Skip to content

Skip AcquireTokenWithMtlsPop test: AAD westus3 test slice returns Bearer#3892

Merged
neha-bhargava merged 1 commit into
masterfrom
nebharg/skip-mtls-pop-westus3-test-slice
Jun 23, 2026
Merged

Skip AcquireTokenWithMtlsPop test: AAD westus3 test slice returns Bearer#3892
neha-bhargava merged 1 commit into
masterfrom
nebharg/skip-mtls-pop-westus3-test-slice

Conversation

@neha-bhargava

Copy link
Copy Markdown
Contributor

Problem

The E2E test AcquireTokenWithMtlsPop_WithBindingCertificate_ReturnsMtlsPopToken (tests/E2E Tests/TokenAcquirerTests/TokenAcquirer.cs) is failing on the PR pipeline with:

MsalClientException: You asked for token type mtls_pop, but receive Bearer.

Investigation

Reproduced and root-caused while debugging the same failure in MSAL.NET (AzureAD/microsoft-authentication-library-for-dotnet#6084):

Endpoint Result
westus3.mtlsauth.microsoft.com (test slice — used by this test) ❌ AAD returns Bearer
mtlsauth.microsoft.com (global — used by a sibling MSAL.NET test) ✅ Passes

MSAL is correctly routing to the regional mtlsauth endpoint, sending token_type=mtls_pop, and presenting the SNI cert. The AAD westus3 test slice is silently downgrading the response. This is not a Microsoft.Identity.Web or MSAL regression.

Fix

Skip the test via [Fact(Skip = ""..."")] — the repo's established pattern for known-broken external-dependency tests (see e.g. WebAppIntegrationTests.cs, TokenAcquirer.cs:268, CertificateRotationTest.cs:45). Remove the skip when AAD test slice is fixed.

Tracking

The E2E test AcquireTokenWithMtlsPop_WithBindingCertificate_ReturnsMtlsPopToken
fails consistently in the PR pipeline with:

  MsalClientException: You asked for token type mtls_pop, but receive Bearer.

Root cause is server-side: the AAD westus3 test-slice mtlsauth endpoint
is downgrading token_type=mtls_pop responses to Bearer. MSAL is
correctly routing to westus3.mtlsauth.microsoft.com, sending
token_type=mtls_pop, and presenting the SNI cert. The matching MSAL.NET
test against the global mtlsauth.microsoft.com endpoint continues to
pass, isolating the issue to the test slice — not a Microsoft.Identity.Web
or MSAL regression.

Skip the test via [Fact(Skip = "...")] (the repo's established pattern
for known-broken external-dependency tests) until the AAD test slice
honors token_type=mtls_pop again.

Tracking: #3891
Related: AzureAD/microsoft-authentication-library-for-dotnet#6084

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@neha-bhargava neha-bhargava requested a review from a team as a code owner June 23, 2026 18:06
@neha-bhargava neha-bhargava merged commit 72f20d1 into master Jun 23, 2026
4 checks passed
@neha-bhargava neha-bhargava deleted the nebharg/skip-mtls-pop-westus3-test-slice branch June 23, 2026 18:30
This was referenced Jun 24, 2026
github-actions Bot pushed a commit to EelcoLos/nx-tinkering that referenced this pull request Jun 30, 2026
Pinned
[Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web)
at 4.11.0.

<details>
<summary>Release notes</summary>

_Sourced from [Microsoft.Identity.Web's
releases](https://github.com/AzureAD/microsoft-identity-web/releases)._

