-
Notifications
You must be signed in to change notification settings - Fork 268
docs(design): devex proposal for mTLS PoP on Managed Identity and FIC #3832
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
2 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,270 @@ | ||
| # Microsoft.Identity.Web – mTLS Proof-of-Possession for Managed Identity and FIC | ||
|
|
||
| ## Why mTLS Proof-of-Possession? | ||
|
|
||
| mTLS Proof-of-Possession (mTLS PoP) is a sender-constrained token format. The | ||
| access token is bound to a client certificate and the call to the downstream | ||
| API is made over mTLS using that certificate. A leaked or replayed bearer | ||
| token is useless to an attacker who does not also hold the private key. | ||
|
|
||
| Microsoft.Identity.Web already supports mTLS PoP for confidential client | ||
| applications that authenticate with a certificate | ||
| ([`docs/calling-downstream-apis/token-binding.md`](../calling-downstream-apis/token-binding.md)). | ||
| The same `"ProtocolScheme": "MTLS_POP"` opt-in is silently ignored by two | ||
| other credential sources that app developers rely on heavily: | ||
|
|
||
| * `AcquireTokenOptions.ManagedIdentity` (pure Managed Identity) | ||
| * `SignedAssertionFromManagedIdentity` (Federated Identity Credential signed | ||
| by a Managed Identity) | ||
|
|
||
| This spec closes that gap. | ||
|
|
||
| ## What this spec adds to **Microsoft.Identity.Web** | ||
|
|
||
| * **Declarative opt-in** – one configuration knob | ||
| (`"ProtocolScheme": "MTLS_POP"` on the downstream API), identical to the | ||
| existing certificate-based flow. | ||
| * **Two new credential paths** – the same opt-in now works with Managed | ||
| Identity and FIC-with-MI. | ||
| * **Transparent binding** – IdWeb forwards the request to MSAL, MSAL | ||
| provisions the binding certificate via the V2 Managed Identity credential | ||
| API (Key Guard + attestation), and the downstream HTTP call uses that | ||
| certificate over mTLS. | ||
|
|
||
| The goal is **zero-touch** for developers who already use Managed Identity or | ||
| FIC for bearer tokens. | ||
|
|
||
| ## Support matrix | ||
|
|
||
| | Credential source | Bearer | mTLS PoP today | mTLS PoP after this change | | ||
| |---|---|---|---| | ||
| | Certificate (Key Vault, Path, Store, Base64) | ✅ | ✅ | ✅ | | ||
| | Client secret | ✅ | n/a | n/a | | ||
| | `SignedAssertionFromManagedIdentity` (FIC) | ✅ | ❌ | ✅ | | ||
| | `AcquireTokenOptions.ManagedIdentity` (MSI) | ✅ | ❌ | ✅ | | ||
|
|
||
| ## How developers wire things up today (Bearer) | ||
|
|
||
| ### Managed Identity | ||
|
|
||
| ```json | ||
| { | ||
| "AzureKeyVault": { | ||
| "BaseUrl": "https://contoso.vault.azure.net/", | ||
| "RelativePath": "secrets/mysecret?api-version=7.4", | ||
| "Scopes": [ "https://vault.azure.net/.default" ], | ||
| "RequestAppToken": true, | ||
| "AcquireTokenOptions": { | ||
| "ManagedIdentity": { | ||
| "UserAssignedClientId": "<UAMI-client-id>" | ||
| } | ||
| } | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| Sample: [`tests/DevApps/daemon-app/daemon-app-msi`](../../tests/DevApps/daemon-app/daemon-app-msi). | ||
|
|
||
| ### Federated Identity Credential with Managed Identity | ||
|
|
||
| ```json | ||
| { | ||
| "AzureAd": { | ||
| "Instance": "https://login.microsoftonline.com/", | ||
| "TenantId": "<tenant>", | ||
| "ClientId": "<app-registration-client-id>", | ||
| "ClientCredentials": [ | ||
| { | ||
| "SourceType": "SignedAssertionFromManagedIdentity", | ||
| "ManagedIdentityClientId": "<UAMI-client-id>" | ||
| } | ||
| ] | ||
| }, | ||
| "AzureKeyVault": { | ||
| "BaseUrl": "https://contoso.vault.azure.net/", | ||
| "Scopes": [ "https://vault.azure.net/.default" ], | ||
| "RequestAppToken": true | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| Docs: [`certificateless.md`](../authentication/credentials/certificateless.md). | ||
|
|
||
| ## What is missing today | ||
|
|
||
