[Identity] Add Pop token support (#30961)

Fixes #23329

- Added SHR PoP token support to @azure/core-auth 
- Added SHR PoP token support to `InteractiveBrowserCredential` Native
Broker Scenarios via @azure/identity and @azure/identity-broker

Author: KarishmaGhiya

sdk/core/core-auth/CHANGELOG.md

@@ -1,14 +1,10 @@
 # Release History
 
-## 1.8.1 (Unreleased)
+## 1.9.0 (2024-10-15)
 
 ### Features Added
 
-### Breaking Changes
-
-### Bugs Fixed
-
-### Other Changes
+- Added Proof-of-Possession via Signed HTTP Request (SHR) support to `AccessToken` and `GetTokenOptions` for `TokenCredential`. #30961
 
 ## 1.8.0 (2024-09-12)
 

sdk/core/core-auth/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@azure/core-auth",
-  "version": "1.8.1",
+  "version": "1.9.0",
   "description": "Provides low-level interfaces and helper methods for authentication in Azure SDK",
   "sdk-type": "client",
   "type": "module",
@@ -75,7 +75,7 @@
   },
   "dependencies": {
     "@azure/abort-controller": "^2.0.0",
-    "@azure/core-util": "^1.1.0",
+    "@azure/core-util": "^1.11.0",
     "tslib": "^2.6.2"
   },
   "devDependencies": {

