In ClientCertificateCredential, add the x5c parameter of the JWT token as a JSON array rather than a JSON string. (#6052)

* In ClientCertificateCredential, add the x5c parameter of the JWT token as a JSON array rather than a JSON string. * Update sdk/identity/azure-identity/src/client_certificate_credential.cpp Co-authored-by: Ray Luo <rayluo.mba@gmail.com> --------- Co-authored-by: Ray Luo <rayluo.mba@gmail.com>
2024-10-01 22:01:59 -07:00 · 2024-10-01 22:01:59 -07:00 · 1ce3178c42
commit 1ce3178c42
parent b550ecc46d
3 changed files with 12 additions and 8 deletions
--- a/sdk/identity/azure-identity/CHANGELOG.md
+++ b/sdk/identity/azure-identity/CHANGELOG.md
@ -13,6 +13,7 @@
 ### Other Changes

 - Allow certain response headers to be logged in `AzurePipelinesCredential` for diagnostics and include them in the exception message.
+- In `ClientCertificateCredential`, add the x5c parameter of the JWT token as a JSON array rather than a JSON string.

 ## 1.10.0-beta.1 (2024-09-17)

--- a/sdk/identity/azure-identity/src/client_certificate_credential.cpp
+++ b/sdk/identity/azure-identity/src/client_certificate_credential.cpp
@ -143,12 +143,15 @@ std::string GetJwtToken(
  std::string x5cHeaderParam{};
  if (sendCertificateChain)
  {
-    // Since there is only one base64 encoded cert string, it can be written as a JSON string rather
-    // than a JSON array of strings.
-    x5cHeaderParam = ",\"x5c\":\"";
+    // Even though there is only one base64 encoded cert string, we write the x5c header as a JSON
+    // array of strings, following the spec:
+    // https://datatracker.ietf.org/doc/html/rfc7517#section-4.7
+    // For historical, legacy reasons, the token endpoint happens to work with a single string, but
+    // we shouldn't rely on that behavior.
+    x5cHeaderParam = ",\"x5c\":[\"";
    std::string certContent = FindPemCertificateContent(clientCertificatePath, clientCertificate);
    x5cHeaderParam += certContent;
-    x5cHeaderParam += "\"";
+    x5cHeaderParam += "\"]";
  }

  // Form a JWT token:
--- a/sdk/identity/azure-identity/test/ut/client_certificate_credential_test.cpp
+++ b/sdk/identity/azure-identity/test/ut/client_certificate_credential_test.cpp
@ -133,8 +133,8 @@ public:
    {
      return "{\"x5t\":" + x5t + ",\"kid\":" + kid
          + ",\"alg\":\"RS256\",\"typ\":\"JWT\","
-            "\"x5c\":"
-          + x5c + "}";
+            "\"x5c\":["
+          + x5c + "]}";
    }
    return "{\"x5t\":" + x5t + ",\"kid\":" + kid + ",\"alg\":\"RS256\",\"typ\":\"JWT\"}";
  }
@ -228,8 +228,8 @@ public:
    {
      return "{\"x5t\":" + x5t + ",\"kid\":" + kid
          + ",\"alg\":\"RS256\",\"typ\":\"JWT\","
-            "\"x5c\":"
-          + x5c + "}";
+            "\"x5c\":["
+          + x5c + "]}";
    }
    return "{\"x5t\":" + x5t + ",\"kid\":" + kid + ",\"alg\":\"RS256\",\"typ\":\"JWT\"}";
  }