Fix Pre-release Regression: Correct JSON Web Key (JWK) Encoding for R…

…SA Public Key Export (#4878) * Revert JWK format * Update src/client/Microsoft.Identity.Client/AuthScheme/PoP/InMemoryCryptoProvider.cs Co-authored-by: Gladwin Johnson <[email protected]> * Adding JWK test disabling failing test --------- Co-authored-by: trwalke <[email protected]> Co-authored-by: Gladwin Johnson <[email protected]>
AzureAD · Aug 6, 2024 · dd337e2 · dd337e2
1 parent 83725aa
commit dd337e2
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 3 deletions.
diff --git a/src/client/Microsoft.Identity.Client/AuthScheme/PoP/InMemoryCryptoProvider.cs b/src/client/Microsoft.Identity.Client/AuthScheme/PoP/InMemoryCryptoProvider.cs
@@ -56,9 +56,8 @@ public byte[] Sign(byte[] payload)
         /// </summary>
         private static string ComputeCanonicalJwk(RSAParameters rsaPublicKey)
         {
-            return $@"{{""{JsonWebKeyParameterNames.E}"":""{Base64UrlHelpers.Encode(rsaPublicKey.Exponent)}"",
-               ""{JsonWebKeyParameterNames.Kty}"":""{JsonWebAlgorithmsKeyTypes.RSA}"",
-               ""{JsonWebKeyParameterNames.N}"":""{Base64UrlHelpers.Encode(rsaPublicKey.Modulus)}""}}";
+            //Important: This format cannot be modified as it needs to be the same as what is used in the service when calculating hashes.
+            return $@"{{""{JsonWebKeyParameterNames.E}"":""{Base64UrlHelpers.Encode(rsaPublicKey.Exponent)}"",""{JsonWebKeyParameterNames.Kty}"":""{JsonWebAlgorithmsKeyTypes.RSA}"",""{JsonWebKeyParameterNames.N}"":""{Base64UrlHelpers.Encode(rsaPublicKey.Modulus)}""}}";
         }
 
         /// <summary>

diff --git a/tests/Microsoft.Identity.Test.Unit/pop/PoPTests.cs b/tests/Microsoft.Identity.Test.Unit/pop/PoPTests.cs
@@ -31,6 +31,8 @@
 using Microsoft.VisualStudio.TestTools.UnitTesting;
 using Newtonsoft.Json.Linq;
 using NSubstitute;
+using JsonWebAlgorithmsKeyTypes = Microsoft.Identity.Client.AuthScheme.PoP.JsonWebAlgorithmsKeyTypes;
+using JsonWebKeyParameterNames = Microsoft.Identity.Client.AuthScheme.PoP.JsonWebKeyParameterNames;
 
 namespace Microsoft.Identity.Test.Unit.Pop
 {
@@ -678,5 +680,21 @@ public async Task TokenGenerationAndValidation_Async()
                 AssertSingedHttpRequestClaims(provider, claims);
             }
         }
+
+        [TestMethod]
+        public void ValidateCanonicalJwkFormat()
+        {
+            // Arrange
+            var provider = PoPProviderFactory.GetOrCreateProvider();
+            var actualCanonicaljwk = provider.CannonicalPublicKeyJwk;
+
+            // Act and Assert
+
+            // Parse the JWK to get the RSA parameters so that we can create a new canonical JWK in expected format
+            var jsonWebKey = JsonWebKey.Create(actualCanonicaljwk);
+            var expectedCanonicalJwk = $@"{{""{JsonWebKeyParameterNames.E}"":""{jsonWebKey.E}"",""{JsonWebKeyParameterNames.Kty}"":""{JsonWebAlgorithmsKeyTypes.RSA}"",""{JsonWebKeyParameterNames.N}"":""{jsonWebKey.N}""}}";
+
+            Assert.AreEqual(expectedCanonicalJwk, actualCanonicaljwk);
+        }
     }
 }