Adds support for implicit mTLS (Mutual TLS) transport for client assertion delegates by gladjohn · Pull Request #5670 · AzureAD/microsoft-authentication-library-for-dotnet

gladjohn · 2026-01-23T00:52:21Z

Changes proposed in this request
This pull request refactors and improves the handling of mTLS (mutual TLS) and PoP (Proof of Possession) authentication flows in the confidential client codebase. The main changes include extracting and centralizing the mTLS/PoP parameter initialization logic, updating client assertion delegate handling to distinguish between string and certificate-based credentials, and improving diagnostics and result handling for mTLS scenarios. These changes make the codebase more maintainable, testable, and robust regarding mTLS/PoP authentication.

Refactoring and centralization of mTLS/PoP initialization:

Extracted the mTLS/PoP initialization logic from AcquireTokenCommonParameters into a new helper class MtlsPopParametersInitializer, making the logic more modular and testable. The new method TryInitMtlsPopParametersAsync replaces the old InitMtlsPopParametersAsync and delegates to this helper. [1] [2] [3]

Client assertion delegate and credential handling improvements:

Updated ConfidentialClientApplicationBuilder to properly distinguish between string-based and certificate-based client assertion delegates, using a new ClientAssertionStringDelegateCredential for string assertions. This ensures correct handling and initialization based on the credential type. [1] [2] [3] [4] [5]

mTLS detection and diagnostics:

Changed mTLS detection throughout the codebase to use IsMtlsRequested instead of checking for a non-null certificate directly, improving clarity and correctness in mTLS scenarios. [1] [2] [3]

Improved handling in certificate client credentials:

Refactored CertificateAndClaimsClientCredential to return a result object (ClientCredentialApplicationResult) indicating whether mTLS is being used and to improve logging and diagnostics for both JWT and mTLS flows. [1] [2] [3]

Code cleanup:

Removed unnecessary using statements from ClientAssertionDelegateCredential.cs for improved code clarity.

Testing
unit, integration

Performance impact
none

Documentation

All relevant documentation is updated.

src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenCommonParameters.cs

src/client/Microsoft.Identity.Client/ApiConfig/Parameters/MtlsPopParametersInitializer.cs

src/client/Microsoft.Identity.Client/Internal/Requests/AuthenticationRequestParameters.cs

tests/Microsoft.Identity.Test.Integration.netcore/SeleniumTests/FociTests.cs

gladjohn requested a review from a team as a code owner January 23, 2026 00:52

gladjohn force-pushed the gladjohn/sni_bearer branch from e8c624e to 2b9f559 Compare January 26, 2026 17:29

bgavrilMS reviewed Jan 27, 2026

View reviewed changes

src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenCommonParameters.cs Outdated Show resolved Hide resolved

bgavrilMS reviewed Jan 27, 2026

View reviewed changes

src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenCommonParameters.cs Outdated Show resolved Hide resolved

bgavrilMS reviewed Jan 27, 2026

View reviewed changes

src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenCommonParameters.cs Outdated Show resolved Hide resolved

gladjohn force-pushed the gladjohn/sni_bearer branch 2 times, most recently from b199d2e to 039adf2 Compare January 27, 2026 19:34

gladjohn requested a review from bgavrilMS January 29, 2026 00:23

gladjohn force-pushed the gladjohn/sni_bearer branch 2 times, most recently from a5602c7 to 6b3214e Compare January 29, 2026 00:43