This feature entails adding CAE support for all clients lacking a custom challenge handler i.e., everyone except Key Vault and Storage.
Adding support involves adding logic to your BearerTokenAuthenticationPolicy such that it does the following:
- Detects when a CAE challenge is issued (401 response with a WWW-Authenticate header)
- Parses the WWW-Authenticate header (format here)
- validate that the
error value is "insufficient_claims"
- capture the
claims value and decode it from base64 encoding to a string
- Pass the string value of the un-encoded
claims to the TokenCredential via the TokenRequestContext or equivalent for your language via the Claims property
- Ensure that any local token caching is bypassed in the policy when the claims are populated from a CAE challenge
- Authorize the original request with the new token and send it through the pipeline again
- Return any response to the caller (don't try to handle a second challenge)
Example PRs:
Azure/azure-sdk-for-go#23414
Azure/azure-sdk-for-net#46277
This feature entails adding CAE support for all clients lacking a custom challenge handler i.e., everyone except Key Vault and Storage.
Adding support involves adding logic to your BearerTokenAuthenticationPolicy such that it does the following:
errorvalue is "insufficient_claims"claimsvalue and decode it from base64 encoding to a stringclaimsto theTokenCredentialvia theTokenRequestContextor equivalent for your language via theClaimspropertyExample PRs:
Azure/azure-sdk-for-go#23414
Azure/azure-sdk-for-net#46277