msal-rs 0.1.2

Microsoft Authentication Library for Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167

use std::{
    collections::HashMap,
    time::{SystemTime, UNIX_EPOCH},
};

use authority::Authority;
use base64::{engine::general_purpose, Engine};
use jsonwebtoken::{encode, Algorithm, EncodingKey, Header};
use reqwest::Client;
use serde::{Deserialize, Serialize};
use uuid::Uuid;

use crate::{authority, Error};

const CLIENT_ID: &str = "client_id";
const SCOPES: &str = "scope";
const GRANT_TYPE: &str = "grant_type";
const CLIENT_CREDENTIALS_GRANT: &str = "client_credentials";
const CLIENT_SECRET: &str = "client_secret";
const ASSERTION: &str = "client_assertion";
const ASSERTION_TYPE: &str = "client_assertion_type";
const CLIENT_ASSERTION_GRANT_TYPE: &str = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

pub enum ClientCredential {
    ClientSecret(String),
    Certificate(Certificate),
}

impl ClientCredential {
    /// Create a new client credential from a client secret.
    ///
    /// See: [1-Call-MsGraph-WithSecret](https://github.com/Azure-Samples/ms-identity-python-daemon/blob/master/1-Call-MsGraph-WithSecret/README.md)
    pub fn from_secret(secret: String) -> Self {
        ClientCredential::ClientSecret(secret)
    }

    /// Create a new client credential from a certificate.
    ///
    /// See: [2-Call-MsGraph-WithCertificate](https://github.com/Azure-Samples/ms-identity-python-daemon/blob/master/2-Call-MsGraph-WithCertificate/README.md)
    pub fn from_certificate(private_key: Vec<u8>, thumbprint: String) -> Self {
        ClientCredential::Certificate(Certificate {
            private_key,
            thumbprint,
        })
    }
}

pub struct Certificate {
    private_key: Vec<u8>,
    thumbprint: String,
}

pub struct ConfidentialClient {
    client_id: String,
    authority: Authority,
    credential: ClientCredential,
    http_client: Client,
}

impl ConfidentialClient {
    pub async fn new(
        client_id: &str,
        authority: &str,
        credential: ClientCredential,
    ) -> Result<ConfidentialClient, Error> {
        ConfidentialClient::with_http_client(client_id, authority, credential, Client::new()).await
    }

    pub async fn with_http_client(
        client_id: &str,
        authority: &str,
        credential: ClientCredential,
        http_client: Client,
    ) -> Result<ConfidentialClient, Error> {
        let authority = Authority::new(authority, &http_client).await?;

        Ok(ConfidentialClient {
            client_id: client_id.to_string(),
            authority,
            credential,
            http_client,
        })
    }

    pub async fn acquire_token_silent(&self, scopes: &[&str]) -> Result<TokenResponse, Error> {
        let mut params = HashMap::new();

        let assertion;
        match &self.credential {
            ClientCredential::ClientSecret(client_secret) => {
                params.insert(CLIENT_SECRET, client_secret.as_str());
            }
            ClientCredential::Certificate(certificate) => {
                let now = SystemTime::now()
                    .duration_since(UNIX_EPOCH)
                    .unwrap()
                    .as_secs();
                let audience = &self.authority.token_endpoint;
                let issuer = &self.client_id;
                let uuid = Uuid::new_v4().to_string();
                let claims = AssertionClaims {
                    aud: audience,
                    sub: issuer,
                    iss: issuer,
                    exp: 600 + now,
                    iat: now,
                    jti: uuid.as_str(),
                };

                let encoding_key = EncodingKey::from_rsa_pem(&certificate.private_key)?;
                let mut header = Header::new(Algorithm::RS256);

                let sha1_thumbprint =
                    general_purpose::STANDARD.encode(hex::decode(&certificate.thumbprint)?);
                header.x5t = Some(sha1_thumbprint);

                assertion = encode(&header, &claims, &encoding_key)?;

                params.insert(ASSERTION, &assertion);
                params.insert(ASSERTION_TYPE, CLIENT_ASSERTION_GRANT_TYPE);
            }
        }

        params.insert(CLIENT_ID, &self.client_id);
        let scope = scopes.join(" ");
        params.insert(SCOPES, &scope);
        params.insert(GRANT_TYPE, CLIENT_CREDENTIALS_GRANT);

        let response = self
            .http_client
            .post(&self.authority.token_endpoint)
            .form(&params)
            .send()
            .await?;

        let response: TokenResponse = response.json().await?;

        Ok(response)
    }
}

#[derive(Deserialize, Debug)]
pub struct TokenResponse {
    pub expires_in: Option<u64>,
    pub ext_expires_in: Option<u64>,
    pub access_token: Option<String>,
    pub refresh_token: Option<String>,
    pub id_token: Option<String>,

    // Error
    pub error: Option<String>,
    pub error_description: Option<String>,
    pub error_codes: Option<Vec<usize>>,
    pub timestamp: Option<String>,
    pub trace_id: Option<String>,
    pub correlation_id: Option<String>,
}

#[derive(Debug, Serialize)]
struct AssertionClaims<'a> {
    aud: &'a str,
    sub: &'a str,
    iss: &'a str,
    jti: &'a str,
    iat: u64,
    exp: u64,
}