equals(context.Claims, CurrentContext.Claims)) ||
+ !string.Equals(context.Claims, CurrentContext.Claims) ||
  (context.TenantId != null && !string.Equals(context.TenantId, CurrentContext.TenantId));
 
  public bool IsBackgroundTokenAvailable(DateTimeOffset now) =>

sdk/core/Azure.Core/src/Shared/AuthorizationChallengeParser.cs

@@ -13,6 +13,16 @@ namespace Azure.Core
  /// </summary>
  internal static class AuthorizationChallengeParser
  {
+ /// <summary>
+ /// Determines if the specified <see cref="HttpMessage"/> is a CAE claims challenge.
+ /// </summary>
+ /// <param name="response">The response containing a WWW-Authenticate header.</param>
+ /// <returns>True</returns>
+ public static bool IsCaeClaimsChallenge(Response response){
+ string? error = GetChallengeParameterFromResponse(response, "Bearer", "error");
+ return error == "insufficient_claims";
+ }
+
  /// <summary>
  /// Parses the specified parameter from a challenge hearder found in the specified <see cref="Response"/>.
  /// </summary>

sdk/core/Azure.Core/tests/BearerTokenAuthenticationPolicyTests.cs

@@ -940,6 +940,68 @@ public async Task TokenCacheCurrentTcsIsCancelledAndBackgroundTcsInitialized()
  await cache.GetAuthHeaderValueAsync(msg, ctx, IsAsync);
  }
 
+ [Test]
+ [TestCaseSource(nameof(CaeTestDetails))]
+ public async Task BearerTokenAuthenticationPolicy_CAE_TokenRevocation(string description, string challenge, int expectedResponseCode, string expectedClaims, string encodedClaims)
+ {
+ string claims = null;
+ int callCount = 0;
+
+ var transport = CreateMockTransport(req =>
+ {
+ if (callCount <= 1)
+ {
+ return challenge == null ? new(200) : new MockResponse(401).WithHeader("WWW-Authenticate", challenge);
+ }
+ else
+ {
+ return new(200);
+ }
+ });
+
+ var credential = new TokenCredentialStub((r, c) =>
+ {
+ claims = r.Claims;
+ Interlocked.Increment(ref callCount);
+ Assert.AreEqual(true, r.IsCaeEnabled);
+
+ return new(callCount.ToString(), DateTimeOffset.Now.AddHours(2));
+ }, IsAsync);
+ var policy = new BearerTokenAuthenticationPolicy(credential, "scope");
+
+ using AzureEventSourceListener listener = new((args, text) =>
+ {
+ TestContext.WriteLine(text);
+ if (args.EventName == "FailedToDecodeCaeChallengeClaims")
+ {
+ Assert.That(text, Does.Contain($"'{encodedClaims}'"));
+ }
+ }, System.Diagnostics.Tracing.EventLevel.Error);
+
+ var response = await SendGetRequest(transport, policy, uri: new("https://example.com/1/Original"));
+ Assert.AreEqual(expectedClaims, claims);
+ Assert.AreEqual(expectedResponseCode, response.Status);
+
+ var response2 = await SendGetRequest(transport, policy, uri: new("https://example.com/1/Original"));
+ if (expectedClaims != null)
+ {
+ Assert.IsNull(claims);
+ }
+ }
+
+ private static IEnumerable<object[]> CaeTestDetails()
+ {
+ yield return new object[] { "no challenge", null, 200, null, null };
+ yield return new object[] { "unexpected error value", """Bearer authorization_uri="https://login.windows.net/", error="invalid_token", claims="ey==" """, 401, null, "ey==" };
+ yield return new object[] { "unexpected error value", """Bearer authorization_uri="https://login.windows.net/", error="invalid_token", claims="ey==" """, 401, null, "ey==" };
+ yield return new object[] { "parsing error", """Bearer claims="not base64", error="insufficient_claims" """, 401, null, "not base64" };
+ yield return new object[] { "no padding", """Bearer error="insufficient_claims", authorization_uri="http://localhost", claims="ey" """, 401, null, "ey" };
+ yield return new object[] { "more parameters, different order", """Bearer realm="", authorization_uri="http://localhost", client_id="00000003-0000-0000-c000-000000000000", error="insufficient_claims", claims="ey==" """, 200, "{", "ey==" };
+ yield return new object[] { "more parameters, different order", """Bearer realm="", authorization_uri="http://localhost", client_id="00000003-0000-0000-c000-000000000000", error="insufficient_claims", claims="ey==" """, 200, "{", "ey==" };
+ yield return new object[] { "standard", """Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", error="insufficient_claims", claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzI2MDc3NTk1In0sInhtc19jYWVlcnJvciI6eyJ2YWx1ZSI6IjEwMDEyIn19fQ==" """, 200, """{"access_token":{"nbf":{"essential":true,"value":"1726077595"},"xms_caeerror":{"value":"10012"}}}""", "eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzI2MDc3NTk1In0sInhtc19jYWVlcnJvciI6eyJ2YWx1ZSI6IjEwMDEyIn19fQ==" };
+ yield return new object[] { "multiple challenges", """PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", nonce="ey==", Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", error_description="Continuous access evaluation resulted in challenge with result: InteractionRequired and code: TokenIssuedBeforeRevocationTimestamp", error="insufficient_claims", claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwgInZhbHVlIjoiMTcyNjI1ODEyMiJ9fX0=" """, 200, """{"access_token":{"nbf":{"essential":true, "value":"1726258122"}}}""", "eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwgInZhbHVlIjoiMTcyNjI1ODEyMiJ9fX0=" };
+ }
+
  private class ChallengeBasedAuthenticationTestPolicy : BearerTokenAuthenticationPolicy
  {
  public string TenantId { get; private set; }