From dd337e23fccf2d16925bce8a1a4bc72ae943a564 Mon Sep 17 00:00:00 2001 From: Travis Walker Date: Tue, 6 Aug 2024 06:53:20 -0700 Subject: [PATCH] Fix Pre-release Regression: Correct JSON Web Key (JWK) Encoding for RSA Public Key Export (#4878) * Revert JWK format * Update src/client/Microsoft.Identity.Client/AuthScheme/PoP/InMemoryCryptoProvider.cs Co-authored-by: Gladwin Johnson <90415114+gladjohn@users.noreply.github.com> * Adding JWK test disabling failing test --------- Co-authored-by: trwalke Co-authored-by: Gladwin Johnson <90415114+gladjohn@users.noreply.github.com> --- .../AuthScheme/PoP/InMemoryCryptoProvider.cs | 5 ++--- .../pop/PoPTests.cs | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/src/client/Microsoft.Identity.Client/AuthScheme/PoP/InMemoryCryptoProvider.cs b/src/client/Microsoft.Identity.Client/AuthScheme/PoP/InMemoryCryptoProvider.cs index 457b86929e..175015dfb4 100644 --- a/src/client/Microsoft.Identity.Client/AuthScheme/PoP/InMemoryCryptoProvider.cs +++ b/src/client/Microsoft.Identity.Client/AuthScheme/PoP/InMemoryCryptoProvider.cs @@ -56,9 +56,8 @@ public byte[] Sign(byte[] payload) /// private static string ComputeCanonicalJwk(RSAParameters rsaPublicKey) { - return $@"{{""{JsonWebKeyParameterNames.E}"":""{Base64UrlHelpers.Encode(rsaPublicKey.Exponent)}"", - ""{JsonWebKeyParameterNames.Kty}"":""{JsonWebAlgorithmsKeyTypes.RSA}"", - ""{JsonWebKeyParameterNames.N}"":""{Base64UrlHelpers.Encode(rsaPublicKey.Modulus)}""}}"; + //Important: This format cannot be modified as it needs to be the same as what is used in the service when calculating hashes. + return $@"{{""{JsonWebKeyParameterNames.E}"":""{Base64UrlHelpers.Encode(rsaPublicKey.Exponent)}"",""{JsonWebKeyParameterNames.Kty}"":""{JsonWebAlgorithmsKeyTypes.RSA}"",""{JsonWebKeyParameterNames.N}"":""{Base64UrlHelpers.Encode(rsaPublicKey.Modulus)}""}}"; } /// 
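Review bot: The comment added above the `return` in ComputeCanonicalJwk says the format cannot be modified but not why, so a later reader cannot tell that this string is a hash input rather than ordinary JSON that a serializer could emit just as well; the method's `<summary>` starts outside the hunk, so the reason belongs either there or in the comment itself, e.g. `// RFC 7638 thumbprint input: members e, kty, n in lexicographic order with no whitespace; the service hashes this exact string, so any formatting or serializer change breaks PoP key binding.` The removed lines show the regression was whitespace that crept into the verbatim string, and a hand-built JSON literal stays one careless edit away from repeating it; if the project already has a non-indenting JSON writer in scope, emitting the three members through it would make the intended shape explicit, though with a strict-bytes requirement that is a judgement call. One caveat worth confirming: RFC 7638 expects `n` and `e` as unsigned big-endian octets without leading zeros, and whether every `RSAParameters` source in use guarantees that is not visible here.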
diff --git a/tests/Microsoft.Identity.Test.Unit/pop/PoPTests.cs b/tests/Microsoft.Identity.Test.Unit/pop/PoPTests.cs index 42a22aa975..075f6c1f4d 100644 --- a/tests/Microsoft.Identity.Test.Unit/pop/PoPTests.cs +++ b/tests/Microsoft.Identity.Test.Unit/pop/PoPTests.cs @@ -31,6 +31,8 @@ using Microsoft.VisualStudio.TestTools.UnitTesting; using Newtonsoft.Json.Linq; using NSubstitute; +using JsonWebAlgorithmsKeyTypes = Microsoft.Identity.Client.AuthScheme.PoP.JsonWebAlgorithmsKeyTypes; +using JsonWebKeyParameterNames = Microsoft.Identity.Client.AuthScheme.PoP.JsonWebKeyParameterNames; namespace Microsoft.Identity.Test.Unit.Pop { @@ -678,5 +680,21 @@ public async Task TokenGenerationAndValidation_Async() AssertSingedHttpRequestClaims(provider, claims); } } + + [TestMethod] + public void ValidateCanonicalJwkFormat() + { + // Arrange + var provider = PoPProviderFactory.GetOrCreateProvider(); + var actualCanonicaljwk = provider.CannonicalPublicKeyJwk; + + // Act and Assert + + // Parse the JWK to get the RSA parameters so that we can create a new canonical JWK in expected format + var jsonWebKey = JsonWebKey.Create(actualCanonicaljwk); + var expectedCanonicalJwk = $@"{{""{JsonWebKeyParameterNames.E}"":""{jsonWebKey.E}"",""{JsonWebKeyParameterNames.Kty}"":""{JsonWebAlgorithmsKeyTypes.RSA}"",""{JsonWebKeyParameterNames.N}"":""{jsonWebKey.N}""}}"; + + Assert.AreEqual(expectedCanonicalJwk, actualCanonicaljwk); + } } }
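Review bot: The expected value in ValidateCanonicalJwkFormat is rebuilt from the provider's own output (`JsonWebKey.Create(actualCanonicaljwk)` followed by the same interpolation the implementation uses), so the assertion is largely self-referential: it catches the whitespace regression this commit reverts, but swapped or mis-encoded `e`/`n` values, or a member reordering applied consistently in both places, would still pass. Implementation-independent checks on the actual string would tighten it, e.g. `Assert.IsFalse(actualCanonicaljwk.Any(char.IsWhiteSpace));` plus an ordinal `IndexOf` check that the `E` member precedes `Kty` and `Kty` precedes `N`, which is the order the RFC 7638 thumbprint relies on. As a point of style, `// Act and Assert` is followed by two blank lines before anything acts, and `actualCanonicaljwk` next to `expectedCanonicalJwk` is an odd casing mismatch. The enclosing test class and namespace begin outside this hunk.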