pr comments

Author: GladwinJohnson

src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs

@@ -97,35 +97,19 @@ public AcquireTokenForClientParameterBuilder WithSendX5C(bool withSendX5C)
         /// <returns>The current instance of <see cref="AcquireTokenForClientParameterBuilder"/> to enable method chaining.</returns>
         public AcquireTokenForClientParameterBuilder WithMtlsProofOfPossession()
         {
-            if (ServiceBundle.Config.ClientCredential is CertificateClientCredential certCred)
+            if (ServiceBundle.Config.ClientCredential is CertificateClientCredential certificateCredential)
             {
-                CommonParameters.AuthenticationOperation =
-                    new MtlsPopAuthenticationOperation(certCred.Certificate);
-                CommonParameters.MtlsCertificate = certCred.Certificate;
-            }
-            else if (ServiceBundle.Config.ClientCredential is ClientAssertionDelegateCredential assertCred)
-            {
-                X509Certificate2 cert = assertCred.PeekCertificate(ServiceBundle.Config.ClientId);
-                
-                if (cert == null)
+                if (certificateCredential.Certificate == null)
                 {
-                    // Delegate did not supply a certificate ➜ cannot proceed with mTLS‑PoP
                     throw new MsalClientException(
-                        MsalError.MtlsCertificateNotProvided,
-                        MsalErrorMessage.MtlsCertificateNotProvidedMessage);
-                }
-
-                CommonParameters.AuthenticationOperation =
-                    new MtlsPopAuthenticationOperation(cert);
-                CommonParameters.MtlsCertificate = cert;
-            }
-            else
-            {
-                throw new MsalClientException(
                     MsalError.MtlsCertificateNotProvided,
                     MsalErrorMessage.MtlsCertificateNotProvidedMessage);
-            }
+                }
 
+                CommonParameters.AuthenticationOperation = new MtlsPopAuthenticationOperation(certificateCredential.Certificate);
+                CommonParameters.MtlsCertificate = certificateCredential.Certificate;               
+            }
+            CommonParameters.IsPopEnabled = true;
             return this;
         }
 

src/client/Microsoft.Identity.Client/ApiConfig/Executors/ConfidentialClientExecutor.cs

@@ -2,12 +2,15 @@
 // Licensed under the MIT License.
 
 using System;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Identity.Client.ApiConfig.Parameters;
 using Microsoft.Identity.Client.AuthScheme.PoP;
 using Microsoft.Identity.Client.Instance.Discovery;
+using Microsoft.Identity.Client.Instance.Validation;
 using Microsoft.Identity.Client.Internal;
+using Microsoft.Identity.Client.Internal.ClientCredential;
 using Microsoft.Identity.Client.Internal.Requests;
 using Microsoft.Identity.Client.ManagedIdentity;
 using Microsoft.Identity.Client.Utils;
@@ -55,6 +58,9 @@ public async Task<AuthenticationResult> ExecuteAsync(
             AcquireTokenForClientParameters clientParameters,
             CancellationToken cancellationToken)
         {
+            await PopBindingResolver.ValidateAndWireAsync(ServiceBundle, commonParameters,cancellationToken)
+                .ConfigureAwait(false);
+
             RequestContext requestContext = CreateRequestContextAndLogVersionInfo(commonParameters.CorrelationId, commonParameters.MtlsCertificate, cancellationToken);
 
             AuthenticationRequestParameters requestParams = await _confidentialClientApplication.CreateRequestParametersAsync(

src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenCommonParameters.cs

@@ -33,5 +33,6 @@ internal class AcquireTokenCommonParameters
         public SortedList<string, string> CacheKeyComponents { get; internal set; }
         public string FmiPathSuffix { get; internal set; }
         public string ClientAssertionFmiPath { get; internal set; }
+        public bool IsPopEnabled { get; set; }
     }
 }

src/client/Microsoft.Identity.Client/AppConfig/ConfidentialClientApplicationBuilder.cs

