Removal of ExperimentalFeatures flag on WithMtlsProofOfPossession API: (#5402)

gladjohn · GladwinJohnson · web-flow · commit 48b002d6c6ad · 2025-07-23T15:13:01.000-07:00
exp flag remove

Co-authored-by: Gladwin Johnson &lt;gljohns@microsoft.com&gt;
diff --git a/src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs b/src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs
@@ -96,8 +96,6 @@ public AcquireTokenForClientParameterBuilder WithSendX5C(bool withSendX5C)
         /// <returns>The current instance of <see cref="AcquireTokenForClientParameterBuilder"/> to enable method chaining.</returns>
         public AcquireTokenForClientParameterBuilder WithMtlsProofOfPossession()
         {
-            ValidateUseOfExperimentalFeature();
-
             if (ServiceBundle.Config.ClientCredential is not CertificateClientCredential certificateCredential)
             {
                 throw new MsalClientException(
diff --git a/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ClientCredentialsMtlsPopTests.cs b/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ClientCredentialsMtlsPopTests.cs
@@ -40,7 +40,6 @@ public async Task Sni_Gets_Pop_Token_Successfully_TestAsync()
                 .WithAuthority("https://login.microsoftonline.com/bea21ebe-8b64-4d06-9f6d-6a889b120a7c")
                 .WithAzureRegion("westus3") //test slice region 
                 .WithCertificate(cert, true)  
-                .WithExperimentalFeatures()
                 .WithTestLogging()
                 .Build();
 
diff --git a/tests/Microsoft.Identity.Test.Unit/ExceptionTests/ExperimentalFeatureTests.cs b/tests/Microsoft.Identity.Test.Unit/ExceptionTests/ExperimentalFeatureTests.cs
@@ -5,10 +5,12 @@
 using System.Collections.Generic;
 using System.Globalization;
 using System.Linq;
+using System.Net.Http;
 using System.Reflection;
 using System.Text;
 using System.Threading.Tasks;
 using Microsoft.Identity.Client;
+using Microsoft.Identity.Client.AppConfig;
 using Microsoft.Identity.Test.Common.Core.Helpers;
 using Microsoft.VisualStudio.TestTools.UnitTesting;
 
@@ -22,12 +24,16 @@ public class ExperimentalFeatureTests
         [TestMethod]
         public async Task ExperimentalFeatureExceptionAsync()
         {
+            PoPAuthenticationConfiguration popConfig = new PoPAuthenticationConfiguration(new Uri("https://www.contoso.com/path1/path2?queryParam1=a&queryParam2=b"));
+            popConfig.HttpMethod = HttpMethod.Get;
+
             IConfidentialClientApplication cca = ConfidentialClientApplicationBuilder
                 .Create(Guid.NewGuid().ToString())
                 .WithCertificate(CertHelper.GetOrCreateTestCert()).Build();
 
             MsalClientException ex = await AssertException.TaskThrowsAsync<MsalClientException>(
-                () => cca.AcquireTokenForClient(s_scopes).WithMtlsProofOfPossession().ExecuteAsync())
+                () => cca.AcquireTokenForClient(s_scopes)
+                .WithSignedHttpRequestProofOfPossession(popConfig).ExecuteAsync())
                 .ConfigureAwait(false);
 
             Assert.AreEqual(MsalError.ExperimentalFeature, ex.ErrorCode);
diff --git a/tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/ManagedIdentityTests.cs b/tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/ManagedIdentityTests.cs
@@ -369,7 +369,6 @@ public async Task ManagedIdentityWithClaimsTestAsync(
                 SetEnvironmentVariables(managedIdentitySource, endpoint);
 
                 var miBuilder = ManagedIdentityApplicationBuilder.Create(ManagedIdentityId.SystemAssigned)
-                    .WithExperimentalFeatures(true)
                     .WithHttpManager(httpManager);
 
