
Design Document: Mutual TLS (mTLS) Proof-of-Possession (PoP) Tokens Implementation #5087

Merged
merged 4 commits into from
Jan 24, 2025

Conversation

gladjohn
Contributor

Mutual TLS (mTLS) Proof-of-Possession (PoP) Tokens Design Document

This pull request introduces a comprehensive design document for the implementation of mutual TLS (mTLS) Proof-of-Possession (PoP) tokens using Subject Name Issuer (SNI) certificates. The document outlines the security benefits, token flow, implementation details, and testing strategies for this feature.

Key Changes

Design and Implementation Details

  • Added an overview of mTLS PoP tokens and their compliance with RFC 8705, including a diagram outlining the mTLS PoP flow.
  • Detailed the certificate acquisition and token binding processes, explaining how tokens are bound to certificates used in mTLS connections.
  • Introduced the new WithMtlsProofOfPossession() API at the CCA request level, specifying the required configurations and validations for certificates, authority types, and Azure regions.

Testing and Validation

  • Provided a comprehensive list of tests to validate mTLS PoP tokens, including:
    • Certificate validation
    • Authority tests
    • Region validation
    • Token acquisition
    • Integration tests

Developer Guidance and Task List

  • Included detailed developer guidance for implementing the WithMtlsProofOfPossession() feature.
  • Created a task list for the public preview of SDK support for mTLS PoP tokens across different programming languages, including:
    • MSAL .NET
    • JAVA
    • NODE
    • PYTHON

By highlighting that the design is based on the MSAL .NET implementation, this description provides context for reviewers and collaborators, indicating that the document leverages existing work and insights from the .NET version of the Microsoft Authentication Library.

Reference Documentation

For more detailed information on Proof-of-Possession (PoP) tokens implementation in MSAL .NET, you can refer to the MSAL .NET Pull Request:

Proof-of-Possession (PoP) tokens in MSAL .NET
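As an added illustration, not code from the design document or from the MSAL repository, this is what the app creation and token acquisition described above could look like with the MSAL .NET confidential-client builder. The builder and request method names follow MSAL .NET as I know it; the certificate variable, region, scopes, resource URI and the "not a plain Bearer token" sanity check are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not part of the design document. Assumes the SNI certificate
// is already loaded as an X509Certificate2 (e.g. from a key vault or cert store).
public static class MtlsPopSample
{
    public static async Task<HttpResponseMessage> CallResourceWithMtlsPopAsync(
        string clientId, string tenantId, X509Certificate2 sniCertificate,
        string azureRegion, string[] scopes, Uri resourceUri)
    {
        // 1. App creation: AAD authority, the SNI certificate sent as x5c so the
        //    service can validate issuer/subject, and an explicit Azure region.
        //    Certificate, authority type and region are the inputs the design
        //    document says are validated for this feature.
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .WithCertificate(sniCertificate, sendX5C: true)
            .WithAzureRegion(azureRegion)
            .Build();

        // 2. Token acquisition: ask for an mTLS PoP token at the request level.
        AuthenticationResult result = await app
            .AcquireTokenForClient(scopes)
            .WithMtlsProofOfPossession()
            .ExecuteAsync();

        // 3. Caller-side check (assumption): a PoP token must not come back as a
        //    plain Bearer token, which would mean no binding took place.
        if (string.Equals(result.TokenType, "Bearer", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Expected an mTLS PoP token but got a Bearer token.");

        // 4. Use the token: the resource call must go over a TLS channel presenting
        //    the same certificate the token is bound to, or the PoP check fails.
        var handler = new HttpClientHandler();
        handler.ClientCertificates.Add(sniCertificate);
        using var http = new HttpClient(handler);
        var request = new HttpRequestMessage(HttpMethod.Get, resourceUri);
        request.Headers.Authorization =
            new AuthenticationHeaderValue(result.TokenType, result.AccessToken);
        return await http.SendAsync(request);
    }
}
```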

@gladjohn gladjohn requested a review from a team as a code owner January 16, 2025 19:37
@trwalke
Member

trwalke commented Jan 17, 2025

Maybe you can add an example code snippet of what the app creation and token acquisition apis look like?

@trwalke
Member

trwalke commented Jan 17, 2025

I would maybe add a few more details to the image. Like, what is sent to ESTS to initialize this flow and acquire the token initially. What does ESTS return (what is special about the token). Things like that.

Member

@trwalke trwalke left a comment


Overall looks great @gladjohn

@gladjohn gladjohn force-pushed the gladjohn/sni_mini_spec branch from e6a1d52 to 234b04c January 21, 2025 17:55
@gladjohn gladjohn merged commit 9c486cf into main Jan 24, 2025
1 of 4 checks passed
@gladjohn gladjohn deleted the gladjohn/sni_mini_spec branch January 24, 2025 00:38