Adding AT PoP skeleton (#2511)

* adding "-AT PoP" option to "Set-MgGraphOptions"

* Adding AT PoP skeleton

---------

Co-authored-by: Tim <[email protected]>
Co-authored-by: Peter Ombwa <[email protected]>
Co-authored-by: Peter Ombwa <[email protected]>
Co-authored-by: Mustafa Zengin <[email protected]>
Co-authored-by: Clément Notin <[email protected]>
Co-authored-by: Microsoft Graph DevX Tooling <[email protected]>
Co-authored-by: Vincent Biret <[email protected]>
Co-authored-by: Vincent Biret <[email protected]>
Co-authored-by: Subhajit Ray (from Dev Box) <[email protected]>

Author: 8 people

docs/authentication.md

@@ -116,6 +116,8 @@ Before using the provided `-AccessToken` to get Microsoft Graph resources, custo
 
 AT PoP is a security mechanism that binds an access token to a cryptographic key that only the intended recipient has. This prevents unauthorized use of the token by malicious actors. AT PoP enhances data protection, reduces token replay attacks, and enables fine-grained authorization policies.
 
+Note: AT PoP requires WAM to function.
+
 Microsoft Graph PowerShell module supports AT PoP in the following scenario:
 
 - To enable AT PoP on supported devices

src/Authentication/Authentication.Core/Microsoft.Graph.Authentication.Core.csproj

@@ -1,22 +1,22 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
   <Import Project="$(MSBuildThisFileDirectory)..\..\..\Repo.props" />
   <PropertyGroup>
     <LangVersion>9.0</LangVersion>
     <TargetFrameworks>netstandard2.0;net6.0;net472</TargetFrameworks>
     <RootNamespace>Microsoft.Graph.PowerShell.Authentication.Core</RootNamespace>
-    <Version>2.6.1</Version>
+    <Version>2.12.0</Version>
   </PropertyGroup>
   <PropertyGroup>
     <EnableNETAnalyzers>true</EnableNETAnalyzers>
     <EnforceCodeStyleInBuild>true</EnforceCodeStyleInBuild>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Azure.Identity" Version="1.11.0" />
-    <PackageReference Include="Azure.Identity.Broker" Version="1.0.0-beta.5" />
-    <PackageReference Include="Azure.Identity.BrokeredAuthentication" Version="1.0.0-beta.3" />
-    <PackageReference Include="Microsoft.Graph.Core" Version="3.0.9" />
-    <PackageReference Include="Microsoft.Identity.Client" Version="4.56.0" />
-    <PackageReference Include="Microsoft.Identity.Client.Broker" Version="4.56.0" />
+    <PackageReference Include="Azure.Identity" Version="1.11.0-beta.1" />
+    <PackageReference Include="Azure.Core" Version="1.38.0" />
+    <PackageReference Include="Azure.Identity.Broker" Version="1.1.0-beta.1" />
+    <PackageReference Include="Microsoft.Graph.Core" Version="3.1.8" />
+    <PackageReference Include="Microsoft.Identity.Client" Version="4.59.0" />
+    <PackageReference Include="Microsoft.Identity.Client.Broker" Version="4.59.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
   </ItemGroup>
   <Target Name="CopyFiles" AfterTargets="Build">

src/Authentication/Authentication.Core/Utilities/AuthenticationHelpers.cs

@@ -3,6 +3,7 @@
 // ------------------------------------------------------------------------------
 using Azure.Core;
 using Azure.Core.Diagnostics;
+using Azure.Core.Pipeline;
 using Azure.Identity;
 using Azure.Identity.Broker;
 using Microsoft.Graph.Authentication;
@@ -86,6 +87,12 @@ private static bool IsWamSupported()
             return GraphSession.Instance.GraphOption.EnableWAMForMSGraph && SharedUtilities.IsWindowsPlatform();
         }
 
+        //Check to see if ATPoP is Supported
+        private static bool IsATPoPSupported()
+        {
+            return GraphSession.Instance.GraphOption.EnableATPoPForMSGraph;
+        }
+
         private static async Task<TokenCredential> GetClientSecretCredentialAsync(IAuthContext authContext)
         {
             if (authContext is null)
@@ -125,11 +132,29 @@ private static async Task<InteractiveBrowserCredential> GetInteractiveBrowserCre
                 var interactiveBrowserCredential = new InteractiveBrowserCredential(interactiveOptions);
                 if (IsWamSupported())
                 {
-                    authRecord = await Task.Run(() =>
+                    // Adding a scenario to account for Access Token Proof of Possession
+                    if (IsATPoPSupported())
                     {
-                        // Run the thread in MTA.
-                        return interactiveBrowserCredential.Authenticate(new TokenRequestContext(authContext.Scopes), cancellationToken);
-                    });
+                        // Logic to implement ATPoP Authentication
+                        var client = new PopClient(interactiveBrowserCredential, authContext, new PopClientOptions() 
+                        { 
+                            Diagnostics = 
+                            { 
+                                IsLoggingContentEnabled = true, 
+                                LoggedHeaderNames = { "Authorization" } 
+                            } 
+                        });
+                        //var response = client.Get(new Uri("https://20.190.132.47/beta/me"), CancellationToken.None);
+                        authRecord = client.GetAuthRecord();
+                    }
+                    else
+                    {
+                        authRecord = await Task.Run(() =>
+                        {
+                            // Run the thread in MTA.
+                            return interactiveBrowserCredential.Authenticate(new TokenRequestContext(authContext.Scopes), cancellationToken);
+                        });
+                    }
                 }
                 else
                 {

