Conditional Access Evaluation is not enabled by default and it cannot be enabled #321

Closed
bgavrilMS opened this issue Aug 8, 2024 · 1 comment · Fixed by #322
Labels
enhancement New feature or request type:security Security, or privacy issue WIP

bgavrilMS commented Aug 8, 2024

Continuous Access Evaluation (CAE) has 2 parts:

  1. Declare the client capable of receiving 401 + WWWAuthenticate requests
  2. In case a 401 occurs, extract the claims from the WWWAuthenticate header and re-acquire a token with claims

It seems that part 2 is implemented (see here) but part 1 is not. Clients need to declare themselves CAE capable. In Azure SDK this is done via a boolean property IsCaeEnabled.

The recommendation is to enable this by default or to allow the app developer to opt in. Since part 2 is implemented, I recommend enabling it by default.

The impact of enabling this is that the access tokens will automatically become longer lived, around 24h. ID tokens are not affected (also I don't see ID tokens used by this SDK).
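
An added example, not part of the issue and not Kiota's or the Azure SDK's code: a sketch of part 2 of the flow described above, pulling the claims out of a 401 challenge so they can be passed to the next token request. The function names and the sample header are constructed for illustration; the `insufficient_claims` error value and the base64-encoded `claims` parameter follow Microsoft's documented claims challenge format.

```python
import base64
import binascii
import json
import re

_BEARER = re.compile(r'\bBearer\s+(.*)', re.IGNORECASE | re.DOTALL)
_PARAM = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def extract_cae_claims(www_authenticate):
    """Return the decoded claims JSON from a CAE challenge, or None if absent/invalid."""
    match = _BEARER.search(www_authenticate or "")
    if not match:
        return None
    params = {k.lower(): v for k, v in _PARAM.findall(match.group(1))}
    # Only an insufficient_claims challenge asks the client to re-acquire a token.
    if params.get("error") != "insufficient_claims" or not params.get("claims"):
        return None
    raw = params["claims"].replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)  # tolerate stripped base64 padding
    try:
        decoded = base64.b64decode(raw, validate=True).decode("utf-8")
        if not isinstance(json.loads(decoded), dict):
            return None  # a claims request must be a JSON object
    except (binascii.Error, ValueError):
        return None  # malformed base64, bad UTF-8 or bad JSON
    return decoded


def claims_for_retry(status_code, headers, already_retried):
    """Decide whether a response warrants one retry with a claims-bearing token."""
    if status_code != 401 or already_retried:
        return None  # never loop on repeated challenges
    for name, value in headers.items():
        if name.lower() == "www-authenticate":
            return extract_cae_claims(value)
    return None


# Constructed sample challenge (hypothetical values, not captured traffic).
SAMPLE_CLAIMS = '{"access_token":{"nbf":{"essential":true,"value":"1604106651"}}}'
SAMPLE_HEADER = (
    'Bearer authorization_uri="https://login.example/authorize", '
    'error="insufficient_claims", '
    'claims="' + base64.b64encode(SAMPLE_CLAIMS.encode()).decode() + '"'
)

if __name__ == "__main__":
    print(claims_for_retry(401, {"WWW-Authenticate": SAMPLE_HEADER}, False))
```

The returned string is what a client would hand to its credential as the claims for the re-acquired token; anything that is not a well-formed `insufficient_claims` challenge yields `None` so the original 401 is surfaced instead of retried.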

@github-project-automation github-project-automation bot moved this to Needs Triage 🔍 in Kiota Aug 8, 2024
@baywet baywet self-assigned this Aug 8, 2024
@baywet baywet added enhancement New feature or request type:security Security, or privacy issue labels Aug 8, 2024
@baywet baywet moved this from Needs Triage 🔍 to In Review 💭 in Kiota Aug 8, 2024
baywet commented Aug 8, 2024

Hi @bgavrilMS
Thank you for using kiota and for reaching out.
I have authored #322 to address this issue.
The history here is that CAE used to be enabled by default in Azure Identity as far as I can remember, and this was changed recently.
