Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add descriptive x5c comment to WithCertificate #3075

Merged
merged 3 commits into from
Jan 5, 2022
Merged

Add descriptive x5c comment to WithCertificate #3075

merged 3 commits into from
Jan 5, 2022

Conversation

pmaytak
Copy link
Contributor

@pmaytak pmaytak commented Dec 16, 2021
edited
Loading

Fixes #

Changes proposed in this request
Update X5C related comments in WithSendX5C and WithCertificate.

Testing

Performance impact

bgavrilMS
bgavrilMS reviewed Jan 4, 2022
View reviewed changes
src/client/Microsoft.Identity.Client/AppConfig/ConfidentialClientApplicationBuilder.cs Outdated
@@ -94,9 +94,15 @@ public ConfidentialClientApplicationBuilder WithCertificate(X509Certificate2 cer

/// <summary>
/// Sets the certificate associated with the application.
/// This method allows to specify if the x5c claim (public key of the certificate) should be sent to Azure AD.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. It's not the public key of the cert that's being sent, it's the certificate chain. Please reference https://datatracker.ietf.org/doc/html/rfc7517#section-4.7
  2. As far as I know, this is only available for 1st parties. This should be highlighted
  3. The URL is internal and we'll get flagged for posting internal stuff. Can you add or modify a page in our wiki instead where it just states "This is for 1st party Microsoft apps only. For details please see ..."

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. What's going to flag us? Even if it's aka.ms link, and not a direct link?
    So update aka.ms link to point to a new SNI wiki page which has a link to internal SNI doc?

Copy link
Member

@bgavrilMS bgavrilMS Jan 5, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

An aka.ms link is fine, but not if it points to an internal doc. All aka.ms link that go onto the public docs must point to public pages. We started getting docs bugs because of this.

You can also point to AzureAD/microsoft-authentication-library-for-python#60

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Created a wiki: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Subject-Name-and-Issuer-(SNI)-Authentication

@bgavrilMS
Copy link
Member

Approved with comments. Main thing is to highlight that X5C is for 1st party only (despite the misleading internal docs)

@pmaytak pmaytak merged commit c19f5ba into master Jan 5, 2022
@pmaytak pmaytak deleted the pmaytak/sendx5c-comments branch January 5, 2022 22:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bgavrilMS bgavrilMS bgavrilMS approved these changes

@SameerK-MSFT SameerK-MSFT SameerK-MSFT approved these changes

@trwalke trwalke Awaiting requested review from trwalke

@gladjohn gladjohn Awaiting requested review from gladjohn

@jmprieur jmprieur Awaiting requested review from jmprieur

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@pmaytak @bgavrilMS @SameerK-MSFT