docs(design): devex proposal for mTLS PoP on Managed Identity and FIC#3832
Merged
Conversation
Add specification for mTLS Proof-of-Possession support in Microsoft.Identity.Web for Managed Identity and Federated Identity Credential.
This was referenced Jun 1, 2026
cpp11nullptr
reviewed
Jun 8, 2026
cpp11nullptr
reviewed
Jun 8, 2026
cpp11nullptr
approved these changes
Jun 8, 2026
gladjohn
pushed a commit
that referenced
this pull request
Jun 8, 2026
Implements devex spec #3832: - TokenAcquisition: chain WithMtlsProofOfPossession().WithAttestationSupport() on the pure-MI builder when ProtocolScheme=MTLS_POP. - ConfidentialClientApplicationBuilderExtension: dispatch FIC-with-MI to a bound-assertion delegate that returns ClientSignedAssertion (carrying both the JWT and the MI-minted binding certificate). All other signed-assertion source types still throw IDW10115 (preserved by regression test). - ManagedIdentityClientAssertion: new internal GetSignedAssertionWithBindingAsync that calls AcquireTokenForManagedIdentity(...).WithMtlsProofOfPossession() .WithAttestationSupport() and returns the bound assertion + cert pair. - Reference Microsoft.Identity.Client.KeyAttestation 4.84.1-preview. - IVT from Certificateless to TokenAcquisition (3rd entry in established file). - 2 new unit tests in WithClientCredentialsTests.cs (930 total pass, 0 fail). - 2 new daemon samples: daemon-app-msi-mtls, daemon-app-fic-mtls. No new public API surface. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
bgavrilMS
reviewed
Jun 9, 2026
| ```json | ||
| { | ||
| "AzureKeyVault": { | ||
| "BaseUrl": "https://contoso.vault.azure.net/", |
Member
There was a problem hiding this comment.
I assume the AKV url changes to an mtls specific endpoint?
gladjohn
added a commit
that referenced
this pull request
Jun 10, 2026
#3839) * Add MSI mTLS PoP support: pure MI + FIC-with-MI Implements devex spec #3832: - TokenAcquisition: chain WithMtlsProofOfPossession().WithAttestationSupport() on the pure-MI builder when ProtocolScheme=MTLS_POP. - ConfidentialClientApplicationBuilderExtension: dispatch FIC-with-MI to a bound-assertion delegate that returns ClientSignedAssertion (carrying both the JWT and the MI-minted binding certificate). All other signed-assertion source types still throw IDW10115 (preserved by regression test). - ManagedIdentityClientAssertion: new internal GetSignedAssertionWithBindingAsync that calls AcquireTokenForManagedIdentity(...).WithMtlsProofOfPossession() .WithAttestationSupport() and returns the bound assertion + cert pair. - Reference Microsoft.Identity.Client.KeyAttestation 4.84.1-preview. - IVT from Certificateless to TokenAcquisition (3rd entry in established file). - 2 new unit tests in WithClientCredentialsTests.cs (930 total pass, 0 fail). - 2 new daemon samples: daemon-app-msi-mtls, daemon-app-fic-mtls. No new public API surface. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Address review feedback: rename effectiveToken; bump KeyAttestation to GA 4.84.2 - Rename CancellationToken variable per cpp11nullptr review feedback to avoid confusion with OAuth/auth tokens (effectiveToken -> effectiveCancellationToken in GetSignedAssertionWithBindingAsync). - Bump Microsoft.Identity.Client.KeyAttestation from 4.84.1-preview to GA 4.84.2 so it aligns with MSAL 4.84.2 already on master. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * address pr comments --------- Co-authored-by: gladjohn <gladjohn@microsoft.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This was referenced Jun 24, 2026
Merged
Closed
Closed
github-actions Bot
pushed a commit
to EelcoLos/nx-tinkering
that referenced
this pull request
Jun 30, 2026
Pinned [Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web) at 4.11.0. <details> <summary>Release notes</summary> _Sourced from [Microsoft.Identity.Web's releases](https://github.com/AzureAD/microsoft-identity-web/releases)._ ## 4.11.0 ## What's Changed * Bump vitest from 3.2.4 to 4.1.0 in /tests/DevApps/SidecarAdapter/typescript by @dependabot[bot] in AzureAD/microsoft-identity-web#3836 * Bump MSAL.NET to 4.84.2 and align OWIN binding redirects by @gladjohn with @Copilot in AzureAD/microsoft-identity-web#3844 * docs(design): devex proposal for mTLS PoP on Managed Identity and FIC by @gladjohn in AzureAD/microsoft-identity-web#3832 * Prevent OpenIdConnectMiddlewareDiagnostics from logging sensitive values by @iarekk in AzureAD/microsoft-identity-web#3850 * Add MSI mTLS PoP support: pure MI + FIC-with-MI (impl for devex #3832) by @gladjohn in AzureAD/microsoft-identity-web#3839 * docs(design): devex proposal for Bearer tokens with bound credentials by @gladjohn in AzureAD/microsoft-identity-web#3833 * Add bound-credential support for Bearer tokens (cert + mTLS) by @gladjohn in AzureAD/microsoft-identity-web#3835 * Upgrade IdWeb Sidecar to .NET 10 (LTS) by @soodt in AzureAD/microsoft-identity-web#3841 * MTLS Without Tokens Support - MicrosoftIdentityMessageHandler Support by @tlupes in AzureAD/microsoft-identity-web#3815 * fix: include isTokenBinding in CCA cache key to prevent bearer/PoP collision by @gladjohn in AzureAD/microsoft-identity-web#3867 * Test + doc: x-ms-tokenboundauth header for AKV mTLS PoP via ExtraHeaderParameters by @gladjohn in AzureAD/microsoft-identity-web#3864 * Add mTLS PoP Copilot skill (certificate, MSI, FIC) by @gladjohn in AzureAD/microsoft-identity-web#3872 * Fix CVE-2026-48109: Pin MessagePack to patched version 2.5.301 by @soodt in AzureAD/microsoft-identity-web#3865 * Sidecar: gate agent identity parameters behind AllowOverrides by @iNinja in AzureAD/microsoft-identity-web#3871 * Bump System.Formats.Asn1 base version to 10.0.2 by @iarekk in AzureAD/microsoft-identity-web#3875 * Bump Microsoft.IdentityModel.* from 8.18.0 to 8.19.1 by @iarekk in AzureAD/microsoft-identity-web#3879 * Use IIdentityLogger for MSAL logging in TokenAcquisition and ManagedIdentityClientAssertion (#3820) by @neha-bhargava in AzureAD/microsoft-identity-web#3880 * Update Microsoft.Identity.Abstractions to 12.2.0 and MSAL to 4.85.0 by @neha-bhargava in AzureAD/microsoft-identity-web#3881 * Surface MSAL AuthenticationResultMetadata + exception details on AcquireTokenResult by @neha-bhargava in AzureAD/microsoft-identity-web#3856 * Flow outgoing request to header providers via AcquireTokenOptions by @neha-bhargava in AzureAD/microsoft-identity-web#3876 * Throw on Authority vs Instance/TenantId conflict (OIDC + MSAL parity) by @iarekk in AzureAD/microsoft-identity-web#3873 * Delete .github/workflows/evergreen.yml by @bgavrilMS in AzureAD/microsoft-identity-web#3803 * Add comprehensive authority configuration and precedence documentation by @jmprieur with @Copilot in AzureAD/microsoft-identity-web#3617 * Bump js-yaml from 4.1.1 to 4.2.0 in /tests/DevApps/SidecarAdapter/typescript by @dependabot[bot] in AzureAD/microsoft-identity-web#3862 * Move authority docs into docs/authority-configuration/ subfolder by @iarekk in AzureAD/microsoft-identity-web#3885 * Revert "Throw on Authority vs Instance/TenantId conflict (#3873)" by @iarekk in AzureAD/microsoft-identity-web#3888 * Update Microsoft.Identity.Client to 4.85.1 by @neha-bhargava in AzureAD/microsoft-identity-web#3889 * Enable E2E test coverage on internal Azure DevOps pipelines by @gladjohn in AzureAD/microsoft-identity-web#3883 * Bump esbuild and tsx in /tests/DevApps/SidecarAdapter/typescript by @dependabot[bot] in AzureAD/microsoft-identity-web#3859 * Skip AcquireTokenWithMtlsPop test: AAD westus3 test slice returns Bearer by @neha-bhargava in AzureAD/microsoft-identity-web#3892 ## New Contributors * @iarekk made their first contribution in AzureAD/microsoft-identity-web#3850 * @soodt made their first contribution in AzureAD/microsoft-identity-web#3841 **Full Changelog**: AzureAD/microsoft-identity-web@4.10.0...4.11.0 Commits viewable in [compare view](AzureAD/microsoft-identity-web@4.10.0...4.11.0). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This was referenced Jun 30, 2026
Closed
Closed
Closed
Closed
Open
Open
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds a developer-experience design document for enabling mTLS Proof-of-Possession (mTLS PoP) on the two managed-identity credential sources that currently don't support it:
AcquireTokenOptions.ManagedIdentity(pure Managed Identity)SignedAssertionFromManagedIdentity(Federated Identity Credential signed by a Managed Identity)The doc lives at
docs/design/msi_fic_mtls_pop_devex.md, alongside the existingmanaged_identity_capabilities_devex.md.Why
Microsoft.Identity.Webalready supports mTLS PoP for confidential client apps that authenticate with a certificate (seetoken-binding.md). The opt-in is one line of configuration:The same opt-in does not work today for the two managed-identity credential sources:
SignedAssertionFromManagedIdentity(FIC)AcquireTokenOptions.ManagedIdentity(MSI)This is the gap the proposal closes.
What's in scope
"ProtocolScheme": "MTLS_POP"knob enables mTLS PoP for all three credential sources.daemon-app-msi-mtlsanddaemon-app-fic-mtls, modeled on the existingdaemon-app-msi.token-binding.md(add MI + FIC subsections) andcertificateless.md(add a short cross-ref).What's out of scope
token-binding.md.Prerequisites for the implementation PR
Microsoft.Identity.Webtakes a dependency onMicrosoft.Identity.Client.KeyAttestation(GA in the next MSAL release).