Adding Extensibility for Custom Signed Assertion Providers

Directory.Build.props

@@ -96,7 +96,7 @@
     <MicrosoftGraphVersion>4.36.0</MicrosoftGraphVersion>
     <MicrosoftGraphBetaVersion>4.57.0-preview</MicrosoftGraphBetaVersion>
     <MicrosoftExtensionsHttpVersion>3.1.3</MicrosoftExtensionsHttpVersion>
-    <MicrosoftIdentityAbstractionsVersion>8.0.0</MicrosoftIdentityAbstractionsVersion>
+    <MicrosoftIdentityAbstractionsVersion>8.1.0</MicrosoftIdentityAbstractionsVersion>
     <!--CVE-2024-43485-->
     <SystemTextJsonVersion>8.0.5</SystemTextJsonVersion>
     <!--CVE-2023-29331-->

src/Microsoft.Identity.Web.Certificate/CertificateErrorMessage.cs

@@ -16,6 +16,9 @@ internal static class CertificateErrorMessage
         public const string BothClientSecretAndCertificateProvided = "IDW10105: Both client secret and client certificate, " +
                    "cannot be included in the configuration of the web app when calling a web API. ";
         public const string ClientCertificatesHaveExpiredOrCannotBeLoaded = "IDW10109: All client certificates passed to the configuration have expired or can't be loaded. ";
+        public const string CustomProviderNameNullOrEmpty = "IDW10111 The name of the custom signed assertion provider is null or empty.";
+        public const string CustomProviderNotFound = "IDW10112: The custom signed assertion provider with name '{0}' was not found.";
+        public const string CustomProviderSourceLoaderNullOrEmpty = "IDW10113 The dictionary of SourceLoaders for custom signed assertion providers is null or empty.";
 
         // Encoding IDW10600 = "IDW10600:"
         public const string InvalidBase64UrlString = "IDW10601: Invalid Base64URL string. ";

src/Microsoft.Identity.Web.Certificate/DefaultCredentialsLoader.CustomSignedAssertion.cs

@@ -0,0 +1,75 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using Microsoft.Identity.Abstractions;
+
+
+namespace Microsoft.Identity.Web
+{
+    public partial class DefaultCredentialsLoader
+    {
+        /// <summary>
+        /// Constructor for DefaultCredentialsLoader when using custom signed assertion provider source loaders.
+        /// </summary>
+        /// <param name="logger"></param>
+        /// <param name="customSignedAssertionProviders">Set of custom signed assertion providers.</param>
+        public DefaultCredentialsLoader(ILogger<DefaultCredentialsLoader>? logger, IEnumerable<ICustomSignedAssertionProvider> customSignedAssertionProviders) : this(logger)
+        {
+            var sourceLoaderDict = new Dictionary<string, ICredentialSourceLoader>();
+
+            foreach (var provider in customSignedAssertionProviders)
+            {
+                sourceLoaderDict.Add(provider.Name ?? provider.GetType().FullName!, provider);
+            }
+
+            CustomSignedAssertionCredentialSourceLoaders = sourceLoaderDict;
+        }
+
+        /// <summary>
+        /// Dictionary of custom signed assertion credential source loaders, by name (fully qualified type name).
+        /// </summary>
+        public IDictionary<string, ICredentialSourceLoader>? CustomSignedAssertionCredentialSourceLoaders { get; }
+
+
+        private async Task ProcessCustomSignedAssertionAsync(CredentialDescription credentialDescription, CredentialSourceLoaderParameters? parameters)
+        {
+            // No source loader(s)
+            if (CustomSignedAssertionCredentialSourceLoaders == null || !CustomSignedAssertionCredentialSourceLoaders.Any())
+            {
+                _logger.LogError(CertificateErrorMessage.CustomProviderSourceLoaderNullOrEmpty);
+            }
+
+            // No provider name
+            else if (string.IsNullOrEmpty(credentialDescription.CustomSignedAssertionProviderName))
+            {
+                _logger.LogError(CertificateErrorMessage.CustomProviderNameNullOrEmpty);
+            }
+
+            // No source loader for provider name
+            else if (!CustomSignedAssertionCredentialSourceLoaders!.TryGetValue(credentialDescription.CustomSignedAssertionProviderName!, out ICredentialSourceLoader? sourceLoader))
+            {
+                _logger.LogError(CertificateErrorMessage.CustomProviderNotFound, credentialDescription.CustomSignedAssertionProviderName);
+            }
+
+            // Load the credentials, if there is an error, it is coming from the user's custom extension and should be logged and propagated.
+            else
+            {
+                try
+                {
+                    await sourceLoader.LoadIfNeededAsync(credentialDescription, parameters);
+                }
+                catch (Exception ex)
+                {
+                    Logger.CustomSignedAssertionProviderLoadingFailure(_logger, credentialDescription, ex);
+                    throw;
+                }
+                return;
+            }
+        }
+    }
+}