                 // Disabling shared cache options to avoid cross test pollution.
@@ -811,7 +810,6 @@ public async Task ManagedIdentityInvalidRefreshOnThrowsAsync()
                 SetEnvironmentVariables(ManagedIdentitySource.AppService, AppServiceEndpoint);
 
                 var miBuilder = ManagedIdentityApplicationBuilder.Create(ManagedIdentityId.SystemAssigned)
-                    .WithExperimentalFeatures()
                     .WithHttpManager(httpManager);
 
                 // Disabling shared cache options to avoid cross test pollution.
diff --git a/tests/Microsoft.Identity.Test.Unit/PublicApiTests/MtlsPopTests.cs b/tests/Microsoft.Identity.Test.Unit/PublicApiTests/MtlsPopTests.cs
@@ -55,7 +55,6 @@ public async Task MtlsPop_AadAuthorityWithoutCertificateAsync()
             IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
                             .Create(TestConstants.ClientId)
                             .WithAuthority("https://login.microsoftonline.com/123456-1234-2345-1234561234")
-                            .WithExperimentalFeatures()
                             .Build();
 
             MsalClientException ex = await AssertException.TaskThrowsAsync<MsalClientException>(() =>
@@ -74,7 +73,6 @@ public async Task MtlsPopWithoutCertificateAsync()
             IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
                             .Create(TestConstants.ClientId)
                             .WithClientSecret(TestConstants.ClientSecret)
-                            .WithExperimentalFeatures()
                             .Build();
 
             // Set WithMtlsProofOfPossession on the request without a certificate
@@ -98,7 +96,6 @@ public async Task MtlsPopWithoutCertificateWithClientClaimsAsync()
             IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
                             .Create(TestConstants.ClientId)
                             .WithClientClaims(s_testCertificate, ipAddress)
-                            .WithExperimentalFeatures()
                             .Build();
 
             // Expecting an exception because MTLS PoP requires a certificate to sign the claims
@@ -117,7 +114,6 @@ public async Task MtlsPopWithoutCertificateWithClientAssertionAsync()
             IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
                             .Create(TestConstants.ClientId)
                             .WithClientAssertion(() => { return TestConstants.DefaultClientAssertion; })
-                            .WithExperimentalFeatures()
                             .Build();
 
             // Expecting an exception because MTLS PoP requires a certificate to sign the claims
@@ -146,7 +142,6 @@ public async Task MtlsPop_WithoutRegion_ThrowsException(bool setAzureRegion)
                                     .WithCertificate(s_testCertificate)
                                     // Setting Azure region to ConfidentialClientApplicationBuilder.DisableForceRegion overrides the AzureRegion to null.
                                     .WithAzureRegion(ConfidentialClientApplicationBuilder.DisableForceRegion)
-                                    .WithExperimentalFeatures()
                                     .Build();
                 }
                 else
@@ -155,7 +150,6 @@ public async Task MtlsPop_WithoutRegion_ThrowsException(bool setAzureRegion)
                                     .Create(TestConstants.ClientId)
                                     .WithAuthority(TestConstants.AuthorityTenant)
                                     .WithCertificate(s_testCertificate)
-                                    .WithExperimentalFeatures()
                                     .Build();
                 }
 
@@ -177,7 +171,6 @@ public async Task MtlsPop_WithUnsupportedNonTenantedAuthorityAsync_ThrowsExcepti
             IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
                             .Create(TestConstants.ClientId)
                             .WithCertificate(s_testCertificate)
-                            .WithExperimentalFeatures()
                             .Build();
 
             // Set WithMtlsProofOfPossession on the request without specifying an authority
@@ -220,7 +213,7 @@ private static string ComputeExpectedKeyId(X509Certificate2 certificate)
         public void GetTokenRequestParams_ExpectedValues()
         {
             var scheme = new MtlsPopAuthenticationOperation(s_testCertificate);
-            System.Collections.Generic.IReadOnlyDictionary<string, string> parameters = scheme.GetTokenRequestParams();
+            IReadOnlyDictionary<string, string> parameters = scheme.GetTokenRequestParams();
 