| ### Managed Identity + `"ProtocolScheme": "MTLS_POP"` | ||
|
|
||
| The Managed Identity code path in `TokenAcquisition` does not check the | ||
| `IsTokenBinding` flag that the downstream-API binder sets when | ||
| `ProtocolScheme` is `"MTLS_POP"`. A plain bearer token is returned with no | ||
| error. If the downstream API enforces mTLS PoP, the call fails downstream | ||
| with nothing in the IdWeb logs to explain why. | ||
|
|
||
| ### FIC + `"ProtocolScheme": "MTLS_POP"` | ||
|
|
||
| `ConfidentialClientApplicationBuilderExtension.WithClientCredentialsAsync` | ||
| requires a `Certificate` on the credential when `isTokenBinding` is `true`. A | ||
| signed assertion has no certificate, so the call throws: | ||
|
|
||
| ``` | ||
| InvalidOperationException: A certificate, which is required for token binding, | ||
| is missing in loaded credentials. | ||
| ``` | ||
|
|
||
| The error is accurate but the underlying cause is "this combination was never | ||
| implemented." | ||
|
|
||
| ## Design Goals | ||
|
|
||
| | # | Goal | Success Metric | | ||
| |-----|-----------------------------------------------------------------------|----------------------------------------------------------------------| | ||
| | G1 | Honor `"ProtocolScheme": "MTLS_POP"` on the Managed Identity path. | MSI request issues an mTLS-bound token; downstream call is over mTLS. | | ||
| | G2 | Honor `"ProtocolScheme": "MTLS_POP"` on the FIC-with-MI path. | FIC request issues an mTLS-bound token; downstream call is over mTLS. | | ||
| | G3 | Configuration parity with the certificate flow. | One knob (`ProtocolScheme`) for all three credential sources. | | ||
| | G4 | No new typed public API on `DownstreamApiOptions`. | Opt-in stays declarative; no C# wiring required by app developers. | | ||
|
|
||
| ## Public API Impact | ||
|
gladjohn marked this conversation as resolved.
|
||
|
|
||
| No changes to the public API. The behavior change is entirely behind the | ||
| existing `"ProtocolScheme": "MTLS_POP"` configuration value. | ||
|
|
||
| ## Configuration Example | ||
|
|
||
| ### Managed Identity + mTLS PoP | ||
|
|
||
| ```json | ||
| { | ||
| "AzureKeyVault": { | ||
| "BaseUrl": "https://contoso.vault.azure.net/", | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I assume the AKV url changes to an mtls specific endpoint? |
||
| "Scopes": [ "https://vault.azure.net/.default" ], | ||
| "RequestAppToken": true, | ||
| "ProtocolScheme": "MTLS_POP", | ||
| "AcquireTokenOptions": { | ||
| "ManagedIdentity": { | ||
| "UserAssignedClientId": "<UAMI-client-id>" | ||
| } | ||
| } | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| Omit `UserAssignedClientId` for system-assigned Managed Identity. | ||
|
|
||
| ### FIC + mTLS PoP | ||
|
|
||
| ```json | ||
| { | ||
| "AzureAd": { | ||
| "TenantId": "<tenant>", | ||
| "ClientId": "<app-registration-client-id>", | ||
| "ClientCredentials": [ | ||
| { | ||
| "SourceType": "SignedAssertionFromManagedIdentity", | ||
| "ManagedIdentityClientId": "<UAMI-client-id>" | ||
| } | ||
| ] | ||
| }, | ||
| "AzureKeyVault": { | ||
| "BaseUrl": "https://contoso.vault.azure.net/", | ||
| "Scopes": [ "https://vault.azure.net/.default" ], | ||
| "RequestAppToken": true, | ||
| "ProtocolScheme": "MTLS_POP" | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| > **Note** : The same configuration block works in *appsettings.json* or can | ||
| > be supplied programmatically. | ||
|
|
||
| ## Code Snippets | ||
|
|
||
| ### Registering & Calling a Downstream API | ||
|
|
||
| ```csharp | ||
| // 1 – set up the TokenAcquirerFactory | ||
| var factory = TokenAcquirerFactory.GetDefaultInstance(); | ||
|
|
||
| // 2 – register the downstream API using section "AzureKeyVault" | ||
| factory.Services.AddDownstreamApi("AzureKeyVault", | ||
| factory.Configuration.GetSection("AzureKeyVault")); | ||
|
|
||
| IServiceProvider sp = factory.Build(); | ||
| IDownstreamApi api = sp.GetRequiredService<IDownstreamApi>(); | ||
|
|
||