@@ -287,21 +287,16 @@ public ConfidentialClientApplicationBuilder WithClientAssertion(Func<AssertionRe
         /// <remarks>This method allows the client application to authenticate using a custom client
         /// assertion, which can be useful in scenarios where the assertion needs to be dynamically generated or
         /// retrieved.</remarks>
-        /// <param name="boundAssertionAsync">A delegate that asynchronously provides an <see cref="AssertionResponse"/> based on the given <see
+        /// <param name="clientAssertionProvider">A delegate that asynchronously provides an <see cref="AssertionResponse"/> based on the given <see
         /// cref="AssertionRequestOptions"/> and <see cref="CancellationToken"/>. This delegate must not be <see
         /// langword="null"/>.</param>
         /// <returns>The <see cref="ConfidentialClientApplicationBuilder"/> instance configured with the specified client
         /// assertion.</returns>
-        /// <exception cref="ArgumentNullException">Thrown if <paramref name="boundAssertionAsync"/> is <see langword="null"/>.</exception>
+        /// <exception cref="ArgumentNullException">Thrown if <paramref name="clientAssertionProvider"/> is <see langword="null"/>.</exception>
         public ConfidentialClientApplicationBuilder WithClientAssertion(Func<AssertionRequestOptions,
-            CancellationToken, Task<AssertionResponse>> boundAssertionAsync)
+            CancellationToken, Task<AssertionResponse>> clientAssertionProvider)
         {
-            if (boundAssertionAsync == null)
-            {
-                throw new ArgumentNullException(nameof(boundAssertionAsync));
-            }
-
-            Config.ClientCredential = new ClientAssertionDelegateCredential(boundAssertionAsync);
+            Config.ClientCredential = new ClientAssertionDelegateCredential(clientAssertionProvider);
             return this;
         }
 

src/client/Microsoft.Identity.Client/AuthScheme/PoP/PopBindingResolver.cs

@@ -0,0 +1,113 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using System.Security.Cryptography.X509Certificates;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Identity.Client.ApiConfig.Parameters;
+using Microsoft.Identity.Client.AuthScheme.PoP;
+using Microsoft.Identity.Client.Internal;
+using Microsoft.Identity.Client.Internal.ClientCredential;
+using Microsoft.Identity.Client.Internal.Requests;
+
+namespace Microsoft.Identity.Client.AuthScheme.PoP
+{
+    /// <summary>
+    /// Central place for validating mTLS Proof‑of‑Possession pre‑conditions
+    /// and wiring up <see cref="MtlsPopAuthenticationOperation"/>.
+    /// </summary>
+    internal static class PopBindingResolver
+    {
+        /// <summary>
+        /// Ensures a certificate is available, region settings are correct,
+        /// and populates <see cref="AcquireTokenCommonParameters.AuthenticationOperation"/>
+        /// and <see cref="AcquireTokenCommonParameters.MtlsCertificate"/>.
+        /// </summary>
+        internal static async Task ValidateAndWireAsync(IServiceBundle serviceBundle,
+            AcquireTokenCommonParameters commonParameters,
+            CancellationToken ct)
+        {
+            if (!commonParameters.IsPopEnabled)
+            {
+                return; // PoP not requested
+            }
+
+            // ────────────────────────────────────
+            // Case 1 – Certificate credential
+            // ────────────────────────────────────
+            if (serviceBundle.Config.ClientCredential is CertificateClientCredential certCred)
+            {
+                if (certCred.Certificate == null)
+                {
+                    throw new MsalClientException(
+                        MsalError.MtlsCertificateNotProvided,
+                        MsalErrorMessage.MtlsCertificateNotProvidedMessage);
+                }
+
+                return;
+            }
+
+            // ────────────────────────────────────
+            // Case 2 – Client‑assertion delegate
+            // ────────────────────────────────────
+            if (serviceBundle.Config.ClientCredential is ClientAssertionDelegateCredential cadc)
+            {
+                var opts = new AssertionRequestOptions
+                {
+                    ClientID = serviceBundle.Config.ClientId,
+                    ClientCapabilities = serviceBundle.Config.ClientCapabilities,
+                    Claims = commonParameters.Claims,
+                    CancellationToken = ct
+                };
+
+                AssertionResponse ar = await cadc.GetAssertionAsync(opts, ct).ConfigureAwait(false);
+
+                if (ar.TokenBindingCertificate == null)
+                {
+                    throw new MsalClientException(
+                        MsalError.MtlsCertificateNotProvided,
+                        MsalErrorMessage.MtlsCertificateNotProvidedMessage);
+                }
+
+                Wire(commonParameters, ar.TokenBindingCertificate, serviceBundle);
+                return;
+            }
+
+            // ────────────────────────────────────
+            // Case 3 – Any other credential (client‑secret etc.)
+            // ────────────────────────────────────
+            throw new MsalClientException(
+                MsalError.MtlsCertificateNotProvided,
+                MsalErrorMessage.MtlsCertificateNotProvidedMessage);
+        }
+
+        /// <summary>
+        /// Common wiring + region check.
+        /// </summary>
+        private static void Wire(
+            AcquireTokenCommonParameters commonParameters,
+            X509Certificate2 cert,
+            IServiceBundle serviceBundle)
+        {
+            // Region requirement (AAD only)
+            if (serviceBundle.Config.Authority.AuthorityInfo.AuthorityType == AuthorityType.Aad &&
+                serviceBundle.Config.AzureRegion == null)
+            {
+                throw new MsalClientException(
+                    MsalError.MtlsPopWithoutRegion,
+                    MsalErrorMessage.MtlsPopWithoutRegion);
+            }
+
+            commonParameters.AuthenticationOperation = new MtlsPopAuthenticationOperation(cert);
+            commonParameters.MtlsCertificate = cert;
+
+            commonParameters.CacheKeyComponents ??= new SortedList<string, string>(StringComparer.Ordinal);
+
+            commonParameters.CacheKeyComponents[Constants.CertSerialNumber] = cert.SerialNumber;
+
+            serviceBundle.Config.CertificateIdToAssociateWithToken = cert.Thumbprint;
+        }
+    }
+}

