From 44ec662bb381de861ef1c6219f43eaa50d9e263a Mon Sep 17 00:00:00 2001
From: Daniel Rodriguez
Date: Fri, 18 Jun 2021 22:37:26 +0000
Subject: [PATCH 1/2] [Identity] [InteractiveBrowserCredential] [Node] Enable PKCE

---
 sdk/identity/identity/CHANGELOG.md | 1 +
 .../credentials/interactiveBrowserCredential.ts | 3 +++
 .../src/msal/nodeFlows/msalOpenBrowser.ts | 17 +++++++++++++++--
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/sdk/identity/identity/CHANGELOG.md b/sdk/identity/identity/CHANGELOG.md
index 07f68c7425d0..bbf63a165ced 100644
--- a/sdk/identity/identity/CHANGELOG.md
+++ b/sdk/identity/identity/CHANGELOG.md
@@ -21,6 +21,7 @@
 - `AuthenticationRequiredError` (introduced in 2.0.0-beta.1) now has the same impact on `ChainedTokenCredential` as the `CredentialUnavailableError` which is to allow the next credential in the chain to be tried.
 - `ManagedIdentityCredential` now retries with exponential back-off when a request for a token fails with a 404 status code on environments with available IMDS endpoints.
 - Added an `AzurePowerShellCredential` which will use the authenticated user session from the `Az.Account` PowerShell module. This credential will attempt to use PowerShell Core by calling `pwsh`, and on Windows it will fall back to Windows PowerShell (`powershell`) if PowerShell Core is not available.
+- Enabled PKCE on `InteractiveBrowserCredential` for Node.js. [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) is a security feature that mitigates authentication code interception attacks.
 ### Breaking changes from 2.0.0-beta.1
diff --git a/sdk/identity/identity/src/credentials/interactiveBrowserCredential.ts b/sdk/identity/identity/src/credentials/interactiveBrowserCredential.ts
index f7b6ec4f7008..4c0da70380df 100644
--- a/sdk/identity/identity/src/credentials/interactiveBrowserCredential.ts
+++ b/sdk/identity/identity/src/credentials/interactiveBrowserCredential.ts
@@ -85,6 +85,9 @@ export class InteractiveBrowserCredential implements TokenCredential {
 *
 * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
 *
+ * On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default.
+ * PKCE is a security feature that mitigates authentication code interception attacks.
+ *
 * @param scopes - The list of scopes for which the token will have access.
 * @param options - The options used to configure any requests this
 * TokenCredential implementation might make.
diff --git a/sdk/identity/identity/src/msal/nodeFlows/msalOpenBrowser.ts b/sdk/identity/identity/src/msal/nodeFlows/msalOpenBrowser.ts
index 674bcbec57d9..cf4bf10faf25 100644
--- a/sdk/identity/identity/src/msal/nodeFlows/msalOpenBrowser.ts
+++ b/sdk/identity/identity/src/msal/nodeFlows/msalOpenBrowser.ts
@@ -84,7 +84,8 @@ export class MsalOpenBrowser extends MsalNode {
 const tokenRequest: msalNode.AuthorizationCodeRequest = {
 code: url.searchParams.get("code")!,
 redirectUri: this.redirectUri,
- scopes: scopes
+ scopes: scopes,
+ codeVerifier: this.pkceCodes?.verifier
 };
 this.acquireTokenByCode(tokenRequest)
@@ -182,10 +183,22 @@ export class MsalOpenBrowser extends MsalNode {
 });
 }
+ private pkceCodes?: {
+ verifier: string;
+ challenge: string;
+ };
+
 private async openAuthCodeUrl(scopeArray: string[]): Promise {
+ // Initialize CryptoProvider instance
+ const cryptoProvider = new msalNode.CryptoProvider();
+ // Generate PKCE Codes before starting the authorization flow
+ this.pkceCodes = await cryptoProvider.generatePkceCodes();
+
 const authCodeUrlParameters: msalNode.AuthorizationUrlRequest = {
 scopes: scopeArray,
- redirectUri: this.redirectUri
+ redirectUri: this.redirectUri,
+ codeChallenge: this.pkceCodes.challenge,
+ codeChallengeMethod: "S256" // Use SHA256 Algorithm
 };
 const response = await this.publicApp!.getAuthCodeUrl(authCodeUrlParameters);
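Review bot: The new TSDoc says PKCE is `enabled by default` on Node.js, which implies a way to turn it off, but nothing in this patch adds such an option. Unless an opt-out exists elsewhere, `* On Node.js, this credential always uses [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) in the authorization code flow.` describes the behavior the code actually has, and the CHANGELOG entry in patch 1 would benefit from the same wording. The enclosing method starts and ends outside the hunk.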
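Review bot: `codeVerifier: this.pkceCodes?.verifier` makes the verifier optional, so a redirect that reaches this handler while `pkceCodes` is unset (for instance a request that did not originate from `openAuthCodeUrl`) is exchanged with no verifier at all, silently losing the protection this commit adds. A guard ahead of the request literal, `if (!this.pkceCodes) { /* fail this authentication the way the handler reports its other errors */ }`, followed by `codeVerifier: this.pkceCodes.verifier`, keeps the exchange strict; how a failure is surfaced here depends on the enclosing handler, which starts and ends outside the hunk. Since a verifier is single-use, clearing `this.pkceCodes = undefined` once `acquireTokenByCode` settles would also stop a stale verifier from being sent on a later redirect.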
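Review bot: The `pkceCodes` field is declared between two methods rather than with the class's other fields, and the comments `// Initialize CryptoProvider instance` and `// Use SHA256 Algorithm` only restate the code; moving the declaration to the top of the class and replacing the inline comments with one TSDoc on the field would read better, e.g. `/** PKCE verifier/challenge pair for the authorization flow in progress; generated per flow in openAuthCodeUrl and consumed once by the code exchange. */`. Each call to `openAuthCodeUrl` overwrites `this.pkceCodes`, so overlapping flows would lose the earlier verifier — presumably the credential serializes flows, but that is not visible in this hunk. The method's return type reads as a bare `Promise` here, which may be a rendering artifact; worth confirming the type argument survived in the actual file.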
From 0d94a4b878ad204d4e64d8d7340c05311291bd20 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Rodr=C3=ADguez?=
Date: Tue, 29 Jun 2021 12:47:51 -0400
Subject: [PATCH 2/2] Update CHANGELOG.md

---
 sdk/identity/identity/CHANGELOG.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sdk/identity/identity/CHANGELOG.md b/sdk/identity/identity/CHANGELOG.md
index cbefff9e3664..816d44824eb1 100644
--- a/sdk/identity/identity/CHANGELOG.md
+++ b/sdk/identity/identity/CHANGELOG.md
@@ -9,6 +9,8 @@
 - `@azure/identity-cache-persistence`, which provides persistent token caching (same as was available in version 2.0.0-beta.2, but now provided through a secondary extension package).
 - Reintroduced a stub implementation of `VisualStudioCodeCredential`. If the `@azure/identity-vscode` extension is not used, then it will throw a `CredentialUnavailableError` (similar to how it previously behaved if the `keytar` package was not installed). The extension now provides the underlying implementation of `VisualStudioCodeCredential` through dependency injection.
 - Reintroduced the `TokenCachePersistenceOptions` property on most credential constructor options. This property must be present with an `enabled` property set to true to enable persistent token caching for a credential instance. Credentials that do not support persistent token caching do not have this property.
+- Added support to `ManagedIdentityCredential` for Bridge to Kubernetes local development authentication.
+- Enabled PKCE on `InteractiveBrowserCredential` for Node.js. [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) is a security feature that mitigates authentication code interception attacks.
 - Added regional STS support to client credential types.
 - Added the `RegionalAuthority` type, that allows specifying Azure regions.
 - Added `regionalAuthority` property to `ClientSecretCredentialOptions` and `ClientCertificateCredentialOptions`.
@@ -34,8 +36,6 @@
 - `AuthenticationRequiredError` (introduced in 2.0.0-beta.1) now has the same impact on `ChainedTokenCredential` as the `CredentialUnavailableError` which is to allow the next credential in the chain to be tried.
 - `ManagedIdentityCredential` now retries with exponential back-off when a request for a token fails with a 404 status code on environments with available IMDS endpoints.
 - Added an `AzurePowerShellCredential` which will use the authenticated user session from the `Az.Account` PowerShell module. This credential will attempt to use PowerShell Core by calling `pwsh`, and on Windows it will fall back to Windows PowerShell (`powershell`) if PowerShell Core is not available.
-- Enabled PKCE on `InteractiveBrowserCredential` for Node.js. [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) is a security feature that mitigates authentication code interception attacks.
-- Added support to `ManagedIdentityCredential` for Bridge to Kubernetes local development authentication.
 ### Breaking changes from 2.0.0-beta.1