mghabin · mghabin · Apr 24, 2026 · Apr 24, 2026
@@ -9,7 +9,6 @@
 
     <!-- Quality gates -->
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
-    <WarningsNotAsErrors>NU1902;NU1903</WarningsNotAsErrors>
     <EnforceCodeStyleInBuild>true</EnforceCodeStyleInBuild>
     <AnalysisLevel>latest-recommended</AnalysisLevel>
 

@@ -7,30 +7,37 @@
 
   <ItemGroup Label="ASP.NET Core / Microsoft.Extensions">
     <PackageVersion Include="Microsoft.AspNetCore.OpenApi" Version="10.0.7" />
-    <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.0" />
-    <PackageVersion Include="Microsoft.Extensions.Configuration.Json" Version="10.0.0" />
-    <PackageVersion Include="Microsoft.Extensions.Hosting" Version="10.0.0" />
-    <PackageVersion Include="Microsoft.Extensions.Http" Version="10.0.0" />
-    <PackageVersion Include="Microsoft.Extensions.Http.Resilience" Version="10.0.0" />
-    <PackageVersion Include="Microsoft.Extensions.Options" Version="10.0.0" />
-    <PackageVersion Include="Microsoft.Extensions.Options.DataAnnotations" Version="10.0.0" />
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.7" />
+    <PackageVersion Include="Microsoft.AspNetCore.DataProtection" Version="10.0.7" />
+    <PackageVersion Include="Microsoft.Extensions.Configuration.Json" Version="10.0.7" />
+    <PackageVersion Include="Microsoft.Extensions.Hosting" Version="10.0.7" />
+    <PackageVersion Include="Microsoft.Extensions.Http" Version="10.0.7" />
+    <PackageVersion Include="Microsoft.Extensions.Http.Resilience" Version="10.1.0" />
+    <PackageVersion Include="Microsoft.Extensions.Options" Version="10.0.7" />
+    <PackageVersion Include="Microsoft.Extensions.Options.DataAnnotations" Version="10.0.7" />
   </ItemGroup>
 
   <ItemGroup Label="Identity / Azure">
-    <PackageVersion Include="Microsoft.Identity.Web" Version="3.5.0" />
-    <PackageVersion Include="Microsoft.Identity.Web.DownstreamApi" Version="3.5.0" />
-    <PackageVersion Include="Microsoft.Identity.Client" Version="4.66.2" />
-    <PackageVersion Include="Azure.Identity" Version="1.13.1" />
+    <PackageVersion Include="Microsoft.Identity.Web" Version="4.8.0" />
+    <PackageVersion Include="Microsoft.Identity.Web.DownstreamApi" Version="4.8.0" />
+    <PackageVersion Include="Microsoft.Identity.Abstractions" Version="12.0.0" />
+    <PackageVersion Include="Microsoft.Identity.Client" Version="4.83.3" />
+    <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.17.0" />
+    <PackageVersion Include="Microsoft.IdentityModel.Tokens" Version="8.17.0" />
+    <PackageVersion Include="Microsoft.IdentityModel.Validators" Version="8.17.0" />
+    <PackageVersion Include="Azure.Identity" Version="1.21.0" />
     <PackageVersion Include="Azure.Security.KeyVault.Certificates" Version="4.7.0" />
     <PackageVersion Include="Azure.Security.KeyVault.Secrets" Version="4.7.0" />
+    <PackageVersion Include="System.Security.Cryptography.Xml" Version="10.0.7" />
   </ItemGroup>
 
   <ItemGroup Label="Observability">
-    <PackageVersion Include="OpenTelemetry.Extensions.Hosting" Version="1.10.0" />
-    <PackageVersion Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.10.0" />
-    <PackageVersion Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.10.1" />
-    <PackageVersion Include="OpenTelemetry.Instrumentation.Http" Version="1.10.0" />
-    <PackageVersion Include="OpenTelemetry.Instrumentation.Runtime" Version="1.10.0" />
+    <PackageVersion Include="OpenTelemetry.Api" Version="1.15.3" />
+    <PackageVersion Include="OpenTelemetry.Extensions.Hosting" Version="1.15.3" />
+    <PackageVersion Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.15.3" />
+    <PackageVersion Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.15.2" />
+    <PackageVersion Include="OpenTelemetry.Instrumentation.Http" Version="1.15.1" />
+    <PackageVersion Include="OpenTelemetry.Instrumentation.Runtime" Version="1.15.1" />
   </ItemGroup>
 
   <ItemGroup Label="Analyzers">
@@ -42,7 +49,7 @@
     <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
     <PackageVersion Include="xunit.v3" Version="1.0.1" />
     <PackageVersion Include="xunit.runner.visualstudio" Version="3.0.1" />
-    <PackageVersion Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.0" />
+    <PackageVersion Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.7" />
     <PackageVersion Include="Shouldly" Version="4.2.1" />
     <PackageVersion Include="NSubstitute" Version="5.3.0" />
   </ItemGroup>

@@ -1,5 +1,6 @@
 <Solution>
   <Folder Name="/src/">
+    <Project Path="src/Ftgo.Auth.Client/Ftgo.Auth.Client.csproj" />
     <Project Path="src/Ftgo.Auth/Ftgo.Auth.csproj" />
     <Project Path="src/Ftgo.ApiGateway/Ftgo.ApiGateway.csproj" />
     <Project Path="src/Ftgo.OrderService/Ftgo.OrderService.csproj" />