src/client/Microsoft.Identity.Client/Internal/ClientCredential/ClientAssertionDelegateCredential.cs

@@ -5,6 +5,9 @@
 using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.Identity.Client;
+using Microsoft.Identity.Client.AuthScheme.PoP;
+using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.Internal.Requests;
 using Microsoft.Identity.Client.OAuth2;
 using Microsoft.Identity.Client.PlatformsCommon.Interfaces;
@@ -13,94 +16,78 @@
 namespace Microsoft.Identity.Client.Internal.ClientCredential
 {
     /// <summary>
-    /// Handles client assertions supplied via a delegate that returns
-    /// <see cref="AssertionResponse"/> (JWT + optional certificate).
+    /// Handles client assertions supplied via a delegate that returns an
+    /// <see cref="AssertionResponse"/> (JWT + optional certificate bound for mTLS‑PoP).
     /// </summary>
     internal sealed class ClientAssertionDelegateCredential : IClientCredential
     {
-        private readonly Func<AssertionRequestOptions, CancellationToken, Task<AssertionResponse>> _assertionDelegate;
+        private readonly Func<AssertionRequestOptions, CancellationToken, Task<AssertionResponse>> _provider;
+
+        internal Task<AssertionResponse> GetAssertionAsync(
+                AssertionRequestOptions options,
+                CancellationToken cancellationToken) =>
+            _provider(options, cancellationToken);
 
         public ClientAssertionDelegateCredential(
-            Func<AssertionRequestOptions, CancellationToken, Task<AssertionResponse>> assertionDelegate)
+            Func<AssertionRequestOptions, CancellationToken, Task<AssertionResponse>> provider)
         {
-            _assertionDelegate = assertionDelegate ?? throw new ArgumentNullException(nameof(assertionDelegate));
+            _provider = provider ?? throw new ArgumentNullException(nameof(provider));
         }
 
         public AssertionType AssertionType => AssertionType.ClientAssertion;
 
-        private X509Certificate2 _cachedCertificate;
-
-        internal X509Certificate2 PeekCertificate(string clientId)
-        {
-            // Return the cached value if we already probed once
-            if (_cachedCertificate != null)
-            {
-                return _cachedCertificate;
-            }
-
-            try
-            {
-                var probeOpts = new AssertionRequestOptions
-                {
-                    ClientID = clientId,
-                };
-
-                var resp = _assertionDelegate(probeOpts, CancellationToken.None)
-                                 .ConfigureAwait(false)
-                                 .GetAwaiter()
-                                 .GetResult();
-
-                _cachedCertificate = resp?.TokenBindingCertificate;
-            }
-            catch
-            {
-            }
-
-            return _cachedCertificate;
-        }
+        // ──────────────────────────────────
+        //  Expose the certificate we used in the *last* call
+        // ──────────────────────────────────
+        private X509Certificate2 _lastCertificate;
+        internal X509Certificate2 LastCertificate => _lastCertificate;
 
+        // ──────────────────────────────────
+        //  Main hook for token requests
+        // ──────────────────────────────────
         public async Task AddConfidentialClientParametersAsync(
             OAuth2Client oAuth2Client,
-            AuthenticationRequestParameters requestParameters,
-            ICryptographyManager cryptographyManager,
+            AuthenticationRequestParameters p,
+            ICryptographyManager _,
             string tokenEndpoint,
-            CancellationToken cancellationToken)
+            CancellationToken ct)
         {
-            // Build the same AssertionRequestOptions old code produced
             var opts = new AssertionRequestOptions
             {
-                CancellationToken = cancellationToken,
-                ClientID = requestParameters.AppConfig.ClientId,
+                CancellationToken = ct,
+                ClientID = p.AppConfig.ClientId,
                 TokenEndpoint = tokenEndpoint,
-                ClientCapabilities = requestParameters.RequestContext.ServiceBundle.Config.ClientCapabilities,
-                Claims = requestParameters.Claims,
-                ClientAssertionFmiPath = requestParameters.ClientAssertionFmiPath
+                ClientCapabilities = p.RequestContext.ServiceBundle.Config.ClientCapabilities,
+                Claims = p.Claims,
+                ClientAssertionFmiPath = p.ClientAssertionFmiPath
             };
 
-            // Execute delegate
-            AssertionResponse resp = await _assertionDelegate(opts, cancellationToken)
-                                            .ConfigureAwait(false);
+            AssertionResponse resp = await _provider(opts, ct).ConfigureAwait(false);
 
-            // Empty JWT is not allowed
-            if (string.IsNullOrWhiteSpace(resp.Assertion))
+            if (string.IsNullOrWhiteSpace(resp?.Assertion))
             {
-                throw new ArgumentException(
-                    "The assertion delegate returned an empty JWT.",
-                    nameof(_assertionDelegate));
+                throw new MsalClientException(MsalError.InvalidClientAssertion,
+                    MsalErrorMessage.InvalidClientAssertionEmpty);
             }
 
-            // Set assertion type
-            if (resp.TokenBindingCertificate != null)
+            // Decide bearer vs PoP
+            bool popEnabled = p.IsPopEnabled;
+
+            if (popEnabled && resp.TokenBindingCertificate != null)
             {
                 oAuth2Client.AddBodyParameter(
                     OAuth2Parameter.ClientAssertionType,
-                    OAuth2AssertionType.JwtPop);
+                    OAuth2AssertionType.JwtPop /* constant added in OAuth2AssertionType */);
+
+                _lastCertificate = resp.TokenBindingCertificate;
             }
             else
             {
                 oAuth2Client.AddBodyParameter(
                     OAuth2Parameter.ClientAssertionType,
                     OAuth2AssertionType.JwtBearer);
+
+                _lastCertificate = null;
             }
 
             oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertion, resp.Assertion);

src/client/Microsoft.Identity.Client/Internal/Requests/AuthenticationRequestParameters.cs

@@ -111,6 +111,8 @@ public AuthenticationRequestParameters(
 
         public X509Certificate2 MtlsCertificate => _commonParameters.MtlsCertificate;
 
+        public bool IsPopEnabled => _commonParameters.IsPopEnabled;
+
         /// <summary>
         /// Indicates if the user configured claims via .WithClaims. Not affected by Client Capabilities
         /// </summary>