Azure/go-autorest

Enable SN+I (Subject name/Issuer) authorization through certificates

priyanka19-98 opened this issue · 3 comments

To enable the (SN+I) based approach, we need to set `"SendX5c": "true"` if we want to generate the token through a certificate. But it looks like currently there is no way to do that, or am I missing something?

Basically I am looking for something like this: https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientCertificateCredentialOptions

Looks like we implicitly set the x5c header when signing the JWT.

https://github.com/Azure/go-autorest/blob/main/autorest/adal/token.go#L262

This isn't my area of expertise though. @chlowell is there anything additional that needs to happen?

In some cases, yes. I believe the current implementation will work when there are no intermediate certs between the signing cert and the trusted cert, which I imagine is the most common case. However, the client must include intermediate certs in the x5c header, so I expect the current implementation to fail when they exist. So to fully support SNI auth, adal would need to handle cert chains (this is why azidentity.NewClientCertificateCredential takes a slice of certs). Also, it isn't a functional problem, but unconditionally sending the x5c header pointlessly bloats requests because the header is used only in SNI auth, which to my knowledge is a first-party-only feature; it should be opt-in, though I suppose making it so would be a breaking change now.
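The chain handling described in the comment above, as an added example that is not code from go-autorest or azidentity: it builds the client assertion JWT with the leaf's x5t thumbprint and, only when the caller opts in, the full leaf-first chain in the x5c header. The function name, parameter names and the 10-minute lifetime are assumptions; the header and claim names follow RFC 7515 and the client-credentials assertion format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"time"
)

// Assertion builds the client_assertion JWT used for certificate credentials.
// chain is ordered leaf first, then any intermediates; key belongs to the leaf.
// sendX5c=false sends only the x5t thumbprint; sendX5c=true also puts the whole
// chain in x5c, which SN+I validation needs to walk the intermediates to the issuer.
func Assertion(chain []*x509.Certificate, key *rsa.PrivateKey, clientID, aud string, sendX5c bool) (string, error) {
	if len(chain) == 0 {
		return "", errors.New("certificate chain is empty")
	}
	thumb := sha1.Sum(chain[0].Raw) // x5t is the SHA-1 thumbprint of the leaf's DER
	header := map[string]interface{}{"alg": "RS256", "typ": "JWT",
		"x5t": base64.RawURLEncoding.EncodeToString(thumb[:])}
	if sendX5c {
		x5c := make([]string, len(chain))
		for i, c := range chain {
			x5c[i] = base64.StdEncoding.EncodeToString(c.Raw) // RFC 7515 x5c: standard base64 of DER
		}
		header["x5c"] = x5c
	}
	jti := make([]byte, 16) // unique token id; the token service requires jti on assertions
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	now := time.Now()
	claims := map[string]interface{}{"aud": aud, "iss": clientID, "sub": clientID,
		"jti": base64.RawURLEncoding.EncodeToString(jti), "nbf": now.Unix(), "exp": now.Add(10 * time.Minute).Unix()}
	h, _ := json.Marshal(header) // maps of strings, ints and []string cannot fail to marshal
	c, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(h) + "." + base64.RawURLEncoding.EncodeToString(c)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}
```

With sendX5c left false the header carries only x5t, which is the opt-in behaviour the comment asks for; the x5c array is only as long as the chain you pass in, so a leaf-only chain reproduces what adal sends today.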

For full SNI support please use azidentity. This module is in maintenance mode so we aren't adding any new features.