Adding AT PoP skeleton (#2511)

* adding "-AT PoP" option to "Set-MgGraphOptions" ---------
microsoftgraph · Jul 10, 2024 · 28645f7 · 28645f7
1 parent b5143f8
commit 28645f7
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 5 deletions.
diff --git a/docs/authentication.md b/docs/authentication.md
@@ -116,6 +116,8 @@ Before using the provided `-AccessToken` to get Microsoft Graph resources, custo
 
 AT PoP is a security mechanism that binds an access token to a cryptographic key that only the intended recipient has. This prevents unauthorized use of the token by malicious actors. AT PoP enhances data protection, reduces token replay attacks, and enables fine-grained authorization policies.
 
+Note: AT PoP requires WAM to function.
+
 Microsoft Graph PowerShell module supports AT PoP in the following scenario:
 
 - To enable AT PoP on supported devices

diff --git a/src/Authentication/Authentication.Core/Microsoft.Graph.Authentication.Core.csproj b/src/Authentication/Authentication.Core/Microsoft.Graph.Authentication.Core.csproj
@@ -4,7 +4,7 @@
     <LangVersion>9.0</LangVersion>
     <TargetFrameworks>netstandard2.0;net6.0;net472</TargetFrameworks>
     <RootNamespace>Microsoft.Graph.PowerShell.Authentication.Core</RootNamespace>
-    <Version>2.18.0</Version>
+    <Version>2.12.0</Version>
   </PropertyGroup>
   <PropertyGroup>
     <EnableNETAnalyzers>true</EnableNETAnalyzers>

diff --git a/src/Authentication/Authentication.Core/Utilities/AuthenticationHelpers.cs b/src/Authentication/Authentication.Core/Utilities/AuthenticationHelpers.cs
@@ -3,6 +3,7 @@
 // ------------------------------------------------------------------------------
 using Azure.Core;
 using Azure.Core.Diagnostics;
+using Azure.Core.Pipeline;
 using Azure.Identity;
 using Azure.Identity.Broker;
 using Microsoft.Graph.Authentication;
@@ -86,6 +87,12 @@ private static bool IsWamSupported()
             return GraphSession.Instance.GraphOption.EnableWAMForMSGraph && SharedUtilities.IsWindowsPlatform();
         }
 
+        //Check to see if ATPoP is Supported
+        private static bool IsATPoPSupported()
+        {
+            return GraphSession.Instance.GraphOption.EnableATPoPForMSGraph;
+        }
+
         private static async Task<TokenCredential> GetClientSecretCredentialAsync(IAuthContext authContext)
         {
             if (authContext is null)
@@ -125,11 +132,45 @@ private static async Task<InteractiveBrowserCredential> GetInteractiveBrowserCre
                 var interactiveBrowserCredential = new InteractiveBrowserCredential(interactiveOptions);
                 if (IsWamSupported())
                 {
-                    authRecord = await Task.Run(() =>
+                    // Adding a scenario to account for Access Token Proof of Possession
+                    if (IsATPoPSupported())
                     {
-                        // Run the thread in MTA.
-                        return interactiveBrowserCredential.Authenticate(new TokenRequestContext(authContext.Scopes), cancellationToken);
-                    });
+                        // Logic to implement ATPoP Authentication
+                        authRecord = await Task.Run(() =>
+                        {
+                            var popTokenAuthenticationPolicy = new PopTokenAuthenticationPolicy(interactiveBrowserCredential as ISupportsProofOfPossession, $"https://graph.microsoft.com/.default");
+
+                            var pipelineOptions = new HttpPipelineOptions(new PopClientOptions()
+                            {
+                                Diagnostics = 
+                                {
+                                    IsLoggingContentEnabled = true,
+                                    LoggedHeaderNames = { "Authorization" }
+                                },
+                            });
+                            pipelineOptions.PerRetryPolicies.Add(popTokenAuthenticationPolicy);
+
+                            var _pipeline = HttpPipelineBuilder.Build(pipelineOptions, new HttpPipelineTransportOptions { ServerCertificateCustomValidationCallback = (_) => true });
+                            using var request = _pipeline.CreateRequest();
+                            request.Method = RequestMethod.Get;
+                            request.Uri.Reset(new Uri("https://20.190.132.47/beta/me"));
+                            var response = _pipeline.SendRequest(request, cancellationToken);
+                            var message = new HttpMessage(request, new ResponseClassifier());
+
+                            // Manually invoke the authentication policy's process method
+                            popTokenAuthenticationPolicy.ProcessAsync(message, ReadOnlyMemory<HttpPipelinePolicy>.Empty);
+                            // Run the thread in MTA.
+                            return interactiveBrowserCredential.Authenticate(new TokenRequestContext(authContext.Scopes), cancellationToken);
+                        });
+                    }
+                    else
+                    {
+                        authRecord = await Task.Run(() =>
+                        {
+                            // Run the thread in MTA.
+                            return interactiveBrowserCredential.Authenticate(new TokenRequestContext(authContext.Scopes), cancellationToken);
+                        });
+                    }
                 }
                 else
                 {
@@ -447,4 +488,7 @@ public static Task DeleteAuthRecordAsync()
             return Task.CompletedTask;
         }
     }
+    internal class PopClientOptions : ClientOptions
+    {
+    }
 }