sdk/core/core-auth/review/core-auth.api.md

@@ -5,12 +5,14 @@
 ```ts
 
 import { AbortSignalLike } from '@azure/abort-controller';
+import { HttpMethods } from '@azure/core-util';
 
 // @public
 export interface AccessToken {
     expiresOnTimestamp: number;
     refreshAfterTimestamp?: number;
     token: string;
+    tokenType?: "Bearer" | "pop";
 }
 
 // @public
@@ -40,6 +42,11 @@ export interface GetTokenOptions {
     abortSignal?: AbortSignalLike;
     claims?: string;
     enableCae?: boolean;
+    proofOfPossessionOptions?: {
+        nonce: string;
+        resourceRequestMethod: HttpMethods;
+        resourceRequestUrl: string;
+    };
     requestOptions?: {
         timeout?: number;
     };
@@ -49,6 +56,8 @@ export interface GetTokenOptions {
     };
 }
 
+export { HttpMethods }
+
 // @public
 export function isKeyCredential(credential: unknown): credential is KeyCredential;
 

sdk/core/core-auth/src/index.ts

@@ -1,6 +1,6 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
-
+export { HttpMethods } from "@azure/core-util";
 export { AzureKeyCredential } from "./azureKeyCredential.js";
 export { KeyCredential, isKeyCredential } from "./keyCredential.js";
 export {

sdk/core/core-auth/src/tokenCredential.ts

@@ -3,6 +3,7 @@
 
 import { AbortSignalLike } from "@azure/abort-controller";
 import { TracingContext } from "./tracing.js";
+import { HttpMethods } from "@azure/core-util";
 
 /**
  * Represents a credential capable of providing an authentication token.
@@ -59,6 +60,28 @@ export interface GetTokenOptions {
    * Allows specifying a tenantId. Useful to handle challenges that provide tenant Id hints.
    */
   tenantId?: string;
+
+  /**
+   * Options for Proof of Possession token requests
+   */
+  proofOfPossessionOptions?: {
+    /**
+     * The nonce value required for PoP token requests.
+     * This is typically retrieved from the WWW-Authenticate header of a 401 challenge response.
+     * This is used in combination with {@link resourceRequestUrl} and {@link resourceRequestMethod} to generate the PoP token.
+     */
+    nonce: string;
+    /**
+     * The HTTP method of the request.
+     * This is used in combination with {@link resourceRequestUrl} and {@link nonce} to generate the PoP token.
+     */
+    resourceRequestMethod: HttpMethods;
+    /**
+     * The URL of the request.
+     * This is used in combination with {@link resourceRequestMethod} and {@link nonce} to generate the PoP token.
+     */
+    resourceRequestUrl: string;
+  };
 }
 
 /**
@@ -79,6 +102,27 @@ export interface AccessToken {
    * The timestamp when the access token should be refreshed, in milliseconds, UNIX epoch time.
    */
   refreshAfterTimestamp?: number;
+
+  /** Type of token - `Bearer` or `pop` */
+  tokenType?: "Bearer" | "pop";
+}
+
+/**
+ * @internal
+ * @param accessToken - Access token
+ * @returns Whether a token is bearer type or not
+ */
+export function isBearerToken(accessToken: AccessToken): boolean {
+  return !accessToken.tokenType || accessToken.tokenType === "Bearer";
+}
+
+/**
+ * @internal
+ * @param accessToken - Access token
+ * @returns Whether a token is Pop token or not
+ */
+export function isPopToken(accessToken: AccessToken): boolean {
+  return accessToken.tokenType === "pop";
 }
 
 /**

sdk/core/core-client/src/authorizeRequestOnClaimChallenge.ts

@@ -94,6 +94,9 @@ export async function authorizeRequestOnClaimChallenge(
     return false;
   }
 
-  onChallengeOptions.request.headers.set("Authorization", `Bearer ${accessToken.token}`);
+  onChallengeOptions.request.headers.set(
+    "Authorization",
+    `${accessToken.tokenType ?? "Bearer"} ${accessToken.token}`,
+  );
   return true;
 }

sdk/core/core-client/src/authorizeRequestOnTenantChallenge.ts

@@ -59,7 +59,7 @@ export const authorizeRequestOnTenantChallenge: (
 
     challengeOptions.request.headers.set(
       Constants.HeaderConstants.AUTHORIZATION,
-      `Bearer ${accessToken.token}`,
+      `${accessToken.tokenType ?? "Bearer"} ${accessToken.token}`,
     );
     return true;
   }

sdk/core/core-rest-pipeline/package.json

@@ -94,7 +94,7 @@
     "@azure/abort-controller": "^2.0.0",
     "@azure/core-auth": "^1.8.0",
     "@azure/core-tracing": "^1.0.1",
-    "@azure/core-util": "^1.10.0",
+    "@azure/core-util": "^1.11.0",
     "@azure/logger": "^1.0.0",
     "http-proxy-agent": "^7.0.0",
     "https-proxy-agent": "^7.0.0",

sdk/core/core-rest-pipeline/review/core-rest-pipeline.api.md

@@ -9,6 +9,7 @@ import type { AccessToken } from '@azure/core-auth';
 import { AzureLogger } from '@azure/logger';
 import type { Debugger } from '@azure/logger';
 import type { GetTokenOptions } from '@azure/core-auth';
+import { HttpMethods } from '@azure/core-util';
 import type { OperationTracingOptions } from '@azure/core-tracing';
 import type { TokenCredential } from '@azure/core-auth';
 
@@ -177,8 +178,7 @@ export interface HttpHeaders extends Iterable<[string, string]> {
     }): RawHttpHeaders;
 }
 
-// @public
-export type HttpMethods = "GET" | "PUT" | "POST" | "DELETE" | "PATCH" | "HEAD" | "OPTIONS" | "TRACE";
+export { HttpMethods }
 
 // @public
 export interface InternalPipelineOptions extends PipelineOptions {

sdk/core/core-rest-pipeline/src/index.ts

@@ -9,16 +9,16 @@ declare global {
   interface ReadableStream<R = any> {}
   interface TransformStream<I = any, O = any> {}
