Azure · JonathanCrd · Oct 11, 2024 · Sep 17, 2024 · Sep 17, 2024 · Sep 17, 2024
@@ -6,6 +6,7 @@
 
 - Added support for service API version `7.6-preview.1`.
 - Added new methods `StartPreRestoreAsync`, `StartPreRestore`, `StartPreBackupAsync`, and `StartPreBackupAsync` to the `KeyVaultBackupClient`.
+- Support for Continuous Access Evaluation (CAE).
 
 ### Breaking Changes
 

@@ -3,6 +3,7 @@
 ## 4.7.0-beta.1 (Unreleased)
 
 ### Features Added
+- Support for Continuous Access Evaluation (CAE).
 
 ### Breaking Changes
 

@@ -3,6 +3,7 @@
 ## 4.7.0-beta.1 (Unreleased)
 
 ### Features Added
+- Support for Continuous Access Evaluation (CAE).
 
 ### Breaking Changes
 

@@ -3,6 +3,7 @@
 ## 4.7.0-beta.1 (Unreleased)
 
 ### Features Added
+- Support for Continuous Access Evaluation (CAE).
 
 ### Breaking Changes
 

@@ -199,6 +199,150 @@ public async Task ReauthenticatesWhenTenantChanged()
             Assert.AreEqual("secret-value", response.Value.Value);
         }
 
+        [Test]
+        public void GetClaimsFromChallengeHeaders()
+        {
+            MockResponse response401WithClaims = new MockResponse(401)
+                .WithHeader("WWW-Authenticate", @"Bearer realm="""", authorization_uri=""https://login.microsoftonline.com/common/oauth2/authorize"", error=""insufficient_claims"", claims=""eyJhY2Nlc3NfdG9rZW4iOnsiYWNycyI6eyJlc3NlbnRpYWwiOnRydWUsInZhbHVlIjoiY3AxIn19fQ==""");
+            Assert.AreEqual(ChallengeBasedAuthenticationPolicy.getDecodedClaimsParameter("insufficient_claims", response401WithClaims), @"{""access_token"":{""acrs"":{""essential"":true,""value"":""cp1""}}}");
+
+            MockResponse response401 = new MockResponse(401)
+                    .WithHeader("WWW-Authenticate", @"Bearer authorization=""https://login.windows.net/de763a21-49f7-4b08-a8e1-52c8fbc103b4"", resource=""https://vault.azure.net""");
+            Assert.IsNull(ChallengeBasedAuthenticationPolicy.getDecodedClaimsParameter(null, response401));
+        }
+
+        [Test]
+        public void HandlesCaeChallenges(){
+            MockTransport keyVaultTransport = new(new[]
+            {
+                // Initial scope challlenge
+                new MockResponse(401)
+                    .WithHeader("WWW-Authenticate", @"Bearer authorization=""https://login.windows.net/de763a21-49f7-4b08-a8e1-52c8fbc103b4"", resource=""https://vault.azure.net"""),
+
+                // CAE Challenge
+                new MockResponse(401)
+                    .WithHeader("WWW-Authenticate", @"Bearer realm="""", authorization_uri=""https://login.microsoftonline.com/common/oauth2/authorize"", error=""insufficient_claims"", claims=""eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzI2MDc3NTk1In0sInhtc19jYWVlcnJvciI6eyJ2YWx1ZSI6IjEwMDEyIn19fQ=="""),
+
+                new MockResponse(200)
+                {
+                    ContentStream = new KeyVaultSecret("test-secret", "secret-value").ToStream(),
+                },
+            });
+
+            MockTransport credentialTransport = new(new[]
+            {
+                new MockResponse(200)
+                    .WithJson("""
+                    {
+                        "token_type": "Bearer",
+                        "expires_in": 3599,
+                        "resource": "https://vault.azure.net",
+                        "access_token": "ZGU3NjNhMjEtNDlmNy00YjA4LWE4ZTEtNTJjOGZiYzEwM2I0"
+                    }
+                    """),
+
+                new MockResponse(200)
+                    .WithJson("""
+                    {
+                        "token_type": "Bearer",
+                        "expires_in": 3599,
+                        "resource": "https://vault.azure.net",
+                        "access_token": "NzJmOTg4YmYtODZmMS00MWFmLTkxYWItMmQ3Y2QwMTFkYjQ3"
+                    }
+                    """),
+            });
+
+            SecretClient client = new(
+                VaultUri,
+                new MockCredential(credentialTransport),
+                new SecretClientOptions()
+                {
+                    Transport = keyVaultTransport,
+                });
+
+            Response<KeyVaultSecret> response = client.GetSecret("test-secret");
+            Assert.AreEqual(200, response.GetRawResponse().Status);
+            Assert.AreEqual("secret-value", response.Value.Value);
+        }
+
+        [Test]
+        public void ThrowsWithTwoConsecutiveCaeChallenges()
+        {
+            MockTransport keyVaultTransport = new(new[]
+            {
+                // Initial scope challlenge
+                new MockResponse(401)
+                    .WithHeader("WWW-Authenticate", @"Bearer authorization=""https://login.windows.net/de763a21-49f7-4b08-a8e1-52c8fbc103b4"", resource=""https://vault.azure.net"""),
+
+                // CAE Challenge
+                new MockResponse(401)
+                    .WithHeader("WWW-Authenticate", @"Bearer realm="""", authorization_uri=""https://login.microsoftonline.com/common/oauth2/authorize"", error=""insufficient_claims"", claims=""eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzI2MDc3NTk1In0sInhtc19jYWVlcnJvciI6eyJ2YWx1ZSI6IjEwMDEyIn19fQ=="""),
+
+                // Second CAE Challenge
+                new MockResponse(401)
+                    .WithHeader("WWW-Authenticate", @"Bearer realm="""", authorization_uri=""https://login.microsoftonline.com/common/oauth2/authorize"", error=""insufficient_claims"", claims=""eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzI2MDc3NTk1In0sInhtc19jYWVlcnJvciI6eyJ2YWx1ZSI6IjEwMDEyIn19fQ=="""),
+
+                new MockResponse(200)
+                {
+                    ContentStream = new KeyVaultSecret("test-secret", "secret-value").ToStream(),
+                },
+            });
+
+            MockTransport credentialTransport = new(new[]
+            {
+                new MockResponse(200)
+                    .WithJson("""
+                    {
+                        "token_type": "Bearer",
+                        "expires_in": 3599,
+                        "resource": "https://vault.azure.net",
+                        "access_token": "ZGU3NjNhMjEtNDlmNy00YjA4LWE4ZTEtNTJjOGZiYzEwM2I0"
+                    }
+                    """),
+
+                new MockResponse(200)
+                    .WithJson("""
+                    {
+                        "token_type": "Bearer",
+                        "expires_in": 3599,
+                        "resource": "https://vault.azure.net",
+                        "access_token": "NzJmOTg4YmYtODZmMS00MWFmLTkxYWItMmQ3Y2QwMTFkYjQ3"
+                    }
+                    """),
+
+                new MockResponse(200)
+                    .WithJson("""
+                    {
+                        "token_type": "Bearer",
+                        "expires_in": 3599,
+                        "resource": "https://vault.azure.net",
+                        "access_token": GUID.NewGuid().ToString()
+                    }
+                    """),
+            });
+
+            SecretClient client = new(
+                VaultUri,
+                new MockCredential(credentialTransport),
+                new SecretClientOptions()
+                {
+                    Transport = keyVaultTransport,
+                });
+
+            try
+            {
+                client.GetSecret("test-secret");
+            }
+            catch (RequestFailedException ex)
+            {
+                Assert.AreEqual(401, ex.Status);
+            }
+            catch (Exception ex)
+            {
+                Assert.Fail($"Expected RequestFailedException, but got {ex.GetType()}");
+            }
+        }
+
         private class MockTransportBuilder
         {
             private const string AuthorizationHeader = "Authorization";

