PoPAuthenticationConfiguration Class

Definition

Details about the HTTP request and configuration properties used to construct a proof of possession request.

public class PoPAuthenticationConfiguration
type PoPAuthenticationConfiguration = class
Public Class PoPAuthenticationConfiguration
Inheritance
PoPAuthenticationConfiguration

Remarks

POP tokens are signed by the process making the request. By default, MSAL will generate a key in memory. To use a hardware key or an external key, implement PopCryptoProvider.

Constructors

PoPAuthenticationConfiguration()

Creates a configuration using the default key management - an RSA key will be created in memory and rotated every 8h. Uses HttpMethod, HttpHost etc. to control which elements of the request should be included in the POP token.

PoPAuthenticationConfiguration(HttpRequestMessage)

Creates a configuration using the default key management, and which binds all the details of the HttpRequestMessage.

PoPAuthenticationConfiguration(Uri)

Creates a configuration using the default key management, and which binds only the Uri part of the HTTP request.

Properties

HttpHost

The URL host of the protected API. The "u" part of a signed HTTP request. This MAY include the port separated from the host by a colon in host:port format. Optional.

HttpMethod

The HTTP method ("GET", "POST" etc.) method that will be bound to the token. Leave null and the POP token will not be bound to the method. Corresponds to the "m" part of the a signed HTTP request. Optional.

HttpPath

The "p" part of the signed HTTP request.

Nonce

If the protected resource (RP) requires use of a special nonce, they will publish it as part of the WWWAuthenticate header associated with a 401 HTTP response or as part of the AuthorityInfo header associated with 200 response. Set it here to make it part of the Signed HTTP Request part of the POP token.

PopCryptoProvider

An extensibility point that allows developers to define their own key management. Leave null and MSAL will use a default implementation, which generates an RSA key pair in memory and refreshes it every 8 hours. Important note: if you want to change the key (e.g. rotate the key), you should create a new instance of this object, as MSAL.NET will keep a thumbprint of keys in memory.

SignHttpRequest

Allows app developers to bypass the creation of the SignedHttpRequest envelope by setting this property to false. App developers can use a package like Microsoft.IdentityModel.Protocols.SignedHttpRequest to later create and sign the envelope.

Applies to