From 6ef91da7f2121ff87cdecfde149310ff524e8d34 Mon Sep 17 00:00:00 2001
From: Jean-Marc Prieur
Date: Tue, 2 May 2023 19:49:48 -0700
Subject: [PATCH] Process composite OBO tokens (#2221)

* Investigation (to understand requirements)
* Updating comments
* Remove assertion and sub_assertion from extra query parameters.
---
 .../TokenAcquisition.cs | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs b/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs
index c812b6482..c83308ea5 100644
--- a/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs
+++ b/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs
@@ -715,9 +715,28 @@ private IConfidentialClientApplication BuildConfidentialClientApplication(Merged
 if (tokenAcquisitionOptions != null)
 {
 var dict = MergeExtraQueryParameters(mergedOptions, tokenAcquisitionOptions);
-
 if (dict != null)
 {
+ const string assertionConstant = "assertion";
+ const string subAssertionConstant = "sub_assertion";
+
+ // Special case when the OBO inbound token is composite (for instance PFT)
+ if (dict.ContainsKey(assertionConstant) && dict.ContainsKey(subAssertionConstant))
+ {
+ builder.OnBeforeTokenRequest((data) =>
+ {
+ // Replace the assertion and adds sub_assertion with the values from the extra query parameters
+ data.BodyParameters[assertionConstant] = dict[assertionConstant];
+ data.BodyParameters.Add(subAssertionConstant, dict[subAssertionConstant]);
+ return Task.CompletedTask;
+ });
+
+ // Remove the assertion and sub_assertion from the extra query parameters
+ // as they are already handled as body parameters.
+ dict.Remove(assertionConstant);
+ dict.Remove(subAssertionConstant);
+ }
+
 builder.WithExtraQueryParameters(dict);
 }
 if (tokenAcquisitionOptions.ExtraHeadersParameters != null)
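Review bot: The delegate passed to `OnBeforeTokenRequest` reads `dict[assertionConstant]` and `dict[subAssertionConstant]` only when the token request is sent, but both keys are removed from `dict` a few lines further down, before that can happen, so the lookups are likely to throw `KeyNotFoundException` instead of sending the composite assertion. Copy the two values into locals before registering the delegate and capture those, as sketched below. `BodyParameters.Add` would also throw if `sub_assertion` is already present, so the indexer form used for `assertion` is the safer choice for both. Because these values replace the assertion in the request body, a comment stating that they must be derived from the already validated inbound token would help; if `MergeExtraQueryParameters` returns a shared dictionary (not visible here), the `Remove` calls also mutate the caller's options. The enclosing method starts and ends outside the hunk.

```csharp
// Read the values before the keys are removed below; the delegate runs later, at request time.
string assertion = dict[assertionConstant];
string subAssertion = dict[subAssertionConstant];

builder.OnBeforeTokenRequest((data) =>
{
    data.BodyParameters[assertionConstant] = assertion;
    data.BodyParameters[subAssertionConstant] = subAssertion;
    // … unchanged: return Task.CompletedTask; then the two dict.Remove calls …
```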