
[Feature Request] Enable extensions in the authentication MSAL flow #4956

Open
trwalke opened this issue Oct 16, 2024 · 3 comments
Comments

trwalke (Member) commented Oct 16, 2024

MSAL client type

Confidential

Problem statement

Certain applications would like to extend MSAL's authentication flow to suit their needs.

Proposed solution

Enable the extension of MSAL authentication operations with the implementation of IAuthenticationOperation.

    using System.Collections.Generic;
    using Microsoft.Identity.Client; // AuthenticationResult

    public interface IAuthenticationOperation
    {
        /// <summary>
        /// Token type reported in MSAL telemetry for this authentication scheme.
        /// </summary>
        int TelemetryTokenType { get; }

        /// <summary>
        /// Prefix for the HTTP header that has the token. E.g. "Bearer" or "POP"
        /// </summary>
        string AuthorizationHeaderPrefix { get; }

        /// <summary>
        /// Extra parameters that are added to the request to the /token endpoint.
        /// </summary>
        /// <returns>Name and values of params</returns>
        IReadOnlyDictionary<string, string> GetTokenRequestParams();

        /// <summary>
        /// Key ID of the public / private key pair used by the encryption algorithm, if any.
        /// Tokens obtained by authentication schemes that use this are bound to the KeyId, i.e.
        /// if a different kid is presented, the access token cannot be used.
        /// </summary>
        string KeyId { get; }

        /// <summary>
        /// Creates the access token that goes into an Authorization HTTP header.
        /// </summary>
        void FormatResult(AuthenticationResult authenticationResult);

        /// <summary>
        /// Expected to match the token_type parameter returned by ESTS. Used to disambiguate
        /// between ATs of different types (e.g. Bearer and PoP) when loading from cache etc.
        /// </summary>
        string AccessTokenType { get; }
    }

The implementation will be injected into MSAL with the following API:

    MsalAuthenticationExtension cdtExtension = new MsalAuthenticationExtension()
    {
        OnBeforeTokenRequestHandler = async (data) =>
        {
          ...
        },

        AuthenticationOperation = new MsalTestAuthenticationOperation(),
        AdditionalCacheParameters = new[] { "additional_param1", "additional_param2" }
    };

    // Act
    var result = await app.AcquireTokenForClient(TestConstants.s_scope.ToArray())
        .WithTenantId(TestConstants.Utid)
        .WithAuthenticationExtension(cdtExtension)
        .ExecuteAsync()
        .ConfigureAwait(false);

Alternatives

No response

trwalke added the confidential-client and extensibility labels Oct 16, 2024
rayluo (Contributor) commented Oct 19, 2024

Do we have or need documentation for how to use this extension interface?

For example, in the CDT scenario, the following behaviors would be needed from a client-side SDK, how and where are they addressed by this extension interface?

  1. Tell the token cache to store a req_ds_cnf (or a hash of it) from the token REQUEST, and later use the same value for a cache look-up.
     Is this achieved by OnBeforeTokenRequestHandler, IAuthenticationOperation.KeyId or GetTokenRequestParams()?
  2. Tell the token cache to store an xms_ds_nonce from the token RESPONSE, and later retrieve it when building a CDT.
     Is this achieved by AdditionalCacheParameters?
  3. Mint a CDT. This is done by IAuthenticationOperation.FormatResult().
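
An added example, not code from the issue or from MSAL.NET, that implements the IAuthenticationOperation interface from the proposal above and shows where each of the three behaviours rayluo asks about would live: the request-side parameter goes through GetTokenRequestParams(), the key binding through KeyId, and the minting step through FormatResult(). It assumes the types live in Microsoft.Identity.Client.Extensibility, that AuthenticationResult.AccessToken is settable from FormatResult and that AuthenticationResult.AdditionalResponseParameters exposes extra token-response fields; the req_ds_cnf value format and the signed envelope are constructed for illustration, not the real CDT format.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Extensibility; // assumed namespace of IAuthenticationOperation

// Hypothetical key-bound scheme: tokens are bound to a client-held RSA key identified by KeyId.
public sealed class KeyBoundAuthenticationOperation : IAuthenticationOperation
{
    private readonly RSA _key;

    public KeyBoundAuthenticationOperation(RSA key)
    {
        _key = key;
        // kid = base64url(SHA-256(SubjectPublicKeyInfo)). A different key yields a different kid,
        // so a token cached for another key is never returned for this one.
        KeyId = B64Url(SHA256.HashData(key.ExportSubjectPublicKeyInfo()));
    }

    public int TelemetryTokenType => 5;               // constructed telemetry value
    public string AuthorizationHeaderPrefix => "PoP"; // sent as "Authorization: PoP <token>"
    public string KeyId { get; }
    public string AccessTokenType => "pop";           // must equal the ESTS token_type; keeps PoP and Bearer cache entries apart

    // Extra /token request parameter. req_ds_cnf is the name used in this thread; the value format is illustrative.
    public IReadOnlyDictionary<string, string> GetTokenRequestParams() =>
        new Dictionary<string, string> { ["req_ds_cnf"] = B64Url(_key.ExportSubjectPublicKeyInfo()) };

    // Replaces the raw access token with a compact JWS signed by the bound key (constructed envelope, not a CDT).
    // Assumes AccessToken is settable here and that xms_ds_nonce, cached via AdditionalCacheParameters,
    // is surfaced in AdditionalResponseParameters.
    public void FormatResult(AuthenticationResult result)
    {
        string nonce = null;
        result.AdditionalResponseParameters?.TryGetValue("xms_ds_nonce", out nonce);
        string header = B64Url(JsonSerializer.SerializeToUtf8Bytes(new { alg = "RS256", kid = KeyId }));
        string payload = B64Url(JsonSerializer.SerializeToUtf8Bytes(
            new { at = result.AccessToken, nonce, ts = DateTimeOffset.UtcNow.ToUnixTimeSeconds() }));
        byte[] sig = _key.SignData(Encoding.ASCII.GetBytes($"{header}.{payload}"),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        result.AccessToken = $"{header}.{payload}.{B64Url(sig)}";
    }

    private static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}
```

To use it, pass `new KeyBoundAuthenticationOperation(rsa)` as the AuthenticationOperation of the MsalAuthenticationExtension shown in the proposal, with `AdditionalCacheParameters = new[] { "xms_ds_nonce" }` so the nonce is cached next to the token.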

gladjohn (Contributor) commented

@trwalke Ok to close this?

trwalke (Member, Author) commented Oct 22, 2024

I think so, but it isn't going to be used by anyone at the moment except MISE and it is still in preview. @bgavrilMS does it make sense to add public or internal docs for this?
