[cifs-protocol] [MS-OAPXBC] Exchange PRT for Access Token, HS256 or RS256? - TrackingID#2312150040011919

Kristian Smith Kristian.Smith at microsoft.com
Tue Dec 19 17:39:22 UTC 2023


[Obaid to Bcc]

Hi David,

I'll be looking into this OAuth question you've posed. Once I've completed my research, I'll reach out to you with my findings.


Regards,

Kristian Smith

Support Escalation Engineer | Azure DevOps, Windows Protocols | Microsoft® Corporation

Office phone: +1 425-421-4442

Email: kristian.smith at microsoft.com

Working hours: 8:00 am - 5:00 pm PST, Monday – Friday

Team Manager: Gary Ranne garyra at microsoft.com

ServiceHub:  https://serviceshub.microsoft.com/support/contactsupport_

In case you don't hear from me, please call your regional number here:  https://support.microsoft.com/help/13948/global-customer-service-phone-numbers.

If you need assistance outside my normal working hours, please reach out to devbu at microsoft.com. One of my colleagues will gladly continue working on this issue.

________________________________
From: Obaid Farooqi <obaidf at microsoft.com>
Sent: Friday, December 15, 2023 3:00 PM
To: David Mulder <dmulder at samba.org>
Cc: cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
Subject: [MS-OAPXBC] Exchange PRT for Access Token, HS256 or RS256? - TrackingID#2312150040011919

Hi David:
Thanks for contacting Microsoft. I have created a case to track this issue. A member of the open specifications team will be in touch soon.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: David Mulder <dmulder at samba.org>
Sent: Friday, December 15, 2023 2:52 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [EXTERNAL] [MS-OAPXBC] Exchange PRT for Access Token, HS256 or RS256?

In section 3.2.5.1.3.1 the protocol initially says that "JWTs are signed either with a device key or session keys".

Then for the jwt header alg field it says "HS256" is supported. The session key (session_key_jwe) obtained during the request for PRT would be the symmetric key for the HS256 algorithm. How do we sign instead with the device key? The private key for the device isn't symmetric. Do we instead sign it with RS256? The spec doesn't explain.

Likewise, in section 3.2.5.1.2.1, the PRT request says we can use either "a device key or session keys". The PRT request then explicitly states that we will use the "RS256" alg. RS256 isn't symmetric, so how would we then use the symmetric session key for signing?

--
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com/
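
As an added illustration (not part of the original message, and not code from MS-OAPXBC or Samba), the sketch below shows the generic JWS HS256 mechanics the question refers to: the symmetric key is the HMAC-SHA256 key, and the verifier rejects any token whose alg header does not match the key type it holds. The key, claims and function names are constructed for the example; it does not model the PRT request fields or any key derivation the specification may require, and the RS256 side is left out because it needs the device's RSA key pair.

```python
import base64
import hashlib
import hmac
import json

# Constructed 32-byte key standing in for a symmetric session key (assumption).
DEMO_SESSION_KEY = hashlib.sha256(b"constructed demo session key").digest()

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _encode(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over 'header.payload'."""
    signing_input = _encode({"alg": "HS256", "typ": "JWT"}) + "." + _encode(claims)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)

def verify_hs256(token: str, key: bytes) -> dict:
    """Return the claims or raise ValueError. The algorithm is fixed by the key
    the verifier holds; the token's alg value is checked, never obeyed."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("alg does not match the symmetric key in use")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))

def with_header_alg(token: str, alg: str) -> str:
    """Negative-test helper: same payload and signature under a different alg label."""
    _, payload_b64, sig_b64 = token.split(".")
    return _encode({"alg": alg, "typ": "JWT"}) + "." + payload_b64 + "." + sig_b64

if __name__ == "__main__":
    token = sign_hs256({"demo": "constructed claim"}, DEMO_SESSION_KEY)
    print(verify_hs256(token, DEMO_SESSION_KEY))
    for alg in ("RS256", "none"):
        try:
            verify_hs256(with_header_alg(token, alg), DEMO_SESSION_KEY)
        except ValueError as err:
            print(alg, "rejected:", err)
```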
