Skip to content

mTLS PoP: add SNI / S2S-FIC test coverage + docs#6100

Open
Robbie-Microsoft wants to merge 10 commits into
mainfrom
rginsburg/sni-mtls-pop-fic
Open

mTLS PoP: add SNI / S2S-FIC test coverage + docs#6100
Robbie-Microsoft wants to merge 10 commits into
mainfrom
rginsburg/sni-mtls-pop-fic

Conversation

@Robbie-Microsoft

@Robbie-Microsoft Robbie-Microsoft commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

The SNI-cert first-leg / S2S-FIC carry-over / mTLS-PoP plumbing already shipped in main. This PR is tests + docs only — no product code, public API, or behavior change. The related error-message / doc-comment fix was split out to #6127.

Tests

  • Unit (MtlsPopTests.cs, +3): SNI omits client_assertion / client_assertion_type / req_cnf; S2S FIC carry-over sends client_assertion_type=jwt-pop and binds to the carried cert; default transport is mTLS-capable.
  • E2E (ClientCredentialsMtlsPopTests.cs): assert both legs are mtls_pop with binding-cert continuity; add an FMI-audience variant proving the exchange audience is caller-supplied (inconclusive if FMI+mTLS isn't lab-enabled).

Docs

sni_mtls_pop_token_design.md, mtls_pop_skills_guide.md, CHANGELOG.md — region is optional / global fallback, two-leg S2S FIC, caller-supplied exchange audience.

user_fic (user-delegated FIC) is not supported over mTLS — FIC over mTLS PoP is S2S/app-only.

… messages

mTLS PoP does not require a region: when none is set, MSAL uses the global mtlsauth.microsoft.com endpoint (RegionAndMtlsDiscoveryProvider already falls back). Corrected the misleading RegionRequiredForMtlsPop / MtlsPopWithoutRegion / MtlsBearerWithoutRegion message text and doc comments (public constants preserved; no longer raised).

Isolated the sovereign-cloud guardrail in RegionAndMtlsDiscoveryProvider as a single, clearly-marked override point (comment-only; fail-fast behavior unchanged).

Added unit tests (SN/I sendX5C omits client_assertion/req_cnf; S2S FIC carry-over sends jwt-pop and binds to the carried cert; default transport is mTLS-capable) and two-leg S2S FIC E2E tests (both legs mtls_pop with binding-cert continuity, plus an FMI-audience variant). Updated design doc, skills guide, and CHANGELOG. No public API change; user_fic is not supported over mTLS.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 1, 2026 19:40
@Robbie-Microsoft
Robbie-Microsoft marked this pull request as ready for review July 1, 2026 19:43
@Robbie-Microsoft
Robbie-Microsoft requested a review from a team as a code owner July 1, 2026 19:43

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates MSAL.NET’s mTLS Proof-of-Possession (PoP) guidance and coverage to reflect that Azure region is optional (global mtlsauth.microsoft.com fallback), and adds test + documentation coverage for SNI first-leg and S2S/app FIC leg-2 carry-over scenarios over mTLS PoP (no public API changes).

Changes:

  • Corrects stale region-required mTLS PoP error-message text and updates historical error-code XML docs to reflect global endpoint fallback.
  • Adds unit + integration test coverage for SNI-over-mTLS-PoP and S2S FIC carry-over (jwt-pop assertion type and binding-cert continuity).
  • Updates design/docs and changelog to document region-optional behavior and S2S-only scope (no user_fic over mTLS).

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
tests/Microsoft.Identity.Test.Unit/PublicApiTests/MtlsPopTests.cs Adds unit tests for SNI mTLS PoP body shape, S2S FIC carry-over behavior, and default transport being mTLS-capable.
tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ClientCredentialsMtlsPopTests.cs Adds E2E coverage for two-leg S2S FIC over mTLS PoP (global endpoint), including an FMI-audience variant.
src/client/Microsoft.Identity.Client/MsalErrorMessage.cs Updates region-related mTLS messages to state region is optional and global fallback is used.
src/client/Microsoft.Identity.Client/MsalError.cs Updates XML docs to mark region-required mTLS errors as historical / no longer raised.
src/client/Microsoft.Identity.Client/Instance/Discovery/RegionAndMtlsDiscoveryProvider.cs Refactors comments to clearly document the sovereign-cloud guardrail as a single override point.
docs/sni_mtls_pop_token_design.md Documents region-optional behavior and adds a two-leg S2S FIC over mTLS PoP section and examples.
docs/mtls_pop_skills_guide.md Adds prompts/notes for SNI first leg, S2S-only FIC scope, and region-optional behavior.
CHANGELOG.md Adds an Unreleased entry summarizing the region-optional messaging and new mTLS PoP S2S FIC coverage.

