[POC] Use secure HTTP client factory and force certificate credential for token binding #3559
Conversation
|
|
||
| namespace Microsoft.Identity.Web | ||
| { | ||
| internal sealed class MsalMtlsHttpClientFactory : IMsalMtlsHttpClientFactory |
There was a problem hiding this comment.
I don't understand the purpose of this class. It derives from IMsalMtlsHttpClientFactory and encapsulates an IMsalMtlsHttpClientFactory .
I think what you mean is for a class that dervices from IMsalMtlsHttpClientFactory but it should encapsulate System.Net.HttpIHttpClientFactory
There was a problem hiding this comment.
I consider it more like an adaptor because IMsalMtlsHttpClientFactory doesn't derive from IHttpClientFactory, which means that it this class needed need to implement what SecureHttpClientFactory does but we'd have a code duplication between MSAL.NET and Identity.Web in this case. I don't have strong opinion there though, so it's better to have encapsulated IHttpClientFactory rather than IMsalMtlsHttpClientFactory, is it correct?
There was a problem hiding this comment.
I think the simplest for now is to intervene here:
WithHttpClientFactory.
If you do want to inject HTTP transport, then you must provide an adapter between IHttpClientFactory and IMsalMtlsHttpClientFactory i.e.
public class Impl : IMsalMtlsHttpClientFactory
{
Impl(IHttpClientFactory aspFactory) { }
}However, I am not sure how / if this ^^ adapter can be implemnted.
There was a problem hiding this comment.
I changed it to use IHttpClientFactory for non-mTLS HTTP clients with managing a pool of mTLS clients, which are created in place (due to a fact that its handler needs to be configured before an actual instance is created).
| // regardless of credential type being set, bound token requires a certificate | ||
| if (isTokenBinding) | ||
| { | ||
| if (credential.Certificate == null) |
2 participants
No description provided.