# Add MSI mTLS PoP support: pure MI + FIC-with-MI (impl for devex #3832) #3839
Draft
gladjohn wants to merge 1 commit into
Implements devex spec #3832:
- TokenAcquisition: chain WithMtlsProofOfPossession().WithAttestationSupport() on the pure-MI builder when ProtocolScheme=MTLS_POP.
- ConfidentialClientApplicationBuilderExtension: dispatch FIC-with-MI to a bound-assertion delegate that returns ClientSignedAssertion (carrying both the JWT and the MI-minted binding certificate). All other signed-assertion source types still throw IDW10115 (preserved by regression test).
- ManagedIdentityClientAssertion: new internal GetSignedAssertionWithBindingAsync that calls AcquireTokenForManagedIdentity(...).WithMtlsProofOfPossession().WithAttestationSupport() and returns the bound assertion + cert pair.
- Reference Microsoft.Identity.Client.KeyAttestation 4.84.1-preview.
- IVT from Certificateless to TokenAcquisition (3rd entry in established file).
- 2 new unit tests in WithClientCredentialsTests.cs (930 total pass, 0 fail).
- 2 new daemon samples: daemon-app-msi-mtls, daemon-app-fic-mtls.

No new public API surface.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
### Summary

Implements the devex proposal in #3832: mTLS Proof-of-Possession for Managed Identity (pure MSI) and FIC backed by Managed Identity (federated identity credentials).

Triggered by setting `AuthorizationHeaderProviderOptions.ProtocolScheme = "MTLS_POP"` on the downstream API options (together with `RequestAppToken = true`). No new public API.

### Devex (the entire dev-facing surface)

```json
"AzureKeyVault": {
  "RequestAppToken": true,
  "ProtocolScheme": "MTLS_POP",
  "AcquireTokenOptions": {
    "ManagedIdentity": { "UserAssignedClientId": "..." }
  }
}
```

For FIC-with-MI, add the `SignedAssertionFromManagedIdentity` credential under `AzureAd.ClientCredentials` — the binding cert minted by MI flows through to the outer CCA automatically.

### What changed (~165 LOC of real code)

| File | Change |
| --- | --- |
| `TokenAcquisition.cs` | `WithMtlsProofOfPossession().WithAttestationSupport()` on the pure-MI builder when `IsTokenBinding` is set |
| `ConfidentialClientApplicationBuilderExtension.cs` | `ClientSignedAssertion` (carrying the binding cert). All other signed-assertion source types still throw IDW10115 |
| `ManagedIdentityClientAssertion.cs` | internal `GetSignedAssertionWithBindingAsync` — stateless, no shared mutable flag |
| `Microsoft.Identity.Web.Certificateless.csproj` | Microsoft.Identity.Client.KeyAttestation 4.84.1-preview |
| `Properties/InternalsVisibleTo.cs` | `Microsoft.Identity.Web.TokenAcquisition` (3rd entry, consistent with existing precedent) |

### Why `internal` + IVT (not `public`)

The new method's return type is MSAL's `ClientSignedAssertion` — exposing it would tie ID Web's public surface to MSAL's API shape forever. Keeping it `internal` honors the devex spec's "no new public API" goal and avoids two methods on `ManagedIdentityClientAssertion` that consumers might confuse.

### Why not the previous design (mutable `IsTokenBinding` property)

The prior approach (#3773) added a public `IsTokenBinding { get; set; }` flag on `ManagedIdentityClientAssertion` that callers had to set before invoking `GetSignedAssertionAsync`. That has three issues:

- `GetSignedAssertionAsync` returns `string`, so the binding cert was effectively dropped

This PR replaces it with a stateless delegate that returns `ClientSignedAssertion` (assertion + cert pair), so the binding cert flows correctly into MSAL.

### Tests

`WithClientCredentialsTests.cs`:

- `WithBindingCertificateAsync_FicWithManagedIdentityAssertion_ReturnsBuilder` — dispatch succeeds
- `WithBindingCertificateAsync_FicWithFileBasedAssertion_StillThrows` — IDW10115 regression guard
- `isTokenBinding` cert-based tests unchanged and still pass

### Samples

Two new daemon samples under `tests/DevApps/daemon-app/`:

- `daemon-app-msi-mtls` — pure MI mTLS PoP
- `daemon-app-fic-mtls` — FIC-with-MI mTLS PoP

### Builds

`Microsoft.Identity.Web.TokenAcquisition` (all 6 TFMs): 0 warn / 0 err

### Linked

Closes #3832 (devex)
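The devex in the description is configuration-driven: the `AzureKeyVault` section above, consumed through `IDownstreamApi`, is what sets `ProtocolScheme = "MTLS_POP"` with `RequestAppToken = true`. The program below shows that path end to end from a daemon. It is an added example written for this page, not code from the PR, the `daemon-app-msi-mtls` sample, or the Microsoft.Identity.Web repository. It assumes the standard Id Web daemon bootstrap (`TokenAcquirerFactory.GetDefaultInstance()`, `AddDownstreamApi`, `IDownstreamApi.CallApiForAppAsync`), that `appsettings.json` contains the `AzureAd` section plus the `AzureKeyVault` section from the description, and that the `BaseUrl`, `Scopes` and `RelativePath` values (elided on the page) are the ones set in the override delegate; the `RequireMtlsPop` guard is a hypothetical defensive check, not part of the library.

```csharp
// Added example, not part of PR #3839 or its samples. Assumptions are marked inline.
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Abstractions;
using Microsoft.Identity.Web;

public static class MtlsPopDaemon
{
    // Hypothetical guard (not a library API): a token that was configured to be
    // mTLS-bound must never silently degrade to a plain Bearer call, e.g. because a
    // caller's override delegate or a merged config section reset ProtocolScheme.
    public static bool RequireMtlsPop(AuthorizationHeaderProviderOptions options)
    {
        return options.RequestAppToken
            && string.Equals(options.ProtocolScheme, "MTLS_POP", StringComparison.OrdinalIgnoreCase)
            && options.AcquireTokenOptions?.ManagedIdentity is not null;
    }

    public static async Task<HttpResponseMessage> CallKeyVaultAsync()
    {
        // Standard Id Web daemon bootstrap: reads appsettings.json and wires up
        // token acquisition. ASSUMPTION: appsettings.json carries the AzureAd section
        // and the "AzureKeyVault" section shown in the PR description.
        TokenAcquirerFactory factory = TokenAcquirerFactory.GetDefaultInstance();
        factory.Services.AddDownstreamApi("AzureKeyVault",
            factory.Configuration.GetSection("AzureKeyVault"));
        IServiceProvider sp = factory.Build();
        IDownstreamApi api = sp.GetRequiredService<IDownstreamApi>();

        // "AzureKeyVault" resolves to the configured options; RequestAppToken=true and
        // ProtocolScheme="MTLS_POP" there are the only switches this PR introduces on the
        // pure-MI path. BaseUrl/Scopes/RelativePath are ASSUMED values filled in here
        // because the page elides them.
        return await api.CallApiForAppAsync("AzureKeyVault", options =>
        {
            options.BaseUrl = "https://contoso.vault.azure.net";
            options.Scopes = new[] { "https://vault.azure.net/.default" };
            options.RelativePath = "secrets?api-version=7.4";

            if (!RequireMtlsPop(options))
            {
                throw new InvalidOperationException(
                    "AzureKeyVault must be called with an mTLS PoP app token from Managed Identity.");
            }
        });
    }
}
```

Usage: call `await MtlsPopDaemon.CallKeyVaultAsync()` from `Program.Main` on a VM or container that has the user-assigned managed identity assigned; the MI-minted binding certificate never appears in application code, which is the point of the PR's stateless delegate design.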