Microsoft-authentication-library-for-dotnet: [Bug] WithProofOfPosession produces a token of type POP, whereas the Wilson 6.0 expects PoP

Created on 16 Mar 2020  路  4Comments  路  Source: AzureAD/microsoft-authentication-library-for-dotnet

Which Version of MSAL are you using ?
4.9

Platform
net45

What authentication flow has the issue?

  • Desktop / Mobile

    • [x ] Interactive

    • [ ] Integrated Windows Auth

    • [ ] Username Password

    • [ ] Device code flow (browserless)

  • Web App

    • [ ] Authorization code

    • [ ] OBO

  • Web API

    • [ ] OBO

Expected behavior
Send PoP

Actual behavior
Sends POP

Fixed P2 bug
Source
picture jmprieur
👍1

Most helpful comment

Actually Wilson does a case insensitive match, so this works (my bad @bgavrilMS )
but in the Middleware grooming meeting we've advised that MSAL.NET sends "PoP". Not super urgent.

picture jmprieur on 17 Mar 2020
👍2

All 4 comments

Hmm, the validating service that we use for integration testing does not seem to complain about this. I guess Wilson tightened the rules. @GeoK - are there plans to update the validation service to use Wilson 6? Or I could contribute to the project if pubic?

bgavrilMS picture bgavrilMS on 17 Mar 2020

Actually Wilson does a case insensitive match, so this works (my bad @bgavrilMS )
but in the Middleware grooming meeting we've advised that MSAL.NET sends "PoP". Not super urgent.

jmprieur picture jmprieur on 17 Mar 2020
👍2

@bgavrilMS Both Wilson and SAL and lax on the validation side. Extra spaces and different casing are forgiven. The spec defines "PoP" as the authentication scheme.

GeoK picture GeoK on 17 Mar 2020
👍1

Resolved in 4.11.0

trwalke picture trwalke on 4 Apr 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

dansiegel picture dansiegel  路  5Comments
chrisevans9629 picture chrisevans9629  路  5Comments
peombwa picture peombwa  路  6Comments
trwalke picture trwalke  路  4Comments
steffos picture steffos  路  4Comments