[Feature Request] AAD client assertions should be computed using SHA 256 and an approved padding scheme #471

Open
bgavrilMS opened this issue Dec 14, 2023 · 0 comments
MSAL client type

Confidential

Problem Statement

When MSAL creates the client assertion, it uses PKCS1 padding for digital signature and SHA1 as x5t claim. These are old crypto algorithms and we need to move to newer versions. The STS is building support.

See ESTS work items:

https://identitydivision.visualstudio.com/Engineering/_workitems/edit/2655345
https://identitydivision.visualstudio.com/Engineering/_workitems/edit/2704466

Proposed solution

Use x5t#s256 and PSS padding when talking to ESTS, CIAM, B2C(?) but not with ADFS.

Original issue

AzureAD/microsoft-authentication-library-for-dotnet#4428

bgavrilMS added the enhancement and confidential-client labels Dec 14, 2023
bgavrilMS added the P1 label Jun 21, 2024
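
The two forms this issue contrasts, as an added Go example using only the standard library (not MSAL code and not from the issue): per RFC 7518, `RS256` is RSASSA-PKCS1-v1_5 and `PS256` is RSASSA-PSS, both over SHA-256, and per RFC 7515 `x5t` is the SHA-1 and `x5t#S256` the SHA-256 thumbprint of the DER certificate. The function names, the throwaway key, the placeholder certificate bytes and the claims are assumptions constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
var pss = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}

// clientAssertion signs claims as a compact JWS. legacy reproduces RS256 + x5t (SHA-1).
func clientAssertion(key *rsa.PrivateKey, certDER, claims []byte, legacy bool) (string, error) {
	s256 := sha256.Sum256(certDER)
	hdr := map[string]string{"alg": "PS256", "typ": "JWT", "x5t#S256": b64.EncodeToString(s256[:])}
	signFn := func(d []byte) ([]byte, error) { return rsa.SignPSS(rand.Reader, key, crypto.SHA256, d, pss) }
	if legacy { // what the issue describes today: PKCS#1 v1.5 padding, SHA-1 thumbprint
		s1 := sha1.Sum(certDER)
		hdr = map[string]string{"alg": "RS256", "typ": "JWT", "x5t": b64.EncodeToString(s1[:])}
		signFn = func(d []byte) ([]byte, error) { return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d) }
	}
	h, _ := json.Marshal(hdr)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(claims)
	d := sha256.Sum256([]byte(input))
	sig, err := signFn(d[:])
	return input + "." + b64.EncodeToString(sig), err
}

// verifyPSS is the receiving side: it accepts only an RSASSA-PSS/SHA-256 signature.
func verifyPSS(pub *rsa.PublicKey, jwt string) error {
	i := strings.LastIndex(jwt, ".")
	sig, err := b64.DecodeString(jwt[i+1:])
	if i < 0 || err != nil {
		return fmt.Errorf("malformed compact JWS")
	}
	d := sha256.Sum256([]byte(jwt[:i]))
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, pss)
}
func newKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func main() {
	key, _ := newKey() // throwaway key; the certificate bytes below are constructed, not real DER
	jwt, _ := clientAssertion(key, []byte("constructed-cert"), []byte(`{"iss":"placeholder"}`), false)
	fmt.Println(jwt, verifyPSS(&key.PublicKey, jwt))
}
```

With the same key, `verifyPSS` accepts the assertion built with `legacy` set to false and rejects the one built with it set to true, so both sides have to switch padding together.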