 }
-/* eslint-enable @typescript-eslint/no-unused-vars */
 
+/* eslint-enable @typescript-eslint/no-unused-vars */
+export type { HttpMethods } from "@azure/core-util";
 export type {
   Agent,
   BodyPart,
   FormDataMap,
   FormDataValue,
   HttpClient,
   HttpHeaders,
-  HttpMethods,
   KeyObject,
   MultipartRequestBody,
   PipelineRequest,

sdk/core/core-rest-pipeline/src/interfaces.ts

@@ -3,6 +3,7 @@
 
 import type { AbortSignalLike } from "@azure/abort-controller";
 import type { OperationTracingOptions } from "@azure/core-tracing";
+import type { HttpMethods } from "@azure/core-util";
 
 /**
  * A HttpHeaders collection represented as a simple JSON object.
@@ -314,19 +315,6 @@ export type TransferProgressEvent = {
   loadedBytes: number;
 };
 
-/**
- * Supported HTTP methods to use when making requests.
- */
-export type HttpMethods =
-  | "GET"
-  | "PUT"
-  | "POST"
-  | "DELETE"
-  | "PATCH"
-  | "HEAD"
-  | "OPTIONS"
-  | "TRACE";
-
 /**
  * Options to configure a proxy for outgoing requests (Node.js only).
  */

sdk/core/core-rest-pipeline/src/pipelineRequest.ts

@@ -4,7 +4,6 @@
 import type {
   FormDataMap,
   HttpHeaders,
-  HttpMethods,
   MultipartRequestBody,
   PipelineRequest,
   ProxySettings,
@@ -15,6 +14,7 @@ import { createHttpHeaders } from "./httpHeaders.js";
 import type { AbortSignalLike } from "@azure/abort-controller";
 import { randomUUID } from "@azure/core-util";
 import type { OperationTracingOptions } from "@azure/core-tracing";
+import type { HttpMethods } from "@azure/core-util";
 
 /**
  * Settings to initialize a request.

sdk/core/core-util/CHANGELOG.md

@@ -1,14 +1,10 @@
 # Release History
 
-## 1.10.1 (Unreleased)
+## 1.11.0 (2024-10-15)
 
 ### Features Added
 
-### Breaking Changes
-
-### Bugs Fixed
-
-### Other Changes
+- Added support for `HttpMethods` type
 
 ## 1.10.0 (2024-09-12)
 

sdk/core/core-util/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@azure/core-util",
-  "version": "1.10.1",
+  "version": "1.11.0",
   "description": "Core library for shared utility methods",
   "sdk-type": "client",
   "type": "module",

sdk/core/core-util/review/core-util.api.md

@@ -60,6 +60,9 @@ export function getErrorMessage(e: unknown): string;
 // @public
 export function getRandomIntegerInclusive(min: number, max: number): number;
 
+// @public
+export type HttpMethods = "GET" | "PUT" | "POST" | "DELETE" | "PATCH" | "HEAD" | "OPTIONS" | "TRACE";
+
 // @public
 export const isBrowser: boolean;
 

sdk/core/core-util/src/httpMethods.ts

@@ -0,0 +1,16 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+/**
+ * @public
+ * Supported HTTP methods to use when making requests.
+ */
+export type HttpMethods =
+  | "GET"
+  | "PUT"
+  | "POST"
+  | "DELETE"
+  | "PATCH"
+  | "HEAD"
+  | "OPTIONS"
+  | "TRACE";

sdk/core/core-util/src/index.ts

@@ -17,6 +17,7 @@ export { isError, getErrorMessage } from "./error.js";
 export { computeSha256Hash, computeSha256Hmac } from "./sha256.js";
 export { isDefined, isObjectWithProperties, objectHasProperty } from "./typeGuards.js";
 export { randomUUID } from "./uuidUtils.js";
+export { HttpMethods } from "./httpMethods.js";
 export {
   isBrowser,
   isBun,

sdk/identity/identity-broker/CHANGELOG.md

@@ -1,14 +1,10 @@
 # Release History
 
-## 1.0.2 (Unreleased)
+## 1.1.0 (2024-10-15)
 
 ### Features Added
 
-### Breaking Changes
-
-### Bugs Fixed
-
-### Other Changes
+- Added Proof-of-Possession via Signed HTTP Request (SHR) support to `AccessToken` and `GetTokenOptions` for `InteractiveBrowserCredential` native broker scenarios. #30961
 
 ## 1.0.1 (2024-06-10)
 

sdk/identity/identity-broker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@azure/identity-broker",
-  "version": "1.0.2",
+  "version": "1.1.0",
   "sdk-type": "client",
   "description": "A native plugin for Azure Identity credentials to enable broker authentication such as WAM",
   "main": "dist/index.js",
@@ -28,7 +28,8 @@
     "unit-test": "npm run unit-test:node && npm run unit-test:browser",
     "unit-test:browser": "echo skipped",
     "unit-test:node": "dev-tool run test:node-ts-input -- --timeout 300000 --exclude 'test/**/browser/**/*.spec.ts' --exclude 'test/snippets.spec.ts' 'test/**/**/*.spec.ts'",
-    "update-snippets": "dev-tool run update-snippets"
+    "update-snippets": "dev-tool run update-snippets",
+    "unit-test:manual": "dev-tool run test:node-ts-input -- --timeout 300000 'test/manual/node/popTokenSupport.spec.ts'"
   },
   "files": [
     "dist/",
@@ -58,17 +59,18 @@
   "homepage": "https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/identity/identity-broker/README.md",
   "sideEffects": false,
   "dependencies": {
-    "@azure/core-auth": "^1.4.0",
-    "@azure/identity": "^4.0.1",
-    "@azure/msal-node": "^2.9.2",
-    "@azure/msal-node-extensions": "^1.0.7",
+    "@azure/core-auth": "^1.9.0",
+    "@azure/identity": "^4.5.0",
+    "@azure/msal-node-extensions": "^1.3.0",
+    "@azure/msal-node": "^2.15.0",
     "tslib": "^2.2.0"
   },
   "devDependencies": {
     "@azure-tools/test-recorder": "^3.0.0",
     "@azure-tools/test-utils": "^1.0.1",
     "@azure/abort-controller": "^1.1.0",
     "@azure/core-client": "^1.7.0",
+    "@azure/core-rest-pipeline": "^1.17.0",
     "@azure/core-util": "^1.6.0",
     "@azure/dev-tool": "^1.0.0",
     "@azure/eslint-plugin-azure-sdk": "^3.0.0",