[cifs-protocol] [EXTERNAL] Re: [MS-OAPXBC] Exchange PRT for Access Token, HS256 or RS256? - TrackingID#2312150040011919

Kristian Smith Kristian.Smith at microsoft.com
Sat Jan 6 17:01:04 UTC 2024


Hi David,

Thanks for your patience on this issue. The engineering group and I have come to the same conclusion as you. I've submitted a documentation change request to add specificity to which key should be used in each scenario.

Something like this:

Change 3.2.5.1.2.1 from: "The JWTs are signed either with a device key or session keys."
to: "The JWTs are signed with a device key"

AND

Change 3.2.5.1.3.1 from: "The JWTs are signed either with a device key or session keys."
to: "The JWTs are signed with a session key"

I will be out of the office until January 23rd, so if you have any pressing follow-up concerns, please add the dochelp alias and one of my teammates will be happy to assist. Otherwise I'll see your email when I return.

Thanks for helping us build better documentation!



Regards,

Kristian Smith

Support Escalation Engineer | Windows Protocols | Microsoft® Corporation

Office phone: +1 425-421-4442

Email: kristian.smith at microsoft.com

Working hours: 8:00 am - 5:00 pm PST, Monday – Friday

devbu at microsoft.com. One of my colleagues will gladly continue working on this issue.

________________________________
From: David Mulder <dmulder at samba.org>
Sent: Tuesday, December 19, 2023 9:44 AM
To: Kristian Smith <Kristian.Smith at microsoft.com>
Cc: cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
Subject: [EXTERNAL] Re: [MS-OAPXBC] Exchange PRT for Access Token, HS256 or RS256? - TrackingID#2312150040011919


On 12/19/23 10:39 AM, Kristian Smith wrote:
> [Obaid to Bcc]
>
> Hi David,
>
> I'll be looking into this OAuth question you've posed. Once I've completed my research, I'll reach out to you with my findings.

FYI, I think the correct answer is that these pages need to be updated to say to sign with the device key for RS256, or sign with the session key for HS256. They should not say that you can sign with either. When I send an Exchange PRT request signed with the device key and RS256, the request is ignored.

--
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com
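
The key/algorithm pairing discussed in this thread, seen from the verifying side, as an added example that is not part of the original messages and is not Microsoft's or Samba's code: a verifier that holds a symmetric session key accepts only HS256 and never lets the token header choose the algorithm. The key, claims and function names are constructed for illustration, and the key derivation and claim set that MS-OAPXBC defines are not reproduced here.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(header: dict, claims: dict, session_key: bytes) -> str:
    """Compact JWS signed with HMAC-SHA256; header is a parameter so a mislabelled token can be built."""
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    mac = hmac.new(session_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def verify_session_signed(token: str, session_key: bytes) -> dict:
    """Return the claims, or raise ValueError. Only HS256 is accepted."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    # The verifier holds a symmetric session key, so the algorithm is fixed
    # by the key type and never taken from the untrusted header.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("session-key tokens must be HS256")
    expected = hmac.new(session_key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))


if __name__ == "__main__":
    key = bytes(range(32))  # constructed session key, not a real one
    good = make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "constructed"}, key)
    print(verify_session_signed(good, key))
    mislabelled = make_token({"alg": "RS256", "typ": "JWT"}, {"sub": "constructed"}, key)
    try:
        verify_session_signed(mislabelled, key)
    except ValueError as err:
        print("rejected:", err)
```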