             Assert.AreEqual(Constants.MtlsPoPTokenType, parameters[OAuth2Parameter.TokenType]);
         }
@@ -248,7 +241,6 @@ public async Task AcquireTokenForClient_WithMtlsProofOfPossession_SuccessAsync()
                         .WithCertificate(s_testCertificate)
                         .WithAuthority($"https://login.microsoftonline.com/123456-1234-2345-1234561234")
                         .WithAzureRegion(ConfidentialClientApplication.AttemptRegionDiscovery)
-                        .WithExperimentalFeatures()
                         .WithHttpManager(httpManager)
                         .BuildConcrete();
 
@@ -308,7 +300,6 @@ public async Task AcquireMtlsPopTokenForClientWithTenantId_SuccessAsync()
                         .WithCertificate(s_testCertificate)
                         .WithTenantId("123456-1234-2345-1234561234")
                         .WithAzureRegion(ConfidentialClientApplication.AttemptRegionDiscovery)
-                        .WithExperimentalFeatures()
                         .WithHttpManager(httpManager)
                         .BuildConcrete();
 
@@ -355,7 +346,6 @@ public async Task MtlsPop_KnownRegionAsync()
                     .WithAuthority(authorityUrl)
                     .WithAzureRegion(region)
                     .WithHttpManager(httpManager)
-                    .WithExperimentalFeatures()
                     .BuildConcrete();
 
                 AuthenticationResult result = await app.AcquireTokenForClient(TestConstants.s_scope)
@@ -388,15 +378,13 @@ public async Task MtlsPop_RegionalTokenCacheInterchangeabilityAsync()
                     .WithAzureRegion(region)
                     .WithAuthority(authority)
                     .WithHttpManager(httpManager)
-                    .WithExperimentalFeatures()
                     .BuildConcrete();
 
                 IConfidentialClientApplication regionalApp2 = ConfidentialClientApplicationBuilder.Create(TestConstants.ClientId)
                     .WithCertificate(s_testCertificate)
                     .WithAzureRegion(region)
                     .WithAuthority(authority)
                     .WithHttpManager(httpManager)
-                    .WithExperimentalFeatures()
                     .BuildConcrete();
 
                 var memoryTokenCache = new InMemoryTokenCache();
@@ -443,7 +431,6 @@ public async Task MtlsPop_ThrowsExceptionWhenRegionAutoDetectFailsAsync()
                         .WithCertificate(s_testCertificate)
                         .WithAuthority("https://login.microsoftonline.com/123456-1234-2345-1234561234")
                         .WithAzureRegion(ConfidentialClientApplication.AttemptRegionDiscovery)
-                        .WithExperimentalFeatures()
                         .WithHttpManager(httpManager)
                         .BuildConcrete();
 
@@ -471,7 +458,6 @@ public async Task MtlsPop_NonAadAuthorityAsync(string authorityUrl, string autho
                             .Create(TestConstants.ClientId)
                             .WithCertificate(s_testCertificate)
                             .WithAuthority(authorityUrl)
-                            .WithExperimentalFeatures()
                             .Build();
 
             // Set WithMtlsProofOfPossession on the request with a non-AAD authority
@@ -510,7 +496,6 @@ public async Task MtlsPop_WithUnsupportedNonTenantedAuthorityAsync_ThrowsExcepti
                         .WithCertificate(s_testCertificate)
                         .WithAuthority($"{authorityUrl}/{nonTenantValue}")
                         .WithAzureRegion(ConfidentialClientApplication.AttemptRegionDiscovery)
-                        .WithExperimentalFeatures()
                         .WithHttpManager(httpManager)
                         .BuildConcrete();
 