@Robbie-Microsoft
Robbie-Microsoft marked this pull request as draft July 1, 2026 20:51
Robbie-Microsoft and others added 2 commits July 6, 2026 17:00
…ent-id

Fold the both-legs-mtls_pop and binding-cert-continuity assertions into the existing Sni_AssertionFlow_GlobalEndpoint_Uses_JwtPop_And_Succeeds test (carrying Leg-1 BindingCertificate forward) and delete the redundant standalone Sni_TwoLeg_S2sFic_BothLegs_Pop_EndToEnd test.

Parameterize the FMI-audience helper's Leg-2 client id so both legs run under the same identity; an ESTS rejection is then unambiguously an FMI + mTLS enablement issue rather than a client-id mismatch between legs.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@Robbie-Microsoft
Robbie-Microsoft marked this pull request as ready for review July 6, 2026 21:01
Copilot AI review requested due to automatic review settings July 6, 2026 21:01

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated no new comments.

@Robbie-Microsoft Robbie-Microsoft changed the title Support SNI cert over mTLS PoP + S2S FIC; fix stale region-required messages SNI mTLS PoP hardening: message fix, S2S FIC tests, docs Jul 6, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Comment thread docs/sni_mtls_pop_token_design.md Outdated
Robbie-Microsoft and others added 2 commits July 7, 2026 17:49
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
…ce const in folded test

- MsalErrorMessage.cs / MsalError.cs: the no-longer-raised region messages
  and XML docs said 'the global mTLS endpoint (mtlsauth.microsoft.com)',
  which is public-cloud only (sovereign clouds use their own mtlsauth host).
  Dropped the hardcoded host so the text is cloud-accurate.
- ClientCredentialsMtlsPopTests.cs: the folded global-endpoint test now uses
  the AllowListedFinalResource constant instead of the inline literal.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 8, 2026 17:09

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

@bgavrilMS bgavrilMS left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unclear what this PR is about.

Comment thread src/client/Microsoft.Identity.Client/MsalError.cs Outdated
@Robbie-Microsoft Robbie-Microsoft changed the title SNI mTLS PoP hardening: message fix, S2S FIC tests, docs mTLS PoP: fix misleading region-required messages; add SNI/S2S-FIC tests + docs Jul 9, 2026
Copilot AI review requested due to automatic review settings July 9, 2026 16:42
…docs

- RegionAndMtlsDiscoveryProvider.cs: revert the added 'SOVEREIGN GUARDRAIL'
  banner comment (reverts to origin/main). The block-list is pre-existing and
  only redirects two legacy alias hosts; the comment mischaracterized it.
- MsalError.cs: drop the confusing 'Historical error code' phrasing on the
  three region constants; state plainly that a region is not required (global
  endpoint fallback) and that the constants are retained for back-compat.
  They remain public shipped API, so they are not deleted.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.

Comment thread tests/Microsoft.Identity.Test.Unit/PublicApiTests/MtlsPopTests.cs Outdated
Comment thread docs/sni_mtls_pop_token_design.md Outdated
Comment thread docs/sni_mtls_pop_token_design.md Outdated
Comment thread docs/sni_mtls_pop_token_design.md
Comment thread docs/sni_mtls_pop_token_design.md
Comment thread docs/mtls_pop_skills_guide.md Outdated
Comment thread CHANGELOG.md Outdated
…host; fix SNI typo

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 9, 2026 17:48

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated no new comments.

@gladjohn gladjohn left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you should create separate PRs for this, "fix misleading region-required messages" is a must fix. I am not sure about FIC tests. we already have fic tests.

Revert MsalError.cs and MsalErrorMessage.cs to baseline so this PR carries
only the SNI / S2S-FIC tests and docs. The misleading region-required
message + doc-comment fix now ships separately in #6127. Drop the
message-fix clause from the CHANGELOG (docs + tests entries retained).

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 15, 2026 17:11
@Robbie-Microsoft Robbie-Microsoft changed the title mTLS PoP: fix misleading region-required messages; add SNI/S2S-FIC tests + docs mTLS PoP: add SNI / S2S-FIC test coverage + docs Jul 15, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Robbie-Microsoft and others added 2 commits July 15, 2026 13:36
… other tests inline the literal

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 15, 2026 17:38

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Comment on lines +534 to +544
try
{
await RunTwoLegS2sFicBothLegsPopAsync(FmiClientId, FmiClientId, FmiTokenExchangeUrl).ConfigureAwait(false);
}
catch (MsalServiceException ex)
{
Assert.Inconclusive(
"FMI-audience mTLS PoP exchange was rejected by ESTS for this app/lab configuration. " +
"This variant only proves the exchange audience is caller-supplied; the generic " +
$"api://AzureADTokenExchange path remains under test. Underlying error: {ex.Message}");
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants