3.1.5.1.4.3 Processing Details
When the client obtains the OpenID Provider Metadata from the server ([MS-OIDCE] section 2.2.3.2), it checks for the capabilities field. If the field exists in the metadata and includes the value "winhello_cert", the client can proceed with this request for a user authentication certificate.
The client first requests a primary refresh token from the server as defined in sections 3.1.5.1.2 and 3.2.5.1.2. It then uses the Primary Refresh Token ADM element (section 3.1.1) to populate the refresh_token field in this request for the user authentication certificate. If the capabilities field of the OpenID Provider Metadata ([MS-OIDCE] section 2.2.3.2) from the server includes the value "kdf_ver2", the client can use KDFv2 for deriving the Session Key. If the client chooses to use KDFv2, the client MUST use SHA256(ctx || assertion payload) instead of ctx as the context for deriving the signing key. The client MUST also add the JWT header field "kdf_ver" with the value set to 2 to communicate that KDFv2 was used for creating the derived signing key.
The client constructs a base64-encoded PKCS #10 certificate request ([MS-WCCE] section 2.2.2.6.1) using the User Authentication Key ADM element (section 3.1.1), and uses it to populate the csr field in this request for the user authentication certificate.
In some cases, the client will have previously registered the public portion of the key that is stored in the User Authentication Key ADM element (section 3.1.1) via the Key request defined in [MS-KPP] section 3.1.5.1. In those cases, the client might have received a value in the pctx field of that response ([MS-KPP] section 3.1.5.1.1.2) and stored it in the Data Store Information ADM element of [MS-KPP] section 3.2.1. If this is true, then the client SHOULD populate the pctx field of this request with that value.
The client derives a signing key from the Session Key ADM element (section 3.1.1), the constant label "AzureAD-SecureConversation", and the ctx value provided in the JWT header of the request by using the process described in [SP800-108]. The client uses this signing key to sign the request.
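The derivation above, as an added illustration that is not part of this specification or any Microsoft implementation: it shows both KDFv1 (ctx as context) and KDFv2 (SHA256(ctx || assertion payload) as context), the "kdf_ver" header, and the server-side re-derivation that checks the signature. It assumes SP800-108 in counter mode with HMAC-SHA256 and a 256-bit output, that the assertion payload fed into KDFv2 is the base64url-encoded JWT payload segment, and that the request JWT is MACed with HS256; none of those details are stated in this section.

```python
import base64
import hashlib
import hmac
import json
import struct

LABEL = b"AzureAD-SecureConversation"  # constant label named in the spec

def sp800_108_counter_kdf(key: bytes, label: bytes, context: bytes, bits: int = 256) -> bytes:
    # SP800-108 counter mode with HMAC-SHA256 as the PRF and a 256-bit output.
    # Assumption: the spec only cites [SP800-108]; it does not name the mode or PRF here.
    # Each block: HMAC(key, [i]_4 || label || 0x00 || context || [bits]_4).
    out = b""
    for i in range(1, (bits + 255) // 256 + 1):
        block = struct.pack(">I", i) + label + b"\x00" + context + struct.pack(">I", bits)
        out += hmac.new(key, block, hashlib.sha256).digest()
    return out[: bits // 8]

def derive_signing_key(session_key: bytes, ctx: bytes, payload_seg: bytes, kdf_ver: int) -> bytes:
    # KDFv1 uses ctx directly; KDFv2 uses SHA256(ctx || assertion payload) as the context.
    # Assumption: the assertion payload is the base64url-encoded JWT payload segment.
    context = hashlib.sha256(ctx + payload_seg).digest() if kdf_ver == 2 else ctx
    return sp800_108_counter_kdf(session_key, LABEL, context)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def sign_request(session_key: bytes, ctx: bytes, claims: dict, kdf_ver: int = 2) -> str:
    # Client side: put ctx in the JWT header, add kdf_ver=2 when KDFv2 is used, then MAC.
    payload_seg = b64url(json.dumps(claims, separators=(",", ":")).encode())
    header = {"alg": "HS256", "typ": "JWT", "ctx": b64url(ctx)}
    if kdf_ver == 2:
        header["kdf_ver"] = 2
    header_seg = b64url(json.dumps(header, separators=(",", ":")).encode())
    key = derive_signing_key(session_key, ctx, payload_seg.encode(), kdf_ver)
    sig = hmac.new(key, f"{header_seg}.{payload_seg}".encode(), hashlib.sha256).digest()
    return f"{header_seg}.{payload_seg}.{b64url(sig)}"

def verify_request(session_key: bytes, token: str) -> bool:
    # Server side: re-derive the key from the header's ctx and kdf_ver, then compare MACs.
    header_seg, payload_seg, sig_seg = token.split(".")
    header = json.loads(b64url_decode(header_seg))
    key = derive_signing_key(session_key, b64url_decode(header["ctx"]),
                             payload_seg.encode(), header.get("kdf_ver", 1))
    expected = hmac.new(key, f"{header_seg}.{payload_seg}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_seg))
```

Because the server derives the key from the ctx and kdf_ver it reads out of the header, a request signed with a key derived under the wrong version or a different session key fails verification rather than being accepted.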
If the capabilities field of the OpenID Provider Metadata from the server includes the value "winhello_cert_kr", the client can include the krctx parameter, set to a value that contains a JWT. The JWT is structured as defined in section 2.2.2.1 and contains the data defined in section 3.2.5.1.4.3. The "winhello_cert_kr" value is supported on the AD FS server only if its AD FS behavior level is AD_FS_BEHAVIOR_LEVEL_3 or higher. See section 2.2.2.1 for additional support information.