[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients

This topic lists Errata found in [MS-OAPXBC] since it was last published. Since this topic is updated frequently, we recommend that you subscribe to this RSS feed to receive update notifications.

Errata are subject to the same terms as the Open Specifications documentation referenced.


To view a PDF file of the errata for the previous versions of this document, see the following ERRATA Archives:

July 18, 2016 - Download

September 26, 2016 - Download

June 1, 2017 - Download

September 15, 2017 - Download

September 12, 2018 - Download

October 6, 2021 - Download

Errata Published*

Description

2023/08/11

See the diff doc for details of the changes.

Section 3.2.5.2.1.1.1 x-ms-RefreshTokenCredential HTTP header format

Added JWT field values x_client_platform, win_ver, and windows_api_version to inform the AAD/server.

Changed from:

The x-ms-RefreshTokenCredential HTTP header is a signed JWT, as defined in section 2.2.1.1.

The JWT fields MUST be given the following values:

iat (OPTIONAL): See [OIDCCore] section 2.

refresh_token (REQUIRED): A primary refresh token that was previously received from the server. See section 3.1.5.1.2.

request_nonce (REQUIRED): A nonce previously obtained from the server by making the request described in section 3.1.5.1.1.

Changed to:

The x-ms-RefreshTokenCredential HTTP header is a signed JWT, as defined in section 2.2.1.1.

The JWT fields MUST be given the following values:

iat (OPTIONAL): See [OIDCCore] section 2.

refresh_token (REQUIRED): A primary refresh token that was previously received from the server. See section 3.1.5.1.2.

request_nonce (REQUIRED): A nonce previously obtained from the server by making the request. See section 3.1.5.1.1.

x_client_platform (OPTIONAL): The value is used to inform the AAD/server of the platform on which this header is created.<7>

win_ver (OPTIONAL): This claim has the operating system version information.<8>

windows_api_version (OPTIONAL): The version value is "2.0.1". This information is used to indicate to the server that the client has the ability to handle nonce challenges.

<7> Section 3.2.5.2.1.1.1: The default value is "windows" for the Windows platform.

<8> Section 3.2.5.2.1.1.1: The win_ver value is the Windows version information.

Section 3.2.5.2.1.1.2 x-ms-DeviceCredential HTTP header format

Added JWT field values x_client_platform, win_ver, and windows_api_version to inform the AAD/server.

Changed from:

The x-ms-DeviceCredential HTTP header, as defined in section 2.2.1.2, is a signed JWT.

The JWT fields MUST be given the following values:<9>

grant_type (OPTIONAL): Set to "device_auth" if present.

iss (OPTIONAL): Set to "aad:brokerplugin" if present.

request_nonce (REQUIRED): A nonce previously obtained from the server by making the request. See section 3.1.5.1.1.

<9> Section 3.2.5.2.1.1.2: The Windows implementation of the client role supplies the values specified for grant_type and iss, but the Windows implementation of the server role ignores them.

Changed to:

The x-ms-DeviceCredential HTTP header, as defined in section 2.2.1.2, is a signed JWT.

The JWT fields MUST be given the following values:<9>

grant_type (OPTIONAL): Set to "device_auth" if present.

iss (OPTIONAL): Set to "aad:brokerplugin" if present.

request_nonce (REQUIRED): A nonce previously obtained from the server by making the request. See section 3.1.5.1.1.

x_client_platform (OPTIONAL): The value is used to inform the AAD/server of the platform on which this header is created.<10>

win_ver (OPTIONAL): This claim has the operating system version information.<11>

windows_api_version (OPTIONAL): The version value is "2.0.1". This information is used to indicate to the server that the client has the ability to handle nonce challenges.

<9> Section 3.2.5.2.1.1.2: The Windows implementation of the client role supplies the values specified for grant_type and iss, but the Windows implementation of the server role ignores them.

<10> Section 3.2.5.2.1.1.2: The default value is "windows" for the Windows platform.

<11> Section 3.2.5.2.1.1.2: The win_ver value is the Windows version information.

2023/07/11

See the diff doc for details of the changes.

Section 3.1.5.1.2.3 Processing Details

Description: Clarified how the client uses a previously received Nonce from the server: if user JWT authentication (section 3.2.5.1.2.1.2) is in use, the same Nonce is populated as a request_nonce field in the JWT assertion before signing.

Added note identifying the operating systems that support this feature, as specified in [MSFT-CVE-2023-35348].

Changed from:

The client uses the Nonce abstract data model (ADM) element value (section 3.1.1) that it received from the server in a previous nonce request (section 3.1.5.1.1) to populate the request_nonce field of the request.

Changed to:

The client uses the Nonce abstract data model (ADM) element value (section 3.1.1) that it received from the server in a previous nonce request (section 3.1.5.1.1) to populate the request_nonce field of the request. If using user JSON Web Token (JWT) authentication, as described in section 3.2.5.1.2.1.2, the same Nonce should be populated as a request_nonce field in the JWT assertion before signing it.

Note: This feature is supported by the operating systems specified in [MSFT-CVE-2023-35348], each with its related KB article download installed.

Section 3.2.5.1.2.1.2 User JWT Authentication

Description: Added 'request_nonce' as a required field in the 'assertion' field (the signed JWT used to authenticate the user), as required by the client.

Added note identifying the operating systems that support this feature, as specified in [MSFT-CVE-2023-35348].

Changed from:

aud (REQUIRED): The Issuer Identifier ([OIDCCore] section 1.2) of the server that the client is sending the request to.

The signature header fields of the assertion field MUST be given the following values:

Changed to:

aud (REQUIRED): The Issuer Identifier ([OIDCCore] section 1.2) of the server that the client is sending the request to.

request_nonce (REQUIRED): This is the same value as request_nonce as contained in the request body (section 3.2.5.1.2.1).

Note: The request_nonce value is supported in the assertion field by the operating systems specified in [MSFT-CVE-2023-35348], each with its related KB article download installed.

The signature header fields of the assertion field MUST be given the following values:

Section 3.2.5.1.2.3 Processing Details

Description: Clarified the user JWT authentication processing steps taken by the server when the kid of the authenticated device does not match the kid of the assertion JWT. The server then verifies that the request_nonce field in the assertion matches the request_nonce in the request body, and returns an "invalid_grant" error on mismatch.

Added note identifying the operating systems that support this feature, as specified in [MSFT-CVE-2023-35348].

Changed from:

2.  It finds the public key for the signature by finding the value of the msDS-KeyCredentialLink attribute on the user object for which the SHA-256 hash ([FIPS180-2] section 6.2.2) of the attribute value matches the kid field of the assertion JWT.

Changed to:

2.  It finds the public key for the signature by finding the value of the msDS-KeyCredentialLink attribute on the user object for which the SHA-256 hash ([FIPS180-2] section 6.2.2) of the attribute value matches the kid field of the assertion JWT.

If the kid of the authenticated device does not match the kid of the assertion JWT, the server SHOULD verify that the assertion contains the request_nonce field and that it also matches the request_nonce present in the request body (section 3.2.5.1.2.1). Otherwise, the server MUST return the "invalid_grant" error using the format described in [RFC6749] section 5.

Note: This behavior is supported by the operating systems specified in [MSFT-CVE-2023-35348], each with its related KB article download installed.
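The following Python is an added example, not code from this errata page, from [MS-OAPXBC], or from Microsoft. It covers two of the entries above: the client-side x-ms-RefreshTokenCredential and x-ms-DeviceCredential header JWTs with the x_client_platform, win_ver and windows_api_version claims added on 2023/08/11, and the server-side request_nonce check for section 3.2.5.1.2.3 added on 2023/07/11. It assumes HMAC-SHA256 with a constructed shared key as a stand-in for the real device and user key signatures (the protocol uses asymmetric keys whose kid is derived from the msDS-KeyCredentialLink value), and every kid string, nonce value, audience URL and helper name (sign_jwt, verify_jwt, check_user_assertion, demo) is constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key: stands in for the device/user signing key. The real
# protocol uses asymmetric keys; HMAC keeps this example standard-library only.
DEMO_KEY = b"constructed-demo-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, kid: str, key: bytes = DEMO_KEY) -> str:
    """Compact JWS: base64url(header).base64url(claims).base64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    parts = [_b64url(json.dumps(obj, separators=(",", ":")).encode())
             for obj in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes = DEMO_KEY):
    """Return (header, claims) when the signature verifies, else None."""
    try:
        h, c, s = token.split(".")
        expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c))
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return None


def refresh_token_credential(prt: str, request_nonce: str, kid: str, win_ver: str) -> str:
    """x-ms-RefreshTokenCredential JWT (section 3.2.5.2.1.1.1) with the errata's claims."""
    claims = {
        "iat": int(time.time()),
        "refresh_token": prt,            # primary refresh token from the server
        "request_nonce": request_nonce,  # nonce from the earlier nonce request
        "x_client_platform": "windows",  # default for the Windows platform
        "win_ver": win_ver,              # operating system version information
        "windows_api_version": "2.0.1",  # tells the server nonce challenges are handled
    }
    return sign_jwt(claims, kid)


def device_credential(request_nonce: str, kid: str, win_ver: str) -> str:
    """x-ms-DeviceCredential JWT (section 3.2.5.2.1.1.2) with the errata's claims."""
    claims = {
        "grant_type": "device_auth",
        "iss": "aad:brokerplugin",
        "request_nonce": request_nonce,
        "x_client_platform": "windows",
        "win_ver": win_ver,
        "windows_api_version": "2.0.1",
    }
    return sign_jwt(claims, kid)


def check_user_assertion(request_body: dict, device_kid: str, key: bytes = DEMO_KEY) -> str:
    """Server step from section 3.2.5.1.2.3 as clarified by the errata.

    Returns "ok" or the [RFC6749] error string "invalid_grant".
    """
    verified = verify_jwt(request_body.get("assertion", ""), key)
    if verified is None:
        return "invalid_grant"
    header, claims = verified
    # Assertion signed by a key other than the authenticated device's: require
    # request_nonce in the assertion and require it to equal the body's value.
    if header.get("kid") != device_kid:
        if "request_nonce" not in claims:
            return "invalid_grant"
        body_nonce = str(request_body.get("request_nonce", "")).encode("utf-8")
        if not hmac.compare_digest(str(claims["request_nonce"]).encode("utf-8"), body_nonce):
            return "invalid_grant"
    return "ok"


def demo() -> tuple:
    """Constructed flow: a valid request, then the same assertion replayed under a fresh nonce."""
    nonce = secrets.token_urlsafe(16)  # stands in for the server-issued Nonce
    assertion = sign_jwt({"aud": "https://issuer.example.test", "request_nonce": nonce}, "user-kid")
    good = {"request_nonce": nonce, "assertion": assertion}
    replayed = {"request_nonce": secrets.token_urlsafe(16), "assertion": assertion}
    return check_user_assertion(good, "device-kid"), check_user_assertion(replayed, "device-kid")


if __name__ == "__main__":
    print(demo())  # ('ok', 'invalid_grant')
```

The check fails closed: whenever the assertion's kid differs from the authenticated device's kid, a missing request_nonce or one that differs from the request body yields invalid_grant, which is what binds the user assertion to the nonce-bearing request rather than letting a previously captured assertion be reused with a fresh body.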

*Date format: YYYY/MM/DD