Skip to content

docs(design): devex proposal for mTLS PoP on Managed Identity and FIC#3832

Merged
gladjohn merged 2 commits into
masterfrom
gladjohn-patch-3
Jun 8, 2026
Merged

docs(design): devex proposal for mTLS PoP on Managed Identity and FIC#3832
gladjohn merged 2 commits into
masterfrom
gladjohn-patch-3

Conversation

@gladjohn

@gladjohn gladjohn commented Jun 1, 2026

Copy link
Copy Markdown
Contributor

What

Adds a developer-experience design document for enabling mTLS Proof-of-Possession (mTLS PoP) on the two managed-identity credential sources that currently don't support it:

  • AcquireTokenOptions.ManagedIdentity (pure Managed Identity)
  • SignedAssertionFromManagedIdentity (Federated Identity Credential signed by a Managed Identity)

The doc lives at docs/design/msi_fic_mtls_pop_devex.md, alongside the existing managed_identity_capabilities_devex.md.

Why

Microsoft.Identity.Web already supports mTLS PoP for confidential client apps that authenticate with a certificate (see token-binding.md). The opt-in is one line of configuration:

"ProtocolScheme": "MTLS_POP"

The same opt-in does not work today for the two managed-identity credential sources:

Credential source Bearer mTLS PoP today
Certificate
SignedAssertionFromManagedIdentity (FIC) ❌ doesn't exist
AcquireTokenOptions.ManagedIdentity (MSI) ❌ doesn't exist

This is the gap the proposal closes.

What's in scope

  • Configuration parity — the same "ProtocolScheme": "MTLS_POP" knob enables mTLS PoP for all three credential sources.
  • No new public API — opt-in stays declarative; app developers learn nothing new.
  • Two new dev-app samplesdaemon-app-msi-mtls and daemon-app-fic-mtls, modeled on the existing daemon-app-msi.
  • Two doc updatestoken-binding.md (add MI + FIC subsections) and certificateless.md (add a short cross-ref).

What's out of scope

  • Code changes — this PR is docs-only. Implementation lands in a follow-up PR.
  • New mTLS PoP knobs beyond what's already in token-binding.md.

Prerequisites for the implementation PR

  • Microsoft.Identity.Web takes a dependency on Microsoft.Identity.Client.KeyAttestation (GA in the next MSAL release).
  • The downstream resource must accept mTLS PoP tokens.
  • The application's tenant and client must be on the ESTS allow-list for mTLS-bound token issuance.

Add specification for mTLS Proof-of-Possession support in Microsoft.Identity.Web for Managed Identity and Federated Identity Credential.
Comment thread docs/design/msi-fic-pure-mtls-pop-devex.md
Comment thread docs/design/msi-fic-pure-mtls-pop-devex.md
gladjohn pushed a commit that referenced this pull request Jun 8, 2026
Implements devex spec #3832:

- TokenAcquisition: chain WithMtlsProofOfPossession().WithAttestationSupport()
  on the pure-MI builder when ProtocolScheme=MTLS_POP.
- ConfidentialClientApplicationBuilderExtension: dispatch FIC-with-MI to a
  bound-assertion delegate that returns ClientSignedAssertion (carrying both
  the JWT and the MI-minted binding certificate). All other signed-assertion
  source types still throw IDW10115 (preserved by regression test).
- ManagedIdentityClientAssertion: new internal GetSignedAssertionWithBindingAsync
  that calls AcquireTokenForManagedIdentity(...).WithMtlsProofOfPossession()
  .WithAttestationSupport() and returns the bound assertion + cert pair.
- Reference Microsoft.Identity.Client.KeyAttestation 4.84.1-preview.
- IVT from Certificateless to TokenAcquisition (3rd entry in established file).
- 2 new unit tests in WithClientCredentialsTests.cs (930 total pass, 0 fail).
- 2 new daemon samples: daemon-app-msi-mtls, daemon-app-fic-mtls.

No new public API surface.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@gladjohn gladjohn merged commit b860e97 into master Jun 8, 2026
4 checks passed
@gladjohn gladjohn deleted the gladjohn-patch-3 branch June 8, 2026 16:54
```json
{
"AzureKeyVault": {
"BaseUrl": "https://contoso.vault.azure.net/",

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume the AKV url changes to an mtls specific endpoint?

@bgavrilMS bgavrilMS left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

gladjohn added a commit that referenced this pull request Jun 10, 2026
#3839)

* Add MSI mTLS PoP support: pure MI + FIC-with-MI

Implements devex spec #3832:

- TokenAcquisition: chain WithMtlsProofOfPossession().WithAttestationSupport()
  on the pure-MI builder when ProtocolScheme=MTLS_POP.
- ConfidentialClientApplicationBuilderExtension: dispatch FIC-with-MI to a
  bound-assertion delegate that returns ClientSignedAssertion (carrying both
  the JWT and the MI-minted binding certificate). All other signed-assertion
  source types still throw IDW10115 (preserved by regression test).
- ManagedIdentityClientAssertion: new internal GetSignedAssertionWithBindingAsync
  that calls AcquireTokenForManagedIdentity(...).WithMtlsProofOfPossession()
  .WithAttestationSupport() and returns the bound assertion + cert pair.
- Reference Microsoft.Identity.Client.KeyAttestation 4.84.1-preview.
- IVT from Certificateless to TokenAcquisition (3rd entry in established file).
- 2 new unit tests in WithClientCredentialsTests.cs (930 total pass, 0 fail).
- 2 new daemon samples: daemon-app-msi-mtls, daemon-app-fic-mtls.

No new public API surface.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address review feedback: rename effectiveToken; bump KeyAttestation to GA 4.84.2

- Rename CancellationToken variable per cpp11nullptr review feedback to
  avoid confusion with OAuth/auth tokens (effectiveToken ->
  effectiveCancellationToken in GetSignedAssertionWithBindingAsync).
- Bump Microsoft.Identity.Client.KeyAttestation from 4.84.1-preview to
  GA 4.84.2 so it aligns with MSAL 4.84.2 already on master.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* address pr comments

---------

Co-authored-by: gladjohn <gladjohn@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
github-actions Bot pushed a commit to EelcoLos/nx-tinkering that referenced this pull request Jun 30, 2026
Pinned
[Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web)
at 4.11.0.

<details>
<summary>Release notes</summary>

_Sourced from [Microsoft.Identity.Web's
releases](https://github.com/AzureAD/microsoft-identity-web/releases)._

## 4.11.0

## What's Changed
* Bump vitest from 3.2.4 to 4.1.0 in
/tests/DevApps/SidecarAdapter/typescript by @​dependabot[bot] in
AzureAD/microsoft-identity-web#3836
* Bump MSAL.NET to 4.84.2 and align OWIN binding redirects by @​gladjohn
with @​Copilot in
AzureAD/microsoft-identity-web#3844
* docs(design): devex proposal for mTLS PoP on Managed Identity and FIC
by @​gladjohn in
AzureAD/microsoft-identity-web#3832
* Prevent OpenIdConnectMiddlewareDiagnostics from logging sensitive
values by @​iarekk in
AzureAD/microsoft-identity-web#3850
* Add MSI mTLS PoP support: pure MI + FIC-with-MI (impl for devex
#​3832) by @​gladjohn in
AzureAD/microsoft-identity-web#3839
* docs(design): devex proposal for Bearer tokens with bound credentials
by @​gladjohn in