@@ -6,6 +6,7 @@
 using System;
 using System.Collections.Concurrent;
 using System.Globalization;
+using System.Net;
 using System.Threading.Tasks;
 
 namespace Azure.Security.KeyVault
@@ -51,7 +52,7 @@ private async ValueTask AuthorizeRequestInternal(HttpMessage message, bool async
             if (_challenge != null)
             {
                 // We fetched the challenge from the cache, but we have not initialized the Scopes in the base yet.
-                var context = new TokenRequestContext(_challenge.Scopes, parentRequestId: message.Request.ClientRequestId, tenantId: _challenge.TenantId);
+                var context = new TokenRequestContext(_challenge.Scopes, parentRequestId: message.Request.ClientRequestId, tenantId: _challenge.TenantId, isCaeEnabled: true);
                 if (async)
                 {
                     await AuthenticateAndAuthorizeRequestAsync(message, context).ConfigureAwait(false);
@@ -84,15 +85,40 @@ protected override ValueTask<bool> AuthorizeRequestOnChallengeAsync(HttpMessage
         protected override bool AuthorizeRequestOnChallenge(HttpMessage message)
             => AuthorizeRequestOnChallengeAsyncInternal(message, false).EnsureCompleted();
 
+        /// <summary>
+        /// Gets the claims parameter from the challenge response.
+        /// If there are no claims, returns null.
+        /// </summary>
+        /// <param name="error">The error message from the service.</param>
+        /// <param name="response">The response from the service which contains the headers.</param>
+        /// <returns>A string with the decoded claims if present, otherwise null</returns>
+        internal static string getDecodedClaimsParameter(string error, Response response)
+        {
+            // According to docs https://learn.microsoft.com/en-us/entra/identity-platform/claims-challenge?tabs=dotnet#claims-challenge-header-format,
+            // the error message must be "insufficient_claims" when a claims challenge should be generated.
+            if (error == "insufficient_claims")
+            {
+                return AuthorizationChallengeParser.GetChallengeParameterFromResponse(response, "Bearer", "claims") switch
+                {
+                    { Length: 0 } => null,
+                    string enc => System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(enc))
+                };
+            }
+
+            return null;
+        }
+
         private async ValueTask<bool> AuthorizeRequestOnChallengeAsyncInternal(HttpMessage message, bool async)
         {
             if (message.Request.Content == null && message.TryGetProperty(KeyVaultStashedContentKey, out var content))
             {
                 message.Request.Content = content as RequestContent;
             }
 