@@ -567,7 +552,6 @@ public async Task MtlsPop_ValidateExpectedUrlAsync()
                                  .WithHttpManager(harness.HttpManager)
                                  .WithAzureRegion(ConfidentialClientApplication.AttemptRegionDiscovery)
                                  .WithCertificate(s_testCertificate)
-                                 .WithExperimentalFeatures(true)
                                  .Build();
 
                     // Act
@@ -615,7 +599,6 @@ public async Task PublicAndSovereignCloud_UsesPreferredNetwork_AndNoDiscovery_As
                                         .WithHttpManager(harness.HttpManager)
                                         .WithAzureRegion(ConfidentialClientApplication.AttemptRegionDiscovery)
                                         .WithCertificate(s_testCertificate)
-                                        .WithExperimentalFeatures(true)
                                         .Build();
 
                     AuthenticationResult result = await app
@@ -678,7 +661,6 @@ public async Task AcquireTokenForClient_WithMtlsPop_NonStandardCloudAsync()
                                     .WithAzureRegion(ConfidentialClientApplication.AttemptRegionDiscovery)
                                     .WithCertificate(s_testCertificate)
                                     .WithInstanceDiscovery(false)
-                                    .WithExperimentalFeatures(true)
                                     .Build();
 
                     AuthenticationResult result = await app
@@ -727,7 +709,6 @@ public async Task AcquireTokenForClient_WithMtlsPop_Dsts_SuccessAsync()
                 var app = ConfidentialClientApplicationBuilder.Create(TestConstants.ClientId)
                     .WithCertificate(s_testCertificate)
                     .WithAuthority(authorityUrl)
-                    .WithExperimentalFeatures()
                     .WithHttpManager(httpManager)
                     .BuildConcrete();
 
@@ -763,7 +744,6 @@ public async Task MtlsPop_WithUnsupportedNonTenantedAuthorityAsyncForDsts_Throws
                             .Create(TestConstants.ClientId)
                             .WithAuthority(authorityUrl)
                             .WithCertificate(s_testCertificate)
-                            .WithExperimentalFeatures()
                             .Build();
 
             // Set WithMtlsProofOfPossession on the request specifying an authority
@@ -793,7 +773,6 @@ public async Task BindingCertificate_PopulatedForMtlsPop_AndNullForBearerAsync()
                     .WithCertificate(s_testCertificate)
                     .WithAuthority("https://login.microsoftonline.com/123456-1234-2345-1234561234")
                     .WithAzureRegion(ConfidentialClientApplication.AttemptRegionDiscovery)
-                    .WithExperimentalFeatures()
                     .WithHttpManager(httpManager)
                     .BuildConcrete();
 
diff --git a/tests/devapps/NetCoreTestApp/Program.cs b/tests/devapps/NetCoreTestApp/Program.cs
@@ -437,9 +437,6 @@ private static IConfidentialClientApplication CreateCcaForMtlsPop(string region)
 
             ccaBuilder = ccaBuilder.WithCertificate(s_confidentialClientCertificate, true);
 
-            //Add Experimental feature for MTLS PoP
-            ccaBuilder = ccaBuilder.WithExperimentalFeatures();
-
             IConfidentialClientApplication ccapp = ccaBuilder.Build();
 
             // Optionally set cache settings or other configurations if needed

Original file line number	Diff line number	Diff line change
`@@ -96,8 +96,6 @@ public AcquireTokenForClientParameterBuilder WithSendX5C(bool withSendX5C)`
`96`	`96`	`/// <returns>The current instance of <see cref="AcquireTokenForClientParameterBuilder"/> to enable method chaining.</returns>`
`97`	`97`	`public AcquireTokenForClientParameterBuilder WithMtlsProofOfPossession()`
`98`	`98`	`{`
`99`		`- ValidateUseOfExperimentalFeature();`
`100`		`-`
`101`	`99`	`if (ServiceBundle.Config.ClientCredential is not CertificateClientCredential certificateCredential)`
`102`	`100`	`{`
`103`	`101`	`throw new MsalClientException(`