AzureAD/microsoft-identity-web#3833
* Add bound-credential support for Bearer tokens (cert + mTLS) by
@​gladjohn in
AzureAD/microsoft-identity-web#3835
* Upgrade IdWeb Sidecar to .NET 10 (LTS) by @​soodt in
AzureAD/microsoft-identity-web#3841
* MTLS Without Tokens Support - MicrosoftIdentityMessageHandler Support
by @​tlupes in
AzureAD/microsoft-identity-web#3815
* fix: include isTokenBinding in CCA cache key to prevent bearer/PoP
collision by @​gladjohn in
AzureAD/microsoft-identity-web#3867
* Test + doc: x-ms-tokenboundauth header for AKV mTLS PoP via
ExtraHeaderParameters by @​gladjohn in
AzureAD/microsoft-identity-web#3864
* Add mTLS PoP Copilot skill (certificate, MSI, FIC) by @​gladjohn in
AzureAD/microsoft-identity-web#3872
* Fix CVE-2026-48109: Pin MessagePack to patched version 2.5.301 by
@​soodt in AzureAD/microsoft-identity-web#3865
* Sidecar: gate agent identity parameters behind AllowOverrides by
@​iNinja in AzureAD/microsoft-identity-web#3871
* Bump System.Formats.Asn1 base version to 10.0.2 by @​iarekk in
AzureAD/microsoft-identity-web#3875
* Bump Microsoft.IdentityModel.* from 8.18.0 to 8.19.1 by @​iarekk in
AzureAD/microsoft-identity-web#3879
* Use IIdentityLogger for MSAL logging in TokenAcquisition and
ManagedIdentityClientAssertion (#​3820) by @​neha-bhargava in
AzureAD/microsoft-identity-web#3880
* Update Microsoft.Identity.Abstractions to 12.2.0 and MSAL to 4.85.0 by
@​neha-bhargava in
AzureAD/microsoft-identity-web#3881
* Surface MSAL AuthenticationResultMetadata + exception details on
AcquireTokenResult by @​neha-bhargava in
AzureAD/microsoft-identity-web#3856
* Flow outgoing request to header providers via AcquireTokenOptions by
@​neha-bhargava in
AzureAD/microsoft-identity-web#3876
* Throw on Authority vs Instance/TenantId conflict (OIDC + MSAL parity)
by @​iarekk in
AzureAD/microsoft-identity-web#3873
* Delete .github/workflows/evergreen.yml by @​bgavrilMS in
AzureAD/microsoft-identity-web#3803
* Add comprehensive authority configuration and precedence documentation
by @​jmprieur with @​Copilot in
AzureAD/microsoft-identity-web#3617
* Bump js-yaml from 4.1.1 to 4.2.0 in
/tests/DevApps/SidecarAdapter/typescript by @​dependabot[bot] in
AzureAD/microsoft-identity-web#3862
* Move authority docs into docs/authority-configuration/ subfolder by
@​iarekk in AzureAD/microsoft-identity-web#3885
* Revert "Throw on Authority vs Instance/TenantId conflict (#​3873)" by
@​iarekk in AzureAD/microsoft-identity-web#3888
* Update Microsoft.Identity.Client to 4.85.1 by @​neha-bhargava in
AzureAD/microsoft-identity-web#3889
* Enable E2E test coverage on internal Azure DevOps pipelines by
@​gladjohn in
AzureAD/microsoft-identity-web#3883
* Bump esbuild and tsx in /tests/DevApps/SidecarAdapter/typescript by
@​dependabot[bot] in
AzureAD/microsoft-identity-web#3859
* Skip AcquireTokenWithMtlsPop test: AAD westus3 test slice returns
Bearer by @​neha-bhargava in
AzureAD/microsoft-identity-web#3892

## New Contributors
* @​iarekk made their first contribution in
AzureAD/microsoft-identity-web#3850
* @​soodt made their first contribution in
AzureAD/microsoft-identity-web#3841

**Full Changelog**:
AzureAD/microsoft-identity-web@4.10.0...4.11.0

Commits viewable in [compare
view](AzureAD/microsoft-identity-web@4.10.0...4.11.0).
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This was referenced Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants