Description
This feature entails adding CAE support for all clients lacking a custom challenge handler, i.e., everyone except Key Vault and Storage.
Adding support involves adding logic to your `BearerTokenAuthenticationPolicy` such that it does the following:
- Detects when a CAE challenge is issued (401 response with a WWW-Authenticate header)
- Parses the WWW-Authenticate header (format here)
  - validate that the `error` value is "insufficient_claims"
  - capture the `claims` value and decode it from base64 encoding to a string
- Pass the string value of the un-encoded `claims` to the `TokenCredential` via the `TokenRequestContext` or equivalent for your language via the `Claims` property
- Ensure that any local token caching is bypassed in the policy when the claims are populated from a CAE challenge
- Authorize the original request with the new token and send it through the pipeline again
- Return any response to the caller (don't try to handle a second challenge)
Example PRs:
Azure/azure-sdk-for-go#23414
Azure/azure-sdk-for-net#46277
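The steps above, carried through end to end in Go as an added illustration; this is not code from the Azure SDK or from the PRs linked above. `ClaimsFromChallenge`, `BearerTokenPolicy`, its `send`/`Do` methods, the stand-in `TokenRequestContext` and `TokenCredential` types, `RunDemo`, the `token-for:` token scheme, the in-memory resource and the sample claims JSON are all constructed for this example and are not the SDK's real types or pipeline.

```go
package main

import (
	"encoding/base64"
	"errors"
	"net/http"
	"strings"
)

// Constructed sample claims challenge body; a real one is issued by the resource.
const constructedClaims = `{"access_token":{"nbf":{"essential":true,"value":"1726258122"}}}`

// ClaimsFromChallenge parses a Bearer WWW-Authenticate value and, only if it is a CAE
// challenge (error="insufficient_claims"), returns the base64-decoded claims string.
// Assumption: CAE challenge values contain no commas, so splitting on "," suffices.
func ClaimsFromChallenge(header string) (string, error) {
	if !strings.HasPrefix(header, "Bearer ") {
		return "", errors.New("not a Bearer challenge")
	}
	params := map[string]string{}
	for _, kv := range strings.Split(strings.TrimPrefix(header, "Bearer "), ",") {
		if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok {
			params[strings.ToLower(k)] = strings.Trim(v, `"`)
		}
	}
	if params["error"] != "insufficient_claims" || params["claims"] == "" {
		return "", errors.New("401 is not a CAE challenge")
	}
	decoded, err := base64.StdEncoding.DecodeString(params["claims"])
	return string(decoded), err
}

// Stand-ins for the SDK's TokenRequestContext (Claims is set only from a CAE
// challenge) and TokenCredential.
type TokenRequestContext struct {
	Scopes []string
	Claims string
}
type TokenCredential func(TokenRequestContext) (string, error)

// BearerTokenPolicy is a minimal bearer policy with a one-entry local token cache.
type BearerTokenPolicy struct {
	Cred   TokenCredential
	Scopes []string
	cached string
}

// send authorizes req and forwards it. The cached token is reused only when no
// claims are in play; claims from a CAE challenge always go to the credential.
func (p *BearerTokenPolicy) send(req *http.Request, next http.RoundTripper, claims string) (*http.Response, error) {
	if claims != "" || p.cached == "" {
		tok, err := p.Cred(TokenRequestContext{Scopes: p.Scopes, Claims: claims})
		if err != nil {
			return nil, err
		}
		p.cached = tok
	}
	req.Header.Set("Authorization", "Bearer "+p.cached)
	return next.RoundTrip(req)
}

// Do sends req and, on a CAE challenge, re-authorizes with the claims and resends once.
func (p *BearerTokenPolicy) Do(req *http.Request, next http.RoundTripper) (*http.Response, error) {
	resp, err := p.send(req, next, "")
	if err != nil || resp.StatusCode != http.StatusUnauthorized {
		return resp, err
	}
	claims, cerr := ClaimsFromChallenge(resp.Header.Get("WWW-Authenticate"))
	if cerr != nil {
		return resp, nil // a 401 that is not a CAE challenge goes back to the caller
	}
	// A real pipeline rewinds the request body here (this demo uses GET). Whatever
	// the second attempt returns, even another challenge, is handed to the caller.
	return p.send(req, next, claims)
}

// roundTripFunc lets a closure act as the next pipeline stage.
type roundTripFunc func(*http.Request) (*http.Response, error)
func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// RunDemo wires an in-memory resource that challenges every token except one minted
// with the CAE claims, runs one request, and reports the final status and call count.
func RunDemo() (status, calls int) {
	// Stand-in credential: mints a token bound to whatever claims it was given.
	cred := func(trc TokenRequestContext) (string, error) { return "token-for:" + trc.Claims, nil }
	resource := roundTripFunc(func(r *http.Request) (*http.Response, error) {
		calls++
		h, code := http.Header{}, http.StatusOK
		if r.Header.Get("Authorization") != "Bearer token-for:"+constructedClaims {
			code = http.StatusUnauthorized
			h.Set("WWW-Authenticate", `Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", error="insufficient_claims", claims="`+
				base64.StdEncoding.EncodeToString([]byte(constructedClaims))+`"`)
		}
		return &http.Response{StatusCode: code, Header: h, Body: http.NoBody}, nil
	})
	// Cache pre-seeded with a claims-less token: the first attempt never touches the
	// credential, so the CAE retry only succeeds if it bypasses the cache.
	p := &BearerTokenPolicy{Cred: cred, Scopes: []string{"https://management.azure.com/.default"}, cached: "token-for:"}
	req, _ := http.NewRequest(http.MethodGet, "https://example.invalid/resource", nil)
	resp, _ := p.Do(req, resource) // the fakes never fail, so the error is ignored here
	return resp.StatusCode, calls
}
```

`RunDemo` returns status 200 after exactly two calls to the resource: the cached token is challenged, the claims are decoded and passed to the credential with the cache bypassed, and the re-authorized request succeeds. A second 401 on the retry would be returned to the caller untouched, and a 401 whose challenge is not `insufficient_claims` (or not a Bearer scheme) is never retried.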