| // 3 – call the API (Id.Web handles mTLS PoP automatically) | ||
| HttpResponseMessage resp = await api.CallApiForAppAsync("AzureKeyVault"); | ||
| ``` | ||
|
|
||
| ### Using **IAuthorizationHeaderProvider** (advanced) | ||
|
|
||
| `IAuthorizationHeaderProvider` works with Managed Identity and FIC mTLS PoP | ||
| tokens the same way it works with the certificate flow: | ||
|
|
||
| ```csharp | ||
| var headerProvider = sp.GetRequiredService<IAuthorizationHeaderProvider>(); | ||
| string header = await headerProvider.CreateAuthorizationHeaderForAppAsync( | ||
| scope: "https://vault.azure.net/.default", | ||
| options: new AuthorizationHeaderProviderOptions | ||
| { | ||
| ProtocolScheme = "MTLS_POP", | ||
| AcquireTokenOptions = new AcquireTokenOptions | ||
| { | ||
| ManagedIdentity = new ManagedIdentityOptions() | ||
| } | ||
| }); | ||
| ``` | ||
|
|
||
| ## How it works | ||
|
|
||
| For both new paths, `TokenAcquisition` reads the `IsTokenBinding` flag the | ||
| downstream-API binder set when `ProtocolScheme` is `"MTLS_POP"` and forwards | ||
| it to MSAL: | ||
|
|
||
| 1. **Managed Identity path** – the MSAL `ManagedIdentityApplication` builder | ||
| is configured with `WithMtlsProofOfPossession()`. MSAL calls the V2 | ||
| Managed Identity credential endpoint, which returns an mTLS-bound token | ||
| plus the binding certificate. | ||
| 2. **FIC-with-MI path** – the inner Managed Identity client used to sign the | ||
| FIC assertion produces the binding certificate; the outer | ||
| `ConfidentialClientApplication` request is bound to that certificate. | ||
|
|
||
| In both cases, `IDownstreamApi` issues the HTTP call over mTLS using the | ||
| binding certificate. App developers see exactly the same `IDownstreamApi` / | ||
| `IAuthorizationHeaderProvider` surface they use today. | ||
|
|
||
| ## Samples | ||
|
|
||
| Two samples will be added, modeled on the existing `daemon-app-msi`: | ||
|
|
||
| | Folder | Demonstrates | | ||
| |-----------------------------------------------------|------------------------------------| | ||
| | `tests/DevApps/daemon-app/daemon-app-msi-mtls` | Managed Identity + mTLS PoP | | ||
| | `tests/DevApps/daemon-app/daemon-app-fic-mtls` | FIC-with-MI + mTLS PoP | | ||
|
|
||
| Each sample is one `Program.cs` (boilerplate `TokenAcquirerFactory` + | ||
| `IDownstreamApi.CallApiForAppAsync`) plus one `appsettings.json` that matches | ||
| the configuration example above. | ||
|
|
||
| ## Documentation updates | ||
|
|
||
| | File | Update | | ||
| |----------------------------------------------------------------|---------------------------------------------------------------------------------------------------------| | ||
| | `docs/calling-downstream-apis/token-binding.md` | Add MI and FIC subsections after the certificate config. Same `"ProtocolScheme": "MTLS_POP"` opt-in. | | ||
| | `docs/authentication/credentials/certificateless.md` | Add a one-paragraph "mTLS Proof-of-Possession" note linking back to `token-binding.md`. | | ||
| | `tests/DevApps/daemon-app/daemon-app-msi/readme.md` | Add a one-line note pointing at `daemon-app-msi-mtls`. | | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| * `Microsoft.Identity.Web` takes a dependency on | ||
| `Microsoft.Identity.Client.KeyAttestation` (GA in the next MSAL release). | ||
| * The downstream resource (Microsoft Graph, Azure Key Vault, a custom API) | ||
| must accept mTLS PoP tokens. This is configured per-resource in ESTS. | ||
| * The application's tenant and client must be on the ESTS allow-list for | ||
| mTLS-bound token issuance. | ||
|
|
||
| ### reference | ||
|
|
||
| * [Token Binding with mTLS Proof-of-Possession](../calling-downstream-apis/token-binding.md) | ||
| – existing certificate-based flow. | ||
| * [Certificateless Authentication](../authentication/credentials/certificateless.md) | ||
| – existing FIC + Managed Identity (bearer) flow. | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.