src/Microsoft.Identity.Web.Certificate/DefaultCredentialsLoader.Logger.cs

@@ -25,6 +25,20 @@ private static class Logger
 
             public static void CredentialLoadingFailure(ILogger logger, CredentialDescription cd, Exception? ex)
                 => s_credentialLoadingFailure(logger, cd.Id, cd.SourceType.ToString(), cd.Skip, ex);
+
+            private static readonly Action<ILogger, string, string, bool, Exception?> s_customSignedAssertionProviderLoadingFailure =
+                LoggerMessage.Define<string, string, bool>(
+                    LogLevel.Information,
+                    new EventId(
+                        7,
+                        nameof(CustomSignedAssertionProviderLoadingFailure)),
+            "Failed to find custom signed assertion provider {name} from source {sourceType}. Will it be skipped in the future ? {skip}.");
+
+            public static void CustomSignedAssertionProviderLoadingFailure(
+                ILogger logger,
+                CredentialDescription cd,
+                Exception ex
+                ) => s_customSignedAssertionProviderLoadingFailure(logger, cd.CustomSignedAssertionProviderName ?? "NameMissing", cd.SourceType.ToString(), cd.Skip, ex);
         }
     }
 }

src/Microsoft.Identity.Web.Certificate/DefaultCredentialsLoader.cs

@@ -72,7 +72,11 @@ public async Task LoadCredentialsIfNeededAsync(CredentialDescription credentialD
                 {
                     if (credentialDescription.CachedValue == null)
                     {
-                        if (CredentialSourceLoaders.TryGetValue(credentialDescription.SourceType, out ICredentialSourceLoader? loader))
+                        if (credentialDescription.SourceType == CredentialSource.CustomSignedAssertion)
+                        {
+                            await ProcessCustomSignedAssertionAsync(credentialDescription, parameters);
+                        }
+                        else if (CredentialSourceLoaders.TryGetValue(credentialDescription.SourceType, out ICredentialSourceLoader? loader))
                         {
                             try
                             {

src/Microsoft.Identity.Web.Certificate/InternalAPI.Unshipped.txt

@@ -0,0 +1,8 @@
+const Microsoft.Identity.Web.CertificateErrorMessage.CustomProviderNameNullOrEmpty = "IDW10111 The name of the custom signed assertion provider is null or empty." -> string!
+const Microsoft.Identity.Web.CertificateErrorMessage.CustomProviderNotFound = "IDW10112: The custom signed assertion provider with name '{0}' was not found." -> string!
+const Microsoft.Identity.Web.CertificateErrorMessage.CustomProviderSourceLoaderNullOrEmpty = "IDW10113 The dictionary of SourceLoaders for custom signed assertion providers is null or empty." -> string!
+Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException
+Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.CustomSignedAssertionProviderNotFoundException(string! message) -> void
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.ProviderNameNotFound(string! name) -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.ProviderNameNullOrEmpty() -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.SourceLoadersNullOrEmpty() -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!

src/Microsoft.Identity.Web.Certificate/PublicAPI.Unshipped.txt

@@ -1 +1,3 @@
 #nullable enable
+Microsoft.Identity.Web.DefaultCredentialsLoader.CustomSignedAssertionCredentialSourceLoaders.get -> System.Collections.Generic.IDictionary<string!, Microsoft.Identity.Abstractions.ICredentialSourceLoader!>?
+Microsoft.Identity.Web.DefaultCredentialsLoader.DefaultCredentialsLoader(Microsoft.Extensions.Logging.ILogger<Microsoft.Identity.Web.DefaultCredentialsLoader!>? logger, System.Collections.Generic.IEnumerable<Microsoft.Identity.Abstractions.ICustomSignedAssertionProvider!>! customSignedAssertionProviders) -> void

src/Microsoft.Identity.Web/PublicAPI/net6.0/InternalAPI.Unshipped.txt

@@ -0,0 +1,5 @@
+Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException
+Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.CustomSignedAssertionProviderNotFoundException(string! message) -> void
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.ProviderNameNullOrEmpty() -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.ProviderNameNotFound(string! name) -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.CustomProviderSourceLoaderNullOrEmpty() -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!