src/Authentication/Authentication.Core/Utilities/PopClient.cs

@@ -0,0 +1,88 @@
+using System;
+using System.IdentityModel;
+using System.Threading;
+using System.Threading.Tasks;
+using Azure;
+using Azure.Core;
+using Azure.Core.Pipeline;
+using Azure.Identity;
+using Azure.Identity.Broker;
+using Microsoft.Identity.Client.NativeInterop;
+
+namespace Microsoft.Graph.PowerShell.Authentication.Core.Utilities
+{
+    public class PopClient
+    {
+        private readonly HttpPipeline _pipeline;
+        private AuthenticationRecord _authenticationRecord;
+        private readonly InteractiveBrowserCredential _interactiveBrowserCredential;
+
+        public PopClient(TokenCredential credential, IAuthContext authContext, ClientOptions options = null)
+        {
+            //_interactiveBrowserCredential = (InteractiveBrowserCredential)credential;
+            _interactiveBrowserCredential = new InteractiveBrowserCredential(new InteractiveBrowserCredentialBrokerOptions(WindowHandleUtlities.GetConsoleOrTerminalWindow()));
+
+            if (!(credential is ISupportsProofOfPossession))
+            {
+                throw new ArgumentException("The provided TokenCredential does not support proof of possession.", nameof(credential));
+            }
+
+            var pipelineOptions = new HttpPipelineOptions(options);
+            pipelineOptions.PerRetryPolicies.Add(new InteractivePopTokenAuthenticationPolicy(_interactiveBrowserCredential, "https://graph.microsoft.com/.default", () => _authenticationRecord));
+
+            _pipeline = HttpPipelineBuilder.Build(pipelineOptions);
+        }
+
+        public async ValueTask<Response> GetAsync(Uri uri, CancellationToken cancellationToken = default)
+        {
+            using var request = _pipeline.CreateRequest();
+            request.Method = RequestMethod.Get;
+            request.Uri.Reset(uri);
+            return await _pipeline.SendRequestAsync(request, cancellationToken).ConfigureAwait(false);
+        }
+
+        public Response Get(Uri uri, CancellationToken cancellationToken = default)
+        {
+            using var request = _pipeline.CreateRequest();
+            request.Method = RequestMethod.Get;
+            request.Uri.Reset(uri);
+            return _pipeline.SendRequest(request, cancellationToken);
+        }
+
+        public async ValueTask<AuthenticationRecord> GetAuthRecordAsync()
+        {
+            _authenticationRecord ??= await _interactiveBrowserCredential.AuthenticateAsync();
+            return _authenticationRecord;
+        }
+
+        public AuthenticationRecord GetAuthRecord()
+        {
+            _authenticationRecord ??= _interactiveBrowserCredential.Authenticate();
+            return _authenticationRecord;
+        }
+    }
+
+    public class InteractivePopTokenAuthenticationPolicy : PopTokenAuthenticationPolicy
+    {
+        private readonly InteractiveBrowserCredential _interactiveBrowserCredential;
+        private readonly Func<AuthenticationRecord> _getAuthRecord;
+
+        public InteractivePopTokenAuthenticationPolicy(InteractiveBrowserCredential credential, string scope, Func<AuthenticationRecord> getAuthRecord)
+            : base(credential, scope)
+        {
+            _interactiveBrowserCredential = credential;
+            _getAuthRecord = getAuthRecord;
+        }
+
+        protected override ValueTask AuthorizeRequestAsync(HttpMessage message)
+        {
+            var authRecord = _getAuthRecord();
+            if (authRecord != null)
+            {
+                _interactiveBrowserCredential.AuthenticateAsync(new TokenRequestContext(new[] { "https://graph.microsoft.com/.default" })).ConfigureAwait(false);
+            }
+
+            return base.AuthorizeRequestAsync(message);
+        }
+    }
+}

src/Authentication/Authentication.Core/Utilities/PopClientOptions.cs

@@ -0,0 +1,2 @@
+using Azure.Core;
+public class PopClientOptions : ClientOptions { }