+            string error = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "error");
             string authority = GetRequestAuthority(message.Request);
             string scope = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "resource");
+
             if (scope != null)
             {
                 scope += "/.default";
@@ -102,6 +128,15 @@ private async ValueTask<bool> AuthorizeRequestOnChallengeAsyncInternal(HttpMessa
                 scope = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "scope");
             }
 
+            // Handle CAE Challenges
+            string claims = getDecodedClaimsParameter(error, message.Response);
+            if (claims != null)
+            {
+                // Get the scope from the cache
+                s_challengeCache.TryGetValue(authority, out _challenge);
+                scope = _challenge.Scopes[0];
+            }
+
             if (scope is null)
             {
                 if (s_challengeCache.TryGetValue(authority, out _challenge))
@@ -140,7 +175,7 @@ private async ValueTask<bool> AuthorizeRequestOnChallengeAsyncInternal(HttpMessa
                 s_challengeCache[authority] = _challenge;
             }
 
-            var context = new TokenRequestContext(_challenge.Scopes, parentRequestId: message.Request.ClientRequestId, tenantId: _challenge.TenantId);
+            var context = new TokenRequestContext(_challenge.Scopes, parentRequestId: message.Request.ClientRequestId, tenantId: _challenge.TenantId, isCaeEnabled: true, claims: claims);
             if (async)
             {
                 await AuthenticateAndAuthorizeRequestAsync(message, context).ConfigureAwait(false);
@@ -153,6 +188,81 @@ private async ValueTask<bool> AuthorizeRequestOnChallengeAsyncInternal(HttpMessa
             return true;
         }
 
+        /// <inheritdoc />
+        public override ValueTask ProcessAsync(HttpMessage message, ReadOnlyMemory<HttpPipelinePolicy> pipeline)
+        {
+            return ProcessAsyncInternal(message, pipeline, true);
+        }
+
+        /// <inheritdoc />
+        public override void Process(HttpMessage message, ReadOnlyMemory<HttpPipelinePolicy> pipeline)
+        {
+            ProcessAsyncInternal(message, pipeline, false).EnsureCompleted();
+        }
+
+        private async ValueTask ProcessAsyncInternal(HttpMessage message, ReadOnlyMemory<HttpPipelinePolicy> pipeline, bool async)
+        {
+            if (message.Request.Uri.Scheme != Uri.UriSchemeHttps)
+            {
+                throw new InvalidOperationException("Bearer token authentication is not permitted for non TLS protected (https) endpoints.");
+            }
+
+            if (async)
+            {
+                await AuthorizeRequestAsync(message).ConfigureAwait(false);
+                await ProcessNextAsync(message, pipeline).ConfigureAwait(false);
+            }
+            else
+            {
+                AuthorizeRequest(message);
+                ProcessNext(message, pipeline);
+            }
+
+            // Check if we have received a challenge or we have not yet issued the first request.
+            if (message.Response.Status == (int)HttpStatusCode.Unauthorized && message.Response.Headers.Contains(HttpHeader.Names.WwwAuthenticate))
+            {
+                // Attempt to get the TokenRequestContext based on the challenge.
+                // If we fail to get the context, the challenge was not present or invalid.
+                // If we succeed in getting the context, authenticate the request and pass it up the policy chain.
+                if (async)
+                {
+                    if (await AuthorizeRequestOnChallengeAsync(message).ConfigureAwait(false))
+                    {
+                        await ProcessNextAsync(message, pipeline).ConfigureAwait(false);
+                    }
+                }
+                else
+                {
+                    if (AuthorizeRequestOnChallenge(message))
+                    {
+                        ProcessNext(message, pipeline);
+                    }
+                }
+
+                // Handle the scenario in which we get a CAE challenge back.
+                if (message.Response.Status == (int)HttpStatusCode.Unauthorized
+                    && message.Response.Headers.Contains(HttpHeader.Names.WwwAuthenticate)
+                    && AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "claims") != null)
+                {
+                    if (async)
+                    {
+                        if (await AuthorizeRequestOnChallengeAsync(message).ConfigureAwait(false))
+                        {
+                            await ProcessNextAsync(message, pipeline).ConfigureAwait(false);
+                        }
+                    }
+                    else
+                    {
+                        if (AuthorizeRequestOnChallenge(message))
+                        {
+                            ProcessNext(message, pipeline);
+                        }
+                    }
+                }
+                // If we get a second CAE challenge, an unlikely scenario, we do not attempt to re-authenticate.
+            }
+        }
+
         internal class ChallengeParameters
         {
             internal ChallengeParameters(Uri authorizationUri, string[] scopes)