@@ -17,35 +17,79 @@ internal sealed class KeyVaultCertOptions
 {
     [Required, Url] public string Uri { get; init; } = string.Empty;
     [Required] public string CertName { get; init; } = string.Empty;
+
+    /// <summary>
+    /// Optional user-assigned managed identity client ID. Leave empty to use system-assigned MI.
+    /// </summary>
+    public string? ManagedIdentityClientId { get; init; }
 }
 
 /// <summary>
 /// AccountingService — app token via CERTIFICATE (cert pulled from Key Vault with its private key).
+/// Cert is loaded asynchronously in <see cref="StartAsync"/> so the DI container stays free of sync I/O,
+/// and the credential pulling the cert is restricted to <see cref="ManagedIdentityCredential"/>
+/// (no fallback chain) for predictable production behaviour.
 /// </summary>
-internal sealed class CertificateTokenProvider : IAppTokenProvider, IDisposable
+internal sealed partial class CertificateTokenProvider : IAppTokenProvider, IHostedService, IDisposable
 {
-    private readonly IConfidentialClientApplication _app;
-    private readonly X509Certificate2 _certificate;
+    private readonly IOptions<AzureAdOptions> _aad;
+    private readonly IOptions<KeyVaultCertOptions> _kv;
+    private readonly ILogger<CertificateTokenProvider> _logger;
+    private IConfidentialClientApplication? _app;
+    private X509Certificate2? _certificate;
 
     public CertificateTokenProvider(
         IOptions<AzureAdOptions> aad,
-        IOptions<KeyVaultCertOptions> kv)
+        IOptions<KeyVaultCertOptions> kv,
+        ILogger<CertificateTokenProvider> logger)
     {
-        var certClient = new CertificateClient(new Uri(kv.Value.Uri), new DefaultAzureCredential());
-        _certificate = certClient.DownloadCertificate(kv.Value.CertName);
+        _aad = aad;
+        _kv = kv;
+        _logger = logger;
+    }
+
+    public async Task StartAsync(CancellationToken cancellationToken)
+    {
+        var credential = string.IsNullOrWhiteSpace(_kv.Value.ManagedIdentityClientId)
+            ? new ManagedIdentityCredential(ManagedIdentityId.SystemAssigned)
+            : new ManagedIdentityCredential(
+                ManagedIdentityId.FromUserAssignedClientId(_kv.Value.ManagedIdentityClientId));
+
+        var certClient = new CertificateClient(new Uri(_kv.Value.Uri), credential);
+        var downloaded = await certClient.DownloadCertificateAsync(
+            new DownloadCertificateOptions(_kv.Value.CertName)
+            {
+                KeyStorageFlags = X509KeyStorageFlags.EphemeralKeySet,
+            },
+            cancellationToken).ConfigureAwait(false);
+
+        _certificate = downloaded.Value;
 
         _app = ConfidentialClientApplicationBuilder
-            .Create(aad.Value.ClientId)
-            .WithAuthority($"https://login.microsoftonline.com/{aad.Value.TenantId}")
+            .Create(_aad.Value.ClientId)
+            .WithAuthority($"https://login.microsoftonline.com/{_aad.Value.TenantId}")
             .WithCertificate(_certificate)
             .Build();
+
+        LogCertLoaded(_kv.Value.CertName);
     }
 
+    public Task StopAsync(CancellationToken cancellationToken) => Task.CompletedTask;
+
     public async ValueTask<string> GetAccessTokenAsync(string scope, CancellationToken cancellationToken)
     {
-        var result = await _app.AcquireTokenForClient([scope]).ExecuteAsync(cancellationToken);
+        if (_app is null)
+        {
+            throw new InvalidOperationException(
+                $"{nameof(CertificateTokenProvider)} was used before {nameof(StartAsync)} completed.");
+        }
+
+        var result = await _app.AcquireTokenForClient([scope]).ExecuteAsync(cancellationToken).ConfigureAwait(false);
         return result.AccessToken;
     }
 
-    public void Dispose() => _certificate.Dispose();
+    public void Dispose() => _certificate?.Dispose();
+
+    [LoggerMessage(EventId = 4000, Level = Microsoft.Extensions.Logging.LogLevel.Information, Message = "Certificate '{CertName}' loaded from Key Vault.")]
+    private partial void LogCertLoaded(string certName);
 }
@@ -11,7 +11,7 @@
     <PackageReference Include="Microsoft.Identity.Client" />
   </ItemGroup>
   <ItemGroup>
-    <ProjectReference Include="..\Ftgo.Auth\Ftgo.Auth.csproj" />
+    <ProjectReference Include="..\Ftgo.Auth.Client\Ftgo.Auth.Client.csproj" />
   </ItemGroup>
   <ItemGroup>
     <None Update="appsettings.json"><CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory></None>

@@ -20,7 +20,12 @@
 
 builder.Services.AddEntraAuthTelemetry("Ftgo.AccountingService");
 builder.Services.AddEntraAuthDownstreamApi();
-builder.Services.AddSingleton<IAppTokenProvider, CertificateTokenProvider>();
+
+// CertificateTokenProvider must be registered as a hosted service so its async cert load
+// runs before DownstreamProbeService (hosted services start in registration order).
+builder.Services.AddSingleton<CertificateTokenProvider>();
+builder.Services.AddSingleton<IAppTokenProvider>(sp => sp.GetRequiredService<CertificateTokenProvider>());
+builder.Services.AddHostedService(sp => sp.GetRequiredService<CertificateTokenProvider>());
 builder.Services.AddHostedService<DownstreamProbeService>();
 
 await builder.Build().RunAsync();