BearerTokenAuthenticationPolicy should support CAE token revocation challenges by default

This feature entails adding CAE support for all clients lacking a custom challenge handler i.e., everyone except Key Vault and Storage. 

Adding support involves adding logic to your BearerTokenAuthenticationPolicy such that it does the following:
 - Detects when a CAE challenge is issued (401 response with a WWW-Authenticate header)
 - Parses the WWW-Authenticate header (format [here](https://learn.microsoft.com/entra/identity-platform/app-resilience-continuous-access-evaluation?tabs=dotnet#the-code))
   - validate that the `error` value is "insufficient_claims"
   - capture the `claims` value and decode it from base64 encoding to a string
 - Pass the string value of the un-encoded `claims` to the `TokenCredential` via the `TokenRequestContext` or equivalent for your language via the `Claims` property
 - Ensure that any local token caching is bypassed in the policy when the claims are populated from a CAE challenge
 - Authorize the original request with the new token and send it through the pipeline again
 - Return any response to the caller (don't try to handle a second challenge)

Example PRs: 
https://github.com/Azure/azure-sdk-for-go/pull/23414
https://github.com/Azure/azure-sdk-for-net/pull/46277

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

BearerTokenAuthenticationPolicy should support CAE token revocation challenges by default #6022

christothes
openedon Sep 23, 2024

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

BearerTokenAuthenticationPolicy should support CAE token revocation challenges by default #6022

Description

christothesopenedon Sep 23, 2024

Metadata