3.1.5.1.2.3 Processing Details

Request processing:

The client uses the Nonce abstract data model (ADM) element value (section 3.1.1) that it received from the server in a previous nonce request (section 3.1.5.1.1) to populate the request_nonce field of the request. If using user JSON Web Token (JWT) authentication, as described in section 3.2.5.1.2.1.2, the same Nonce value should also be populated into the request_nonce field of the assertion JWT before the assertion is signed, so that the server can bind both tokens to the same nonce.

Note: This feature is supported by the operating systems specified in [MSFT-CVE-2023-35348], each with its related KB article download installed.

The client signs the request JWT described in section 3.1.5.1.2.1 using the private key of the Device Certificate ADM element (section 3.1.1).

If using user JWT authentication as described in section 3.2.5.1.2.1.2, the client signs the assertion JWT using the private key of the User Authentication Key ADM element (section 3.1.1), and sets the kid field of the assertion JWT to the SHA-256 hash (see [FIPS180-2] section 6.2.2) of the public key of the User Authentication Key ADM element (section 3.1.1).

Response processing:

The client stores the refresh_token field of the response in the Primary Refresh Token ADM element (section 3.1.1).

The client decrypts the session_key_jwe field of the response by following the process described in [RFC7516] section 5.2, using the Session Transport Key ADM element (section 3.1.1) as the decryption key. The client stores the decrypted key in the Session Key ADM element (section 3.1.1).
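The following is an added worked example, not part of this specification or of any client implementation, that carries both the request processing and the response processing above through in Go: the assertion JWT signed with the User Authentication Key with kid set to the SHA-256 of its public key, the request JWT signed with the Device Certificate's private key, and the client's [RFC7516] section 5.2 decryption of session_key_jwe with the Session Transport Key. A server-side WrapSessionKey is included only so that the example runs offline. Everything this page does not state is an assumption of the example: RS256 as the JWT signature algorithm, RSA-OAEP with A256GCM as the JWE algorithms, DER SubjectPublicKeyInfo as the hashed form of the public key and base64url as the encoding of the kid, the session key carried as the JWE payload (the decryption also returns the unwrapped content encryption key, for deployments that take the key from there instead), and all keys, the nonce and the session key are generated or constructed for the example. Fields of the request JWT other than request_nonce are not reproduced here.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // every JOSE segment is unpadded base64url

// SignJWT produces a compact JWS: BASE64URL(header).BASE64URL(claims).BASE64URL(RS256 signature).
func SignJWT(header, claims map[string]interface{}, key *rsa.PrivateKey) (string, error) {
	h, _ := json.Marshal(header)
	c, _ := json.Marshal(claims)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// KeyID is the assertion's kid: SHA-256 over the User Authentication Key's public key. ASSUMPTION: DER SubjectPublicKeyInfo as the hashed form and base64url as the kid encoding; the page names neither.
func KeyID(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	sum := sha256.Sum256(der)
	return b64.EncodeToString(sum[:])
}

// BuildUserAssertion signs the assertion JWT with the User Authentication Key and repeats the nonce.
func BuildUserAssertion(nonce string, userKey *rsa.PrivateKey) (string, error) {
	hdr := map[string]interface{}{"alg": "RS256", "typ": "JWT", "kid": KeyID(&userKey.PublicKey)}
	return SignJWT(hdr, map[string]interface{}{"request_nonce": nonce}, userKey)
}

// WrapSessionKey stands in for the server (constructed for this example): a compact JWE, alg RSA-OAEP (SHA-1, RFC 7518 4.3) and enc A256GCM, whose payload is the session key.
func WrapSessionKey(sessionKey []byte, stkPub *rsa.PublicKey) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RSA-OAEP", "enc": "A256GCM"})
	hdrB64 := b64.EncodeToString(hdr)
	cek, iv := make([]byte, 32), make([]byte, 12)
	rand.Read(cek)
	rand.Read(iv)
	encCEK, _ := rsa.EncryptOAEP(sha1.New(), rand.Reader, stkPub, cek, nil) // a 32-byte CEK always fits a 2048-bit key
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block)
	out := gcm.Seal(nil, iv, sessionKey, []byte(hdrB64)) // AAD is ASCII(BASE64URL(protected header))
	n := len(out) - gcm.Overhead()                       // Go appends the 16-byte tag; JWE carries it as its own segment
	return strings.Join([]string{hdrB64, b64.EncodeToString(encCEK), b64.EncodeToString(iv),
		b64.EncodeToString(out[:n]), b64.EncodeToString(out[n:])}, ".")
}

// UnwrapSessionKey is the client side of RFC 7516 section 5.2: split the five segments, check the protected
// header, unwrap the CEK with the Session Transport Key, then AES-GCM decrypt with that header as the AAD.
func UnwrapSessionKey(jwe string, stk *rsa.PrivateKey) (cek, payload []byte, err error) {
	p := strings.Split(jwe, ".")
	if len(p) != 5 {
		return nil, nil, fmt.Errorf("compact JWE must have five segments, got %d", len(p))
	}
	dec := func(s string) []byte { b, _ := b64.DecodeString(s); return b } // damaged base64 fails the tag check below
	var h struct{ Alg, Enc string }
	if json.Unmarshal(dec(p[0]), &h) != nil || h.Alg != "RSA-OAEP" || h.Enc != "A256GCM" {
		return nil, nil, fmt.Errorf("unexpected JWE header %q: the recipient, not the sender, fixes alg and enc", p[0])
	}
	if cek, err = rsa.DecryptOAEP(sha1.New(), rand.Reader, stk, dec(p[1]), nil); err != nil || len(cek) != 32 {
		return nil, nil, fmt.Errorf("CEK unwrap with the Session Transport Key failed")
	}
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block)
	iv := dec(p[2])
	if len(iv) != gcm.NonceSize() {
		return nil, nil, fmt.Errorf("IV must be %d bytes", gcm.NonceSize()) // gcm.Open panics on any other length
	}
	if payload, err = gcm.Open(nil, iv, append(dec(p[3]), dec(p[4])...), []byte(p[0])); err != nil {
		return nil, nil, fmt.Errorf("tag check failed, JWE discarded: %w", err) // RFC 7516 5.2 step 16
	}
	return cek, payload, nil
}

func main() {
	deviceKey, _ := rsa.GenerateKey(rand.Reader, 2048) // Device Certificate key (constructed)
	userKey, _ := rsa.GenerateKey(rand.Reader, 2048)   // User Authentication Key (constructed)
	stk, _ := rsa.GenerateKey(rand.Reader, 2048)       // Session Transport Key (constructed)
	nonce := "constructed-nonce-from-3.1.5.1.1"
	req, _ := SignJWT(map[string]interface{}{"alg": "RS256", "typ": "JWT"}, map[string]interface{}{"request_nonce": nonce}, deviceKey) // request JWT, Device Certificate key
	asrt, _ := BuildUserAssertion(nonce, userKey)
	sessionKey := []byte("constructed-32-byte-session-key!")
	_, got, err := UnwrapSessionKey(WrapSessionKey(sessionKey, &stk.PublicKey), stk)
	fmt.Println("request JWT:", req, "\nassertion JWT:", asrt, "\nsession key recovered:", err == nil && string(got) == string(sessionKey))
}
```

Two checks in UnwrapSessionKey are the ones worth copying: the client rejects any JWE whose protected header does not carry the alg and enc it expects instead of letting the sender choose them, and a failed GCM tag check discards the JWE, so neither a tampered ciphertext nor a response encrypted to some other key ever becomes a Session Key. The IV length check is there because Go's GCM panics rather than errors on a wrong-sized nonce, which would let a malformed response crash the client.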