## 4.11.0

## What's Changed
* Bump vitest from 3.2.4 to 4.1.0 in
/tests/DevApps/SidecarAdapter/typescript by @​dependabot[bot] in
AzureAD/microsoft-identity-web#3836
* Bump MSAL.NET to 4.84.2 and align OWIN binding redirects by @​gladjohn
with @​Copilot in
AzureAD/microsoft-identity-web#3844
* docs(design): devex proposal for mTLS PoP on Managed Identity and FIC
by @​gladjohn in
AzureAD/microsoft-identity-web#3832
* Prevent OpenIdConnectMiddlewareDiagnostics from logging sensitive
values by @​iarekk in
AzureAD/microsoft-identity-web#3850
* Add MSI mTLS PoP support: pure MI + FIC-with-MI (impl for devex
#​3832) by @​gladjohn in
AzureAD/microsoft-identity-web#3839
* docs(design): devex proposal for Bearer tokens with bound credentials
by @​gladjohn in
AzureAD/microsoft-identity-web#3833
* Add bound-credential support for Bearer tokens (cert + mTLS) by
@​gladjohn in
AzureAD/microsoft-identity-web#3835
* Upgrade IdWeb Sidecar to .NET 10 (LTS) by @​soodt in
AzureAD/microsoft-identity-web#3841
* MTLS Without Tokens Support - MicrosoftIdentityMessageHandler Support
by @​tlupes in
AzureAD/microsoft-identity-web#3815
* fix: include isTokenBinding in CCA cache key to prevent bearer/PoP
collision by @​gladjohn in
AzureAD/microsoft-identity-web#3867
* Test + doc: x-ms-tokenboundauth header for AKV mTLS PoP via
ExtraHeaderParameters by @​gladjohn in
AzureAD/microsoft-identity-web#3864
* Add mTLS PoP Copilot skill (certificate, MSI, FIC) by @​gladjohn in
AzureAD/microsoft-identity-web#3872
* Fix CVE-2026-48109: Pin MessagePack to patched version 2.5.301 by
@​soodt in AzureAD/microsoft-identity-web#3865
* Sidecar: gate agent identity parameters behind AllowOverrides by
@​iNinja in AzureAD/microsoft-identity-web#3871
* Bump System.Formats.Asn1 base version to 10.0.2 by @​iarekk in
AzureAD/microsoft-identity-web#3875
* Bump Microsoft.IdentityModel.* from 8.18.0 to 8.19.1 by @​iarekk in
AzureAD/microsoft-identity-web#3879
* Use IIdentityLogger for MSAL logging in TokenAcquisition and
ManagedIdentityClientAssertion (#​3820) by @​neha-bhargava in
AzureAD/microsoft-identity-web#3880
* Update Microsoft.Identity.Abstractions to 12.2.0 and MSAL to 4.85.0 by
@​neha-bhargava in
AzureAD/microsoft-identity-web#3881
* Surface MSAL AuthenticationResultMetadata + exception details on
AcquireTokenResult by @​neha-bhargava in
AzureAD/microsoft-identity-web#3856
* Flow outgoing request to header providers via AcquireTokenOptions by
@​neha-bhargava in
AzureAD/microsoft-identity-web#3876
* Throw on Authority vs Instance/TenantId conflict (OIDC + MSAL parity)
by @​iarekk in
AzureAD/microsoft-identity-web#3873
* Delete .github/workflows/evergreen.yml by @​bgavrilMS in
AzureAD/microsoft-identity-web#3803
* Add comprehensive authority configuration and precedence documentation
by @​jmprieur with @​Copilot in
AzureAD/microsoft-identity-web#3617
* Bump js-yaml from 4.1.1 to 4.2.0 in
/tests/DevApps/SidecarAdapter/typescript by @​dependabot[bot] in
AzureAD/microsoft-identity-web#3862
* Move authority docs into docs/authority-configuration/ subfolder by
@​iarekk in AzureAD/microsoft-identity-web#3885
* Revert "Throw on Authority vs Instance/TenantId conflict (#​3873)" by
@​iarekk in AzureAD/microsoft-identity-web#3888
* Update Microsoft.Identity.Client to 4.85.1 by @​neha-bhargava in
AzureAD/microsoft-identity-web#3889
* Enable E2E test coverage on internal Azure DevOps pipelines by
@​gladjohn in
AzureAD/microsoft-identity-web#3883
* Bump esbuild and tsx in /tests/DevApps/SidecarAdapter/typescript by
@​dependabot[bot] in
AzureAD/microsoft-identity-web#3859
* Skip AcquireTokenWithMtlsPop test: AAD westus3 test slice returns
Bearer by @​neha-bhargava in
AzureAD/microsoft-identity-web#3892

## New Contributors
* @​iarekk made their first contribution in
AzureAD/microsoft-identity-web#3850
* @​soodt made their first contribution in
AzureAD/microsoft-identity-web#3841

**Full Changelog**:
AzureAD/microsoft-identity-web@4.10.0...4.11.0

Commits viewable in [compare
view](AzureAD/microsoft-identity-web@4.10.0...4.11.0).
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This was referenced Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants