
Add bound-credential support for Bearer tokens (cert + mTLS)#3835

Merged
gladjohn merged 3 commits into
masterfrom
gladjohn/bearer-bound-credentials
Jun 12, 2026

Conversation

@gladjohn

@gladjohn gladjohn commented Jun 1, 2026

Contributor

What this PR adds

Honors the new CredentialDescription.UseBoundCredential property (from microsoft-identity-abstractions-for-dotnet#252) on the Certificate credential branch.

When UseBoundCredential = true and a certificate is configured, IdWeb now wires the cert via MSAL's WithCertificate(cert, new CertificateOptions { SendCertificateOverMtls = true }). This causes MSAL to send the cert over mTLS to Entra's mTLS endpoint (mtlsauth.microsoft.com) and return a Bearer access token bound to that certificate.

Changes

| File | Purpose |
| --- | --- |
| ConfidentialClientApplicationBuilderExtension.cs | Cert branch in WithClientCredentialsAsync now branches on UseBoundCredential |
| WithClientCredentialsTests.cs | Two new dispatch tests (UseBoundCredential = true / false) |
| tests/DevApps/daemon-app/daemon-app-cert-bound/ | DevApp harness verified end-to-end against mtlsauth.microsoft.com |

What this PR does not add (deferred to follow-up PRs)

  • FIC (signed-assertion) bound flow — no new GetSignedClientAssertionAsync virtual on ClientAssertionProviderBase, no override on ManagedIdentityClientAssertion. The SignedAssertion branch in the dispatch is untouched.
  • Managed Identity → mTLS-PoP token exchange — MI path does not call .WithMtlsProofOfPossession() here.
  • KeyGuard attestation: Microsoft.Identity.Client.KeyAttestation.WithAttestationSupport() is not added.

These are intentionally split out so reviewers can land the smallest possible cert-path change first.

Dependencies

  • Depends on CredentialDescription.UseBoundCredential from microsoft-identity-abstractions-for-dotnet#252.
  • CI will fail to build until abstractions ships the new property. Opening as draft until that lands.

How it was validated

  • Full IdWeb unit suite green locally (934 pass / 0 fail / 11 skip) with -p:UseLocalAbstractions=true swapping in a local ProjectReference to the abstractions PR branch.
  • Bearer-bound DevApp harness (daemon-app-cert-bound) successfully obtains an access token (AT length 517, 1h expiry) from mtlsauth.microsoft.com.

Reviewer notes

  • The cert path is a one-line dispatch change. The branch is intentionally minimal.
  • Local-dev Directory.Build.targets (abstractions ProjectReference swap, gated by -p:UseLocalAbstractions=true) is not included in this PR.

Honors CredentialDescription.UseBoundCredential on the Certificate branch by wiring the cert through MSAL's CertificateOptions.SendCertificateOverMtls = true. The resulting Bearer access token is bound to the certificate via mTLS to Entra's mTLSauth.microsoft.com endpoint.

Depends on microsoft-identity-abstractions-for-dotnet#252.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
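An added illustration (not code from this PR or from Microsoft.Identity.Web) of the certificate-branch dispatch described above, with the checks a reviewer would want around it. The WithCertificate(cert, CertificateOptions) overload and SendCertificateOverMtls are taken from the PR text; the helper itself and the CredentialDescription members other than UseBoundCredential are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Identity.Abstractions;
using Microsoft.Identity.Client;

// Hypothetical helper (not IdWeb's own extension): applies a CredentialDescription to an
// MSAL confidential-client builder, honouring UseBoundCredential on the certificate path only.
public static class BoundCredentialDispatch
{
    public static ConfidentialClientApplicationBuilder ApplyCredential(
        ConfidentialClientApplicationBuilder builder,
        CredentialDescription credential)
    {
        if (builder is null) throw new ArgumentNullException(nameof(builder));
        if (credential is null) throw new ArgumentNullException(nameof(credential));

        // Only the certificate source is wired for bound tokens in this change. Refuse a bound
        // request on any other source rather than silently issuing an unbound Bearer token.
        // (SourceType / CredentialSource are assumed abstractions members.)
        if (credential.SourceType != CredentialSource.Certificate)
            throw new NotSupportedException(
                $"UseBoundCredential={credential.UseBoundCredential} is not handled for source {credential.SourceType}.");

        // Assumed: CredentialDescription.Certificate holds the loaded X509Certificate2.
        X509Certificate2 cert = credential.Certificate
            ?? throw new InvalidOperationException("Certificate credential has no loaded certificate.");

        if (!credential.UseBoundCredential)
            return builder.WithCertificate(cert); // classic, unbound client-credential flow

        // mTLS proves possession of the private key during the TLS handshake, so a public-only
        // certificate (for example one loaded without its key) cannot produce a bound token.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("A bound credential requires a certificate with a private key.");

        // Per the PR: MSAL presents the cert over mTLS to mtlsauth.microsoft.com and returns a
        // Bearer access token bound to that certificate.
        return builder.WithCertificate(cert, new CertificateOptions { SendCertificateOverMtls = true });
    }
}
```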

@bgavrilMS bgavrilMS left a comment

Member


This is fine for X509 cred. But pls make sure we have follow up for FIC via MSI and for FIC via OIDC

gladjohn and others added 2 commits June 11, 2026 17:38
PR #3835 introduces use of CredentialDescription.UseBoundCredential,
which was added in Microsoft.Identity.Abstractions 12.1.0. The pinned
version (12.0.0) does not expose this property, causing CS1061 on every
target framework in the 'Build and run unit tests' workflow.

Bumping the default MicrosoftIdentityAbstractionsVersion to 12.1.0
restores compilation across net462, net472, netstandard2.0, net8.0,
net9.0, and net10.0.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Resolved Directory.Build.props conflict by combining master's bumps
(MicrosoftIdentityClientVersion 4.84.1 -> 4.84.2, new
MicrosoftIdentityClientKeyAttestationVersion 4.84.2) with the
abstractions 12.1.0 bump required by this PR's use of
CredentialDescription.UseBoundCredential.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@gladjohn gladjohn marked this pull request as ready for review June 12, 2026 00:43
@gladjohn gladjohn requested a review from a team as a code owner June 12, 2026 00:43
@gladjohn

Contributor Author

This is fine for X509 cred. But pls make sure we have follow up for FIC via MSI and for FIC via OIDC

MSI + FIC is merged - #3839

OIDC is tracked separately

@gladjohn gladjohn merged commit 464ae8f into master Jun 12, 2026
6 checks passed
@gladjohn gladjohn deleted the gladjohn/bearer-bound-credentials branch June 12, 2026 13:56
This was referenced Jun 24, 2026