From 18f3a2740ee1be2111759142e4174db08adb6397 Mon Sep 17 00:00:00 2001 From: Akanksha Patel Date: Mon, 23 Dec 2024 16:40:33 +0530 Subject: [PATCH] [OAuth2Manager] Remove APIs for Implicit grant type (#4979) * [OAuth2Manager] Remove APIs for Implicit grant type * Remove implicit refernces * Telemetry * Add security recommendations to OAuth2Manager spec. --- dev/OAuth/AuthRequestAsyncOperation.cpp | 52 ---------- dev/OAuth/AuthRequestAsyncOperation.h | 1 - dev/OAuth/OAuth.idl | 49 ++------- dev/OAuth/OAuth2Manager.cpp | 92 ----------------- dev/OAuth/OAuth2Manager.h | 21 ---- dev/OAuth/OAuth2ManagerTelemetry.h | 2 - dev/OAuth/TokenRequestParams.cpp | 10 -- dev/OAuth/TokenRequestParams.h | 2 - specs/OAuth/OAuth2Manager.md | 128 ++---------------------- 9 files changed, 15 insertions(+), 342 deletions(-) diff --git a/dev/OAuth/AuthRequestAsyncOperation.cpp b/dev/OAuth/AuthRequestAsyncOperation.cpp index 60571a97e7..f98bd21ba4 100644 --- a/dev/OAuth/AuthRequestAsyncOperation.cpp +++ b/dev/OAuth/AuthRequestAsyncOperation.cpp 
@@ -13,58 +13,6 @@ using namespace winrt::Windows::Foundation; using namespace winrt::Windows::Foundation::Collections; using namespace winrt::Windows::Security::Cryptography; -AuthRequestAsyncOperation::AuthRequestAsyncOperation(winrt::hstring& state) -{ - try - { - if (state.empty()) - { - while (true) - { - state = random_base64urlencoded_string(32); - if (try_create_pipe(state)) - { - break; - } - - // 'FILE_FLAG_FIRST_PIPE_INSTANCE' is documented as failing with 'ERROR_ACCESS_DENIED' if a pipe - // with the same name has already been created. - if (auto err = ::GetLastError(); err != ERROR_ACCESS_DENIED) - { - throw winrt::hresult_error(HRESULT_FROM_WIN32(err), - L"Generation of a unique state value unexpectedly failed"); - } - } - } - else if (!try_create_pipe(state)) - { - auto err = ::GetLastError(); - auto msg = - (err == ERROR_ACCESS_DENIED) ? L"Provided state value is not unique" : L"Failed to create named pipe"; - throw winrt::hresult_error(HRESULT_FROM_WIN32(err), msg); - } - - m_overlapped.hEvent = ::CreateEventW(nullptr, true, false, nullptr); - if (!m_overlapped.hEvent) - { - throw winrt::hresult_error(HRESULT_FROM_WIN32(::GetLastError()), L"Failed to create an event"); - } - - m_ptp.reset(::CreateThreadpoolWait(async_callback, this, nullptr)); // Use reset() to initialize - if (!m_ptp) - { - throw winrt::hresult_error(HRESULT_FROM_WIN32(::GetLastError()), L"Failed to create threadpool wait"); - } - connect_to_new_client(); - } - catch (...) - { - // Throwing in a constructor will cause the destructor not to run... - destroy(); - throw; - } -} - AuthRequestAsyncOperation::AuthRequestAsyncOperation(implementation::AuthRequestParams* params) : m_params(params->get_strong()) { diff --git a/dev/OAuth/AuthRequestAsyncOperation.h b/dev/OAuth/AuthRequestAsyncOperation.h index 07fa7f2ecf..b16a326697 100644 --- a/dev/OAuth/AuthRequestAsyncOperation.h +++ b/dev/OAuth/AuthRequestAsyncOperation.h 
@@ -9,7 +9,6 @@ struct AuthRequestAsyncOperation : winrt::implements, foundation::IAsyncInfo> { - AuthRequestAsyncOperation(winrt::hstring& state); AuthRequestAsyncOperation(oauth::implementation::AuthRequestParams* params); ~AuthRequestAsyncOperation(); diff --git a/dev/OAuth/OAuth.idl b/dev/OAuth/OAuth.idl index c73522b7c4..7b7a2a28ba 100644 --- a/dev/OAuth/OAuth.idl +++ b/dev/OAuth/OAuth.idl @@ -29,21 +29,6 @@ namespace Microsoft.Security.Authentication.OAuth [contract(OAuthContract, 1), feature(Feature_OAuth)] static runtimeclass OAuth2Manager { - // Initiates an authorization request in the user's default browser as described by RFC 6749 section 3.1. The - // returned 'IAsyncOperation' will remain in the 'Started' state until it is either cancelled or completed by a - // call to 'CompleteAuthRequest'. This performs authorization of response_type="token". - static Windows.Foundation.IAsyncOperation RequestAuthAsync( - Microsoft.UI.WindowId parentWindowId, - Windows.Foundation.Uri completeAuthEndpoint, - Windows.Foundation.Uri redirectUri); - - // Initiates an authorization request in the user's default browser as described by RFC 6749 section 3.1. The - // returned 'IAsyncOperation' will remain in the 'Started' state until it is either cancelled or completed by a - // call to 'CompleteAuthRequest'.This performs authorization of response_type="token". - static Windows.Foundation.IAsyncOperation RequestAuthAsync( - Microsoft.UI.WindowId parentWindowId, - Windows.Foundation.Uri completeAuthEndpoint); - // Initiates an authorization request in the user's default browser as described by RFC 6749 section 3.1. The // returned 'IAsyncOperation' will remain in the 'Started' state until it is either cancelled or completed by a // call to 'CompleteAuthRequest'. 
@@ -98,16 +83,8 @@ namespace Microsoft.Security.Authentication.OAuth // parameters as well as a redirect URI, which is frequently specified. static AuthRequestParams CreateForAuthorizationCodeRequest(String clientId, Windows.Foundation.Uri redirectUri); - // Helper method to create for an implicit grant request ("token" response type) with required parameters, per - // RFC 6749 section 4.2.1. - static AuthRequestParams CreateForImplicitRequest(String clientId); - // Helper method to create for an implicit grant request ("token" response type) with required parameters as - // well as a redirect URI, which is frequently specified. - static AuthRequestParams CreateForImplicitRequest(String clientId, Windows.Foundation.Uri redirectUri); - // Specifies the required "response_type" parameter of the authorization request. This property is initialized - // by the creation function used ("code" for 'CreateForAuthorizationCodeRequest' and "token" for - // 'CreateForImplicitRequest'). + // by the creation function used ("code" for 'CreateForAuthorizationCodeRequest'). // // Defined by RFC 6749: The OAuth 2.0 Authorization Framework, sections 4.1.1 and 4.2.1 // https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1 @@ -157,9 +134,7 @@ namespace Microsoft.Security.Authentication.OAuth String CodeChallenge{ get; set; }; // Specifies the optional "code_challenge_method" parameter of the authorization request. For authorization code - // requests, this value defaults to 'S256'. For implicit requests, this value defaults to 'None' and cannot be - // changed. - // + // requests, this value defaults to 'S256'. // Defined by RFC 7636: Proof Key for Code Exchange by OAuth Public Clients, section 4.3 // https://www.rfc-editor.org/rfc/rfc7636#section-4.3 CodeChallengeMethodKind CodeChallengeMethod { get; set; }; 
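Review bot: The comment above `ResponseType` in the first hunk still cites RFC 6749 "sections 4.1.1 and 4.2.1" after the sentence naming 'CreateForImplicitRequest' was dropped; 4.2.1 is the implicit grant's authorization request, so the citation is stale now that the only remaining creation helper sets "code" — change it to `// Defined by RFC 6749: The OAuth 2.0 Authorization Framework, section 4.1.1` (the URL line under it already points at 4.1.1). The property's declaration is outside the hunk; if it remains settable, removing the helper does not by itself prevent a caller from passing response_type "token" through RequestAuthWithParamsAsync, so the comment should state which values the manager supports. In the second hunk, dropping the blank `//` separator leaves the 'S256' sentence running straight into the "Defined by RFC 7636" line, while every other property in this file keeps an empty `//` line between description and citation; keep `//` before the citation. The same two comment blocks are duplicated in specs/OAuth/OAuth2Manager.md and need the same edits.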
@@ -186,30 +161,22 @@ namespace Microsoft.Security.Authentication.OAuth // https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2 String Code { get; }; - // From the "access_token" parameter of the authorization response. Set only if the request was an implicit - // request. - // + // From the "access_token" parameter of the authorization response. // Defined by RFC 6749: The OAuth 2.0 Authorization Framework, section 4.2.2 // https://www.rfc-editor.org/rfc/rfc6749#section-4.2.2 String AccessToken { get; }; - // From the "token_type" parameter of the authorization response. Set only if the request was an implicit - // request. - // + // From the "token_type" parameter of the authorization response. // Defined by RFC 6749: The OAuth 2.0 Authorization Framework, section 4.2.2 // https://www.rfc-editor.org/rfc/rfc6749#section-4.2.2 String TokenType { get; }; - // From the "expires_in" parameter of the authorization response. An optional parameter that may be set only if - // the request was an implicit request. - // + // From the "expires_in" parameter of the authorization response. // Defined by RFC 6749: The OAuth 2.0 Authorization Framework, section 4.2.2 // https://www.rfc-editor.org/rfc/rfc6749#section-4.2.2 String ExpiresIn { get; }; // TODO: DateTime? - // From the "scope" parameter of the authorization response. An optional parameter that may be set only if the - // request was an implicit request. - // + // From the "scope" parameter of the authorization response. // Defined by RFC 6749: The OAuth 2.0 Authorization Framework, section 4.2.2 // https://www.rfc-editor.org/rfc/rfc6749#section-4.2.2 String Scope { get; }; 
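Review bot: `AccessToken`, `TokenType`, `ExpiresIn` and `Scope` on AuthResponse keep their section 4.2.2 citations, which describe the implicit grant's authorization response, yet the only sentence saying when they are populated was removed; as far as this file shows, no remaining API issues a request whose authorization response carries an access token, so a reader can no longer tell these will be empty for the "code" flow. Either say so explicitly, e.g. `// From the "access_token" parameter of the authorization response. Not populated by the authorization code flow; retained for API compatibility.`, or mark the properties deprecated. If CompleteAuthRequest (outside this diff) still parses these values from the redirect URI, the manager would still surface a front-channel token that the API no longer asks for; worth confirming that is intended and documenting it either way. The spec copy of this block in specs/OAuth/OAuth2Manager.md has the same gap.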
@@ -281,10 +248,6 @@ namespace Microsoft.Security.Authentication.OAuth // 4.1.3. static TokenRequestParams CreateForAuthorizationCodeRequest(AuthResponse authResponse); - // Helper method to create for a resource owner password credentials grant request ("password" grant type), - // initialized with the required parameters, per RFC 6749 section 4.3.2. - static TokenRequestParams CreateForResourceOwnerPasswordCredentials(String username, String password); - // Helper method to create for a client credentials grant request ("client_credentials" grant type), initialized // with the required parameters, per RFC 6749 section 4.4.2. static TokenRequestParams CreateForClientCredentials(); diff --git a/dev/OAuth/OAuth2Manager.cpp b/dev/OAuth/OAuth2Manager.cpp index 4ae3e16018..601f1ee967 100644 --- a/dev/OAuth/OAuth2Manager.cpp +++ b/dev/OAuth/OAuth2Manager.cpp 
@@ -23,74 +23,6 @@ using namespace winrt::Windows::Web::Http; namespace winrt::Microsoft::Security::Authentication::OAuth::factory_implementation { - IAsyncOperation OAuth2Manager::RequestAuthAsync(winrt::Microsoft::UI::WindowId const& parentWindowId, - const Uri& completeAuthEndpoint, - const Uri& redirectUri) - { - THROW_HR_IF(E_NOTIMPL, !::Microsoft::Security::Authentication::OAuth::Feature_OAuth::IsEnabled()); - - bool isAppPackaged = m_telemetryHelper.IsPackagedApp(); - PCWSTR appName = m_telemetryHelper.GetAppName().c_str(); - OAuth2ManagerTelemetry::RequestAuthAsyncTriggered(isAppPackaged, appName, true); - - winrt::hstring state; - auto asyncOp = winrt::make_self(state); - - { - std::lock_guard guard{ m_mutex }; - m_pendingAuthRequests.push_back(AuthRequestState{ state, asyncOp }); - } - - try - { - // Pipe server has been successfully set up. Initiate the launch - auto url = create_implicit_url(completeAuthEndpoint, state, redirectUri); - - // Launch browser - execute_shell(parentWindowId, url); - } - catch (...) - { - try_remove(asyncOp.get()); - throw; - } - - return *asyncOp; - } - - IAsyncOperation OAuth2Manager::RequestAuthAsync(winrt::Microsoft::UI::WindowId const& parentWindowId, - const Uri& completeAuthEndpoint) - { - THROW_HR_IF(E_NOTIMPL, !::Microsoft::Security::Authentication::OAuth::Feature_OAuth::IsEnabled()); - - - bool isAppPackaged = m_telemetryHelper.IsPackagedApp(); - PCWSTR appName = m_telemetryHelper.GetAppName().c_str(); - OAuth2ManagerTelemetry::RequestAuthAsyncTriggered(isAppPackaged, appName, false); - - winrt::hstring state; - auto asyncOp = winrt::make_self(state); - - { - std::lock_guard guard{ m_mutex }; - m_pendingAuthRequests.push_back(AuthRequestState{ state, asyncOp }); - } - - try - { - // Pipe server has been successfully set up. Initiate the launch - auto url = create_implicit_url(completeAuthEndpoint, state, nullptr); - - // Launch browser - execute_shell(parentWindowId, url); - } - catch (...) 
- { - try_remove(asyncOp.get()); - throw; - } - return *asyncOp; - } IAsyncOperation OAuth2Manager::RequestAuthWithParamsAsync(winrt::Microsoft::UI::WindowId const& parentWindowId, const Uri& authEndpoint, @@ -408,30 +340,6 @@ namespace winrt::Microsoft::Security::Authentication::OAuth::factory_implementat return result; } - std::wstring OAuth2Manager::create_implicit_url(const foundation::Uri& completeAuthEndpoint, const winrt::hstring& state, const foundation::Uri& redirectUri) - { - std::lock_guard guard{ m_mutex }; - // Per RFC 6749 section 3.1, the auth endpoint URI *MAY* contain a query string, which must be retained - std::wstring result{ completeAuthEndpoint.RawUri() }; - if (completeAuthEndpoint.Query().empty()) - { - result += L"?state="; - } - else - { - result += L"&state="; - } - result += Uri::EscapeComponent(state); - result += L"&response_type=token"; - - if (redirectUri) - { - result += L"&redirect_uri="; - result += Uri::EscapeComponent(redirectUri.RawUri()); - } - return result; - } - void OAuth2Manager::execute_shell(winrt::Microsoft::UI::WindowId const& parentWindowId, const std::wstring& url) { // Convert parentWindowId to HWND diff --git a/dev/OAuth/OAuth2Manager.h b/dev/OAuth/OAuth2Manager.h index fc1f7012ac..352a4cba58 100644 --- a/dev/OAuth/OAuth2Manager.h +++ b/dev/OAuth/OAuth2Manager.h 
@@ -21,10 +21,6 @@ namespace winrt::Microsoft::Security::Authentication::OAuth::factory_implementat struct OAuth2Manager : OAuth2ManagerT { - foundation::IAsyncOperation RequestAuthAsync( - winrt::Microsoft::UI::WindowId const& parentWindowId, const foundation::Uri& completeAuthEndpoint, const foundation::Uri& redirectUri); - foundation::IAsyncOperation RequestAuthAsync( - winrt::Microsoft::UI::WindowId const& parentWindowId, const foundation::Uri& completeAuthEndpoint); foundation::IAsyncOperation RequestAuthWithParamsAsync( winrt::Microsoft::UI::WindowId const& parentWindowId, const foundation::Uri& authEndpoint, const oauth::AuthRequestParams& params); bool CompleteAuthRequest(const foundation::Uri& responseUri); @@ -41,7 +37,6 @@ namespace winrt::Microsoft::Security::Authentication::OAuth::factory_implementat private: AuthRequestState try_remove(AuthRequestAsyncOperation* op); - std::wstring create_implicit_url(const foundation::Uri& completeAuthEndpoint, const winrt::hstring& state, const foundation::Uri& redirectUri); void execute_shell(winrt::Microsoft::UI::WindowId const& parentWindowId, const std::wstring& url); std::shared_mutex m_mutex; TelemetryHelper m_telemetryHelper; @@ -53,22 +48,6 @@ namespace winrt::Microsoft::Security::Authentication::OAuth::implementation { struct OAuth2Manager { - static foundation::IAsyncOperation RequestAuthAsync( - winrt::Microsoft::UI::WindowId const& parentWindowId, - foundation::Uri completeAuthEndpoint, foundation::Uri redirectUri) - { - return winrt::make_self()->RequestAuthAsync(parentWindowId, - completeAuthEndpoint, - redirectUri); - } - - static foundation::IAsyncOperation RequestAuthAsync( - winrt::Microsoft::UI::WindowId const& parentWindowId, - foundation::Uri completeAuthEndpoint) - { - return winrt::make_self()->RequestAuthAsync(parentWindowId, - completeAuthEndpoint); - } static foundation::IAsyncOperation RequestAuthWithParamsAsync( winrt::Microsoft::UI::WindowId const& parentWindowId, 
diff --git a/dev/OAuth/OAuth2ManagerTelemetry.h b/dev/OAuth/OAuth2ManagerTelemetry.h index b2e3d3a5cc..afb710c153 100644 --- a/dev/OAuth/OAuth2ManagerTelemetry.h +++ b/dev/OAuth/OAuth2ManagerTelemetry.h @@ -10,8 +10,6 @@ class OAuth2ManagerTelemetry : public wil::TraceLoggingProvider (0x27d8ee3f, 0xd704, 0x45d6, 0xb6, 0x6c, 0x1d, 0xad, 0x95, 0x79, 0x5c, 0xe5)); //{27d8ee3f-d704-45d6-b66c-1dad95795ce5} public: - DEFINE_COMPLIANT_MEASURES_EVENT_PARAM3(RequestAuthAsyncTriggered, PDT_ProductAndServicePerformance, - bool, IsAppPackaged, PCWSTR, AppName, bool, IsRedirectURIPassed); DEFINE_COMPLIANT_MEASURES_EVENT_PARAM3(RequestAuthWithParamsAsyncTriggered, PDT_ProductAndServicePerformance, bool, IsAppPackaged, PCWSTR, AppName, PCWSTR, ResponseType); diff --git a/dev/OAuth/TokenRequestParams.cpp b/dev/OAuth/TokenRequestParams.cpp index bfb7682f94..ba3844e599 100644 --- a/dev/OAuth/TokenRequestParams.cpp +++ b/dev/OAuth/TokenRequestParams.cpp @@ -45,16 +45,6 @@ namespace winrt::Microsoft::Security::Authentication::OAuth::implementation return *result; } - oauth::TokenRequestParams TokenRequestParams::CreateForResourceOwnerPasswordCredentials( - const winrt::hstring& username, const winrt::hstring& password) - { - auto result = winrt::make_self(L"password"); - result->m_username = username; - result->m_password = password; - - return *result; - } - oauth::TokenRequestParams TokenRequestParams::CreateForClientCredentials() { return winrt::make(L"client_credentials"); diff --git a/dev/OAuth/TokenRequestParams.h b/dev/OAuth/TokenRequestParams.h index a8b434b9c0..d805606d2c 100644 --- a/dev/OAuth/TokenRequestParams.h +++ b/dev/OAuth/TokenRequestParams.h 
@@ -15,8 +15,6 @@ namespace winrt::Microsoft::Security::Authentication::OAuth::implementation TokenRequestParams(const winrt::hstring& grantType); static oauth::TokenRequestParams CreateForAuthorizationCodeRequest(const oauth::AuthResponse& authResponse); - static oauth::TokenRequestParams CreateForResourceOwnerPasswordCredentials(const winrt::hstring& username, - const winrt::hstring& password); static oauth::TokenRequestParams CreateForClientCredentials(); static oauth::TokenRequestParams CreateForExtension(const foundation::Uri& extensionUri); static oauth::TokenRequestParams CreateForRefreshToken(const winrt::hstring& refreshToken); diff --git a/specs/OAuth/OAuth2Manager.md b/specs/OAuth/OAuth2Manager.md index 05283e477d..395b22df76 100644 --- a/specs/OAuth/OAuth2Manager.md +++ b/specs/OAuth/OAuth2Manager.md @@ -4,7 +4,9 @@ OAuth2Manager API This is the spec for proposal: [Issue #441](https://github.com/microsoft/WindowsAppSDK/issues/441) This spec details the API of a new `OAuth2Manager` in WinAppSDK, -enabling desktop applications such as WinUI3 to seamlessly perform OAuth functionality across diverse Windows platforms. +enabling desktop applications such as WinUI3 to seamlessly perform OAuth functionality across diverse Windows platforms. +OAuth2Manager API intentionally does not provide API for the implicit request & resource owner password credential because of the security concerns that follow it. It is recommended to use the +authorization code grant type using Proof Key for Code Exchange (PKCE). 
@@ -39,47 +41,6 @@ and OAuth 2.0 for Native Apps [RFC 8252](https://tools.ietf.org/html/rfc8252). ## Perform OAuth 2.0 (c++) - Performing an Implicit Request with redirect URI(grant type/'response_type' = "token") - - ```c++ - // Get the WindowId for the application window - Microsoft::UI::WindowId parentWindowId = this->AppWindow().Id(); - -AuthRequestResult authRequestResult = co_await OAuth2Manager::RequestAuthAsync(parentWindowId, - Uri(L"https://my.server.com/oauth/authorize?client_id=&scope="), Uri(L"my-app:/oauth-callback/")); -if (AuthResponse authResponse = authRequestResult.Response()) -{ - //To obtain the access token - authResponse.AccessToken(); -} -else -{ - AuthFailure authFailure = authRequestResult.Failure(); - NotifyFailure(authFailure.Error(), authFailure.ErrorDescription()); -} -``` - -Performing an Implicit Request without redirect URI(grant type/'response_type' = "token") - - ```c++ - // Get the WindowId for the application window - Microsoft::UI::WindowId parentWindowId = this->AppWindow().Id(); - -AuthRequestResult authRequestResult = co_await OAuth2Manager::RequestAuthAsync(parentWindowId, - Uri(L"https://my.server.com/oauth/authorize?client_id=&scope=")); -if (AuthResponse authResponse = authRequestResult.Response()) -{ - //To obtain the access token - authResponse.AccessToken(); -} -else -{ - AuthFailure authFailure = authRequestResult.Failure(); - NotifyFailure(authFailure.Error(), authFailure.ErrorDescription()); -} -``` - - Performing an Authorization Code Request (grant type/'response_type' = "code") ```c++ 
@@ -190,37 +151,6 @@ else } ``` -Performing an Implicit Request for a token (grant type/'response_type' = "token") - - ```c++ - // Get the WindowId for the application window -Microsoft::UI::WindowId parentWindowId = this->AppWindow().Id(); - -AuthRequestParams authRequestParams = AuthRequestParams::CreateForImplicitRequest(L"my_client_id", - Uri(L"my-app:/oauth-callback/")); -authRequestParams.Scope(L"user:email user:birthday"); - -AuthRequestResult authRequestResult = co_await OAuth2Manager::RequestAuthWithParamsAsync(parentWindowId, - Uri(L"https://my.server.com/oauth/authorize"), authRequestParams); -if (AuthResponse authResponse = authRequestResult.Response()) -{ - //To obtain the access token - String accessToken = tokenResponse.AccessToken(); - - String tokenType = tokenResponse.TokenType(); - - // Use the access token for resources - DoRequestWithToken(accessToken, tokenType); -} -else -{ - AuthFailure authFailure = authRequestResult.Failure(); - NotifyFailure(authFailure.Error(), authFailure.ErrorDescription()); -} -``` - -> Note: The authorization server MUST NOT issue a refresh token for implicit request. - Completing an Authorization Request from a Protocol Activation ```c++ 
@@ -255,8 +185,6 @@ complete an authorization request, and request an access token for a user throug | Name | Description | Parameters | Returns | |-|-|-|-| -| RequestAuthAsync(Microsoft.UI.WindowId, Windows.Foundation.Uri, Windows.Foundation.Uri) | Initiates an authorization request in the user's default browser. This performs an access token request of implicit grant type. | Microsoft.UI.WindowId `parentWindowId`, Windows.Foundation.Uri `authEndPoint` , Windows.Foundation.Uri `redirectUri` | Windows.Foundation.IAsyncOperation< AuthRequestResult > | -| RequestAuthAsync(Microsoft.UI.WindowId, Windows.Foundation.Uri) | Initiates an authorization request in the user's default browser. This performs an access token request of implicit grant type. | Microsoft.UI.WindowId `parentWindowId`, Windows.Foundation.Uri `authEndPoint` | Windows.Foundation.IAsyncOperation< AuthRequestResult > | | RequestAuthWithParamsAsync(Microsoft.UI.WindowId, Windows.Foundation.Uri, AuthRequestParams) | Intiates auth request for a user in the user's default browser through a client.| Microsoft.UI.WindowId `parentWindowId`, Windows.Foundation.Uri `authEndPoint` , AuthRequestParams `params` | Windows.Foundation.IAsyncOperation< AuthRequestResult > | | CompleteAuthRequest(Windows.Foundation.Uri) | Completes an auth request through a redirect URI. | Windows.Foundation.Uri `responseUri` | Boolean | | RequestTokenAsync(Windows.Foundation.Uri, TokenRequestParams) | Initiates an access token request. | Windows.Foundation.Uri `tokenEndPoint` , TokenRequestParams `params` | Windows.Foundation.IAsyncOperation< TokenRequestResult > | 
@@ -322,8 +250,6 @@ response_type is described in section 3.1.1 of [RFC 6749](https://www.rfc-editor |-|-|-|-| | CreateForAuthorizationCodeRequest(String) | Helper method to create for an authorization code grant request ("code" response type) with required parameters. | String `clientId` | AuthRequestParams | | CreateForAuthorizationCodeRequest(String, Windows.Foundation.Uri) | Helper method to create for an authorization code grant request ("code" response type) with required parameters. | String `clientId` , Windows.Foundation.Uri `redirectUri` | AuthRequestParams | -| CreateForImplicitRequest(String) | Helper method to create for an implicit grant request ("token" response type) with required parameters. | String `clientId` | AuthRequestParams | -| CreateForImplicitRequest(String, Windows.Foundation.Uri) | Helper method to create for an implicit grant request ("token" response type) with required parameters. | String `clientId` , Windows.Foundation.Uri `redirectUri` | AuthRequestParams | ## AuthRequestParams Properties 
@@ -400,7 +326,6 @@ It's a class that provides methods to create a token request parameter object. T | Name | Description | Parameters | Returns | |-|-|-|-| | CreateForAuthorizationCodeRequest(AuthResponse) | Helper method to create for an authorization code grant request ("authorization_code" grant type) with required parameters extracted from the authorization response. | AuthResponse `authResponse` | TokenRequestParams | -| CreateForResourceOwnerPasswordCredentials(String, String) | Helper method to create for a resource owner password credentials grant request ("password" grant type) with required parameters. | String `username` , String `password` | TokenRequestParams | | CreateForClientCredentials() | Helper method to create for a client credentials grant request ("client_credentials" grant type) with required parameters. | None | TokenRequestParams | | CreateForExtension(Windows.Foundation.Uri) | Helper method to create for an extension grant request, using the provided URI for the grant type. | Windows.Foundation.Uri `extensionUri` | TokenRequestParams | | CreateForRefreshToken(String) | Helper method to create for an access token refresh request ("refresh_token" grant type) with required parameters. | String `refreshToken` | TokenRequestParams | 
@@ -505,18 +430,6 @@ namespace Microsoft.Security.Authentication.OAuth [contract(OAuthContract, 1)] static runtimeclass OAuth2Manager { - // Initiates an authorization request in the user's default browser as described by RFC 6749 section 3.1. The - // returned 'IAsyncOperation' will remain in the 'Started' state until it is either cancelled or completed by a - // call to 'CompleteAuthRequest'. This performs authorization of response_type="token". - static Windows.Foundation.IAsyncOperation RequestAuthAsync(Microsoft.UI.WindowId parentWindowId, - Windows.Foundation.Uri completeAuthEndpoint, - Windows.Foundation.Uri redirectUri); - - // Initiates an authorization request in the user's default browser as described by RFC 6749 section 3.1. The - // returned 'IAsyncOperation' will remain in the 'Started' state until it is either cancelled or completed by a - // call to 'CompleteAuthRequest'.This performs authorization of response_type="token". - static Windows.Foundation.IAsyncOperation RequestAuthAsync(Microsoft.UI.WindowId parentWindowId, - Windows.Foundation.Uri completeAuthEndpoint); // Initiates an authorization request in the user's default browser as described by RFC 6749 section 3.1. The // returned 'IAsyncOperation' will remain in the 'Started' state until it is either cancelled or completed by a 
@@ -572,17 +485,8 @@ namespace Microsoft.Security.Authentication.OAuth // parameters as well as a redirect URI, which is frequently specified. static AuthRequestParams CreateForAuthorizationCodeRequest(String clientId, Windows.Foundation.Uri redirectUri); - // Helper method to create for an implicit grant request ("token" response type) with required parameters, per - // RFC 6749 section 4.2.1. - static AuthRequestParams CreateForImplicitRequest(String clientId); - - // Helper method to create for an implicit grant request ("token" response type) with required parameters as - // well as a redirect URI, which is frequently specified. - static AuthRequestParams CreateForImplicitRequest(String clientId, Windows.Foundation.Uri redirectUri); - // Specifies the required "response_type" parameter of the authorization request. This property is initialized - // by the creation function used ("code" for 'CreateForAuthorizationCodeRequest' and "token" for - // 'CreateForImplicitRequest'). + // by the creation function used ("code" for 'CreateForAuthorizationCodeRequest'). // // Defined by RFC 6749: The OAuth 2.0 Authorization Framework, sections 4.1.1 and 4.2.1 // https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1 @@ -632,9 +536,7 @@ namespace Microsoft.Security.Authentication.OAuth String CodeChallenge { get; set; }; // Specifies the optional "code_challenge_method" parameter of the authorization request. For authorization code - // requests, this value defaults to 'S256'. For implicit requests, this value defaults to 'None' and cannot be - // changed. - // + // requests, this value defaults to 'S256'. // Defined by RFC 7636: Proof Key for Code Exchange by OAuth Public Clients, section 4.3 // https://www.rfc-editor.org/rfc/rfc7636#section-4.3 CodeChallengeMethodKind CodeChallengeMethod { get; set; }; 
@@ -661,30 +563,22 @@ namespace Microsoft.Security.Authentication.OAuth // https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2 String Code { get; }; - // From the "access_token" parameter of the authorization response. Set only if the request was an implicit - // request. - // + // From the "access_token" parameter of the authorization response. // Defined by RFC 6749: The OAuth 2.0 Authorization Framework, section 4.2.2 // https://www.rfc-editor.org/rfc/rfc6749#section-4.2.2 String AccessToken { get; }; - // From the "token_type" parameter of the authorization response. Set only if the request was an implicit - // request. - // + // From the "token_type" parameter of the authorization response. // Defined by RFC 6749: The OAuth 2.0 Authorization Framework, section 4.2.2 // https://www.rfc-editor.org/rfc/rfc6749#section-4.2.2 String TokenType { get; }; - // From the "expires_in" parameter of the authorization response. An optional parameter that may be set only if - // the request was an implicit request. - // + // From the "expires_in" parameter of the authorization response. // Defined by RFC 6749: The OAuth 2.0 Authorization Framework, section 4.2.2 // https://www.rfc-editor.org/rfc/rfc6749#section-4.2.2 String ExpiresIn { get; }; // TODO: DateTime? - // From the "scope" parameter of the authorization response. An optional parameter that may be set only if the - // request was an implicit request. - // + // From the "scope" parameter of the authorization response. // Defined by RFC 6749: The OAuth 2.0 Authorization Framework, section 4.2.2 // https://www.rfc-editor.org/rfc/rfc6749#section-4.2.2 String Scope { get; }; 
@@ -756,10 +650,6 @@ namespace Microsoft.Security.Authentication.OAuth // 4.1.3. static TokenRequestParams CreateForAuthorizationCodeRequest(AuthResponse authResponse); - // Helper method to create for a resource owner password credentials grant request ("password" grant type), - // initialized with the required parameters, per RFC 6749 section 4.3.2. - static TokenRequestParams CreateForResourceOwnerPasswordCredentials(String username, String password); - // Helper method to create for a client credentials grant request ("client_credentials" grant type), initialized // with the required parameters, per RFC 6749 section 4.4.2. static TokenRequestParams CreateForClientCredentials();