Adding AT PoP skeleton (#2511)

* adding "-AT PoP" option to "Set-MgGraphOptions"

---------

Author: FehintolaObafemi

docs/authentication.md

@@ -116,6 +116,8 @@ Before using the provided `-AccessToken` to get Microsoft Graph resources, custo
 
 AT PoP is a security mechanism that binds an access token to a cryptographic key that only the intended recipient has. This prevents unauthorized use of the token by malicious actors. AT PoP enhances data protection, reduces token replay attacks, and enables fine-grained authorization policies.
 
+Note: AT PoP requires WAM to function.
+
 Microsoft Graph PowerShell module supports AT PoP in the following scenario:
 
 - To enable AT PoP on supported devices

src/Authentication/Authentication.Core/Microsoft.Graph.Authentication.Core.csproj

@@ -1,22 +1,22 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
   <Import Project="$(MSBuildThisFileDirectory)..\..\..\Repo.props" />
   <PropertyGroup>
     <LangVersion>9.0</LangVersion>
     <TargetFrameworks>netstandard2.0;net6.0;net472</TargetFrameworks>
     <RootNamespace>Microsoft.Graph.PowerShell.Authentication.Core</RootNamespace>
-    <Version>2.18.0</Version>
+    <Version>2.12.0</Version>
   </PropertyGroup>
   <PropertyGroup>
     <EnableNETAnalyzers>true</EnableNETAnalyzers>
     <EnforceCodeStyleInBuild>true</EnforceCodeStyleInBuild>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Azure.Identity" Version="1.11.0" />
-    <PackageReference Include="Azure.Identity.Broker" Version="1.0.0-beta.5" />
-    <PackageReference Include="Azure.Identity.BrokeredAuthentication" Version="1.0.0-beta.3" />
-    <PackageReference Include="Microsoft.Graph.Core" Version="3.0.9" />
-    <PackageReference Include="Microsoft.Identity.Client" Version="4.56.0" />
-    <PackageReference Include="Microsoft.Identity.Client.Broker" Version="4.56.0" />
+    <PackageReference Include="Azure.Identity" Version="1.11.0-beta.1" />
+    <PackageReference Include="Azure.Core" Version="1.38.0" />
+    <PackageReference Include="Azure.Identity.Broker" Version="1.1.0-beta.1" />
+    <PackageReference Include="Microsoft.Graph.Core" Version="3.1.8" />
+    <PackageReference Include="Microsoft.Identity.Client" Version="4.59.0" />
+    <PackageReference Include="Microsoft.Identity.Client.Broker" Version="4.59.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
   </ItemGroup>
   <Target Name="CopyFiles" AfterTargets="Build">

src/Authentication/Authentication.Core/Utilities/AuthenticationHelpers.cs

@@ -3,6 +3,7 @@
 // ------------------------------------------------------------------------------
 using Azure.Core;
 using Azure.Core.Diagnostics;
+using Azure.Core.Pipeline;
 using Azure.Identity;
 using Azure.Identity.Broker;
 using Microsoft.Graph.Authentication;
@@ -86,6 +87,12 @@ private static bool IsWamSupported()
             return GraphSession.Instance.GraphOption.EnableWAMForMSGraph && SharedUtilities.IsWindowsPlatform();
         }
 
+        //Check to see if ATPoP is Supported
+        private static bool IsATPoPSupported()
+        {
+            return GraphSession.Instance.GraphOption.EnableATPoPForMSGraph;
+        }
+
         private static async Task<TokenCredential> GetClientSecretCredentialAsync(IAuthContext authContext)
         {
             if (authContext is null)
@@ -125,11 +132,45 @@ private static async Task<InteractiveBrowserCredential> GetInteractiveBrowserCre
                 var interactiveBrowserCredential = new InteractiveBrowserCredential(interactiveOptions);
                 if (IsWamSupported())
                 {
-                    authRecord = await Task.Run(() =>
+                    // Adding a scenario to account for Access Token Proof of Possession
+                    if (IsATPoPSupported())
                     {
-                        // Run the thread in MTA.
-                        return interactiveBrowserCredential.Authenticate(new TokenRequestContext(authContext.Scopes), cancellationToken);
-                    });
+                        // Logic to implement ATPoP Authentication
+                        authRecord = await Task.Run(() =>
+                        {
+                            var popTokenAuthenticationPolicy = new PopTokenAuthenticationPolicy(interactiveBrowserCredential as ISupportsProofOfPossession, $"https://graph.microsoft.com/.default");
+
+                            var pipelineOptions = new HttpPipelineOptions(new PopClientOptions()
+                            {
+                                Diagnostics = 
+                                {
+                                    IsLoggingContentEnabled = true,
+                                    LoggedHeaderNames = { "Authorization" }
+                                },
+                            });
+                            pipelineOptions.PerRetryPolicies.Add(popTokenAuthenticationPolicy);
+
+                            var _pipeline = HttpPipelineBuilder.Build(pipelineOptions, new HttpPipelineTransportOptions { ServerCertificateCustomValidationCallback = (_) => true });
+                            using var request = _pipeline.CreateRequest();
+                            request.Method = RequestMethod.Get;
+                            request.Uri.Reset(new Uri("https://20.190.132.47/beta/me"));
+                            var response = _pipeline.SendRequest(request, cancellationToken);
+                            var message = new HttpMessage(request, new ResponseClassifier());
+
+                            // Manually invoke the authentication policy's process method
+                            popTokenAuthenticationPolicy.ProcessAsync(message, ReadOnlyMemory<HttpPipelinePolicy>.Empty);
+                            // Run the thread in MTA.
+                            return interactiveBrowserCredential.Authenticate(new TokenRequestContext(authContext.Scopes), cancellationToken);
+                        });
+                    }
+                    else
+                    {
+                        authRecord = await Task.Run(() =>
+                        {
+                            // Run the thread in MTA.
+                            return interactiveBrowserCredential.Authenticate(new TokenRequestContext(authContext.Scopes), cancellationToken);
+                        });
+                    }
                 }
                 else
                 {
@@ -447,4 +488,7 @@ public static Task DeleteAuthRecordAsync()
             return Task.CompletedTask;
         }
     }
+    internal class PopClientOptions : ClientOptions
+    {
+    }
 }