src/Microsoft.Identity.Web/PublicAPI/net7.0/InternalAPI.Unshipped.txt

@@ -0,0 +1,5 @@
+Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException
+Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.CustomSignedAssertionProviderNotFoundException(string! message) -> void
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.ProviderNameNullOrEmpty() -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.ProviderNameNotFound(string! name) -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.CustomProviderSourceLoaderNullOrEmpty() -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!

src/Microsoft.Identity.Web/PublicAPI/net8.0/InternalAPI.Unshipped.txt

@@ -0,0 +1,5 @@
+Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException
+Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.CustomSignedAssertionProviderNotFoundException(string! message) -> void
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.ProviderNameNullOrEmpty() -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.ProviderNameNotFound(string! name) -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.CustomProviderSourceLoaderNullOrEmpty() -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!

src/Microsoft.Identity.Web/PublicAPI/net9.0/InternalAPI.Unshipped.txt

@@ -0,0 +1,5 @@
+Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException
+Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.CustomSignedAssertionProviderNotFoundException(string! message) -> void
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.ProviderNameNullOrEmpty() -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.ProviderNameNotFound(string! name) -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!
+static Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException.CustomProviderSourceLoaderNullOrEmpty() -> Microsoft.Identity.Web.CustomSignedAssertionProviderNotFoundException!

tests/Directory.Build.props

@@ -34,6 +34,7 @@
     <MicrosoftApplicationInsightsEventCounterCollectionVersion>2.22.0</MicrosoftApplicationInsightsEventCounterCollectionVersion>
     <MicrosoftExtensionsCachingStackExchangeRedisVersion>6.0.12</MicrosoftExtensionsCachingStackExchangeRedisVersion>
     <MicrosoftPlaywrightVersion>1.48.0</MicrosoftPlaywrightVersion>
+    <MoqVersion>4.20.72</MoqVersion>
     <StackExchangeRedisVersion>2.2.4</StackExchangeRedisVersion>
     <!--CVE-2021-24112-->
     <SystemDrawingCommonVersion>5.0.3</SystemDrawingCommonVersion>

tests/Microsoft.Identity.Web.Test/CustomSignedAssertionProviderTests.cs

@@ -0,0 +1,178 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using System.Globalization;
+using System.Threading.Tasks;
+using Moq;
+using Microsoft.Extensions.Logging;
+using Microsoft.Identity.Abstractions;
+using Xunit;
+
+namespace Microsoft.Identity.Web.Test
+{
+    public class CustomSignedAssertionProviderTests
+    {
+        [Theory]
+        [MemberData(nameof(CustomSignedAssertionTestData))]
+        public async Task ProcessCustomSignedAssertionAsync_Tests(
+            List<ICustomSignedAssertionProvider> providerList,
+            CredentialDescription credentialDescription,
+            string? expectedMessage = null)
+        {
+            // Arrange
+            var loggedMessages = new List<string>();
+            var loggerMock = new Mock<ILogger<DefaultCredentialsLoader>>();
+            loggerMock.Setup(x => x.IsEnabled(It.IsAny<LogLevel>())).Returns(true);
+
+            var loader = new DefaultCredentialsLoader(loggerMock.Object, providerList);
+
+            // Act
+            try
+            {
+                await loader.LoadCredentialsIfNeededAsync(credentialDescription, null);
+
+            }
+            catch (Exception ex)
+            {
+                Assert.Equal(expectedMessage, ex.Message);
+
+                // Haven't figured out yet how to get the mock logger to see the log coming from DefaultCredentialsLoader.Logger where it is logged using LogMessage.Define()
+                /*                loggerMock.Verify(
+                                    x =>
+                                    x.Log(
+                                        LogLevel.Information,
+                                        It.IsAny<EventId>(),
+                                        It.Is<It.IsAnyType>((v, t) => v.ToString()!.Contains(expectedMessage!)),
+                                        It.IsAny<Exception?>(),
+                                        It.IsAny<Func<It.IsAnyType, Exception?, string>>()),
+                                    Times.Once);*/
+                return;
+            }
+
+            // Assert
+            if (expectedMessage != null)
+            {
+                loggerMock.Verify(
+                    x => x.Log(
+                        LogLevel.Error,
+                        It.IsAny<EventId>(),
+                        It.Is<It.IsAnyType>((v, t) => v.ToString()!.Contains(expectedMessage)),
+                        It.IsAny<Exception?>(),
+                        It.IsAny<Func<It.IsAnyType, Exception?, string>>()),
+                    Times.Once);
+            }
+            else
+            {
+                loggerMock.Verify(
+                    x => x.Log(
+                        It.IsAny<LogLevel>(),
+                        It.IsAny<EventId>(),
+                        It.IsAny<It.IsAnyType>(),
+                        It.IsAny<Exception>(),
+                        It.IsAny<Func<It.IsAnyType, Exception?, string>>()),
+                    Times.Never);
+            }
+        }
+
+        public static IEnumerable<object[]> CustomSignedAssertionTestData()
+        {
+            // No source loaders
+            yield return new object[]
+            {
+                    new List<ICustomSignedAssertionProvider>(),
+                    new CredentialDescription
+                    {
+                        CustomSignedAssertionProviderName = "Provider1",
+                        SourceType = CredentialSource.CustomSignedAssertion,
+                        Skip = false
+                    },
+                    CertificateErrorMessage.CustomProviderSourceLoaderNullOrEmpty
+            };
+
+            // No provider name given
+            yield return new object[]
+            {
+                    new List<ICustomSignedAssertionProvider> { new SuccessfulCustomSignedAssertionProvider("Provider2") },
+                    new CredentialDescription
+                    {
+                        CustomSignedAssertionProviderName = null,
+                        SourceType = CredentialSource.CustomSignedAssertion
+                    },
+                    CertificateErrorMessage.CustomProviderNameNullOrEmpty
+            };
+
+            // Given provider name not found
+            yield return new object[]
+            {
+                    new List<ICustomSignedAssertionProvider> { new SuccessfulCustomSignedAssertionProvider("NotProvider3") },
+                    new CredentialDescription
+                    {
+                        CustomSignedAssertionProviderName = "Provider3",
+                        SourceType = CredentialSource.CustomSignedAssertion
+                    },
+                    string.Format(CultureInfo.InvariantCulture, CertificateErrorMessage.CustomProviderNotFound, "Provider3")
+            };
+
+            // Happy path (no logging expected)
+            yield return new object[]
+            {
+                    new List<ICustomSignedAssertionProvider> { new SuccessfulCustomSignedAssertionProvider("Provider4") },
+                    new CredentialDescription
+                    {
+                        CustomSignedAssertionProviderName = "Provider4",
+                        SourceType = CredentialSource.CustomSignedAssertion
+                    }
+            };
+
+            // CustomSignedAssertionProvider (i.e. the user's extension) throws an exception
+            yield return new object[]
+            {
+                new List<ICustomSignedAssertionProvider> { new FailingCustomSignedAssertionProvider("Provider5") },
+                new CredentialDescription
+                {
+                    CustomSignedAssertionProviderName = "Provider5",
+                    SourceType = CredentialSource.CustomSignedAssertion
+                },
+                FailingCustomSignedAssertionProvider.ExceptionMessage
+            };
+        }
+    }
+
+    // Helper class
+    internal class SuccessfulCustomSignedAssertionProvider : ICustomSignedAssertionProvider
+    {
+        public string Name { get; }
+
+        public CredentialSource CredentialSource => CredentialSource.CustomSignedAssertion;
+
+        public SuccessfulCustomSignedAssertionProvider(string name)
+        {
+            Name = name;
+        }
+
+        public Task LoadIfNeededAsync(CredentialDescription credentialDescription, CredentialSourceLoaderParameters? parameters)
+        {
+            return Task.CompletedTask;
+        }
+    }
+
+    internal class FailingCustomSignedAssertionProvider : ICustomSignedAssertionProvider
+    {
+        public string Name { get; }
+        public const string ExceptionMessage = "This extension is broken :(";
+
+        public CredentialSource CredentialSource => CredentialSource.CustomSignedAssertion;
+
+        public FailingCustomSignedAssertionProvider(string name)
+        {
+            Name = name;
+        }
+
+        public Task LoadIfNeededAsync(CredentialDescription credentialDescription, CredentialSourceLoaderParameters? parameters)
+        {
+            throw new Exception("This extension is broken :(");
+        }
+    }
+}

tests/Microsoft.Identity.Web.Test/Microsoft.Identity.Web.Test.csproj

@@ -26,6 +26,7 @@
     <PackageReference Include="System.Text.Json" Version="$(SystemTextJsonVersion)" />
     <PackageReference Include="Microsoft.Identity.Abstractions" Version="$(MicrosoftIdentityAbstractionsVersion)" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNetTestSdkVersion)" />
+    <PackageReference Include="Moq" Version="$(MoqVersion)" />
     <PackageReference Include="Newtonsoft.Json" Version="$(NewtonsoftJsonVersion)" />
     <PackageReference Include="NSubstitute" Version="$(NSubstituteVersion)" />
     <PackageReference Include="NSubstitute.Analyzers.CSharp" Version="$(NSubstituteAnalyzersCSharpVersion)" />