Bearer Requests should Fallback to IMDS in Preview (#5562)

gladjohn · web-flow · commit 2d65ccd28fe5 · 2025-10-30T16:15:59.000-07:00
* fallback to IMDS in PROD

* comment updates
diff --git a/src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentityClient.cs b/src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentityClient.cs
@@ -52,30 +52,34 @@ private async Task<AbstractManagedIdentity> GetOrSelectManagedIdentitySourceAsyn
             {
                 requestContext.Logger.Info($"[Managed Identity] Selecting managed identity source if not cached. Cached value is {s_sourceName} ");
 
-                var source = ManagedIdentitySource.None;
+                ManagedIdentitySource source;
 
                 // If the source is not already set, determine it
                 if (s_sourceName == ManagedIdentitySource.None)
                 {
+                    // First invocation: detect and cache
                     source = await GetManagedIdentitySourceAsync(requestContext).ConfigureAwait(false);
                 }
-                // If the source has already been set to ImdsV2 (via this method, or GetManagedIdentitySourceAsync in ManagedIdentityApplication.cs) and mTLS PoP was NOT requested
+                else
+                {
+                    // Reuse cached value
+                    source = s_sourceName;
+                }
+
+                // If the source has already been set to ImdsV2 (via this method,
+                // or GetManagedIdentitySourceAsync in ManagedIdentityApplication.cs) and mTLS PoP was NOT requested
                 // In this case, we need to fall back to ImdsV1, because ImdsV2 currently only supports mTLS PoP requests
-                else if ((s_sourceName == ManagedIdentitySource.ImdsV2) && !isMtlsPopRequested)
+                if (source == ManagedIdentitySource.ImdsV2 && !isMtlsPopRequested)
                 {
                     requestContext.Logger.Info("[Managed Identity] ImdsV2 detected, but mTLS PoP was not requested. Falling back to ImdsV1 for this request only. Please use the \"WithMtlsProofOfPossession\" API to request a token via ImdsV2.");
-
-                    // keep the cached source (s_sourceName) as ImdsV2, since the developer may decide to use mTLS PoP in subsequent requests
-
+                    // Do NOT modify s_sourceName; keep cached ImdsV2 so future PoP
+                    // requests can leverage it.
                     source = ManagedIdentitySource.DefaultToImds;
                 }
-                else
-                {
-                    source = s_sourceName;
-                }
 
-                // If the source is determined to be ImdsV1 and mTLS PoP was requested, throw an exception since ImdsV1 does not support mTLS PoP
-                if ((source == ManagedIdentitySource.DefaultToImds) && isMtlsPopRequested)
+                // If the source is determined to be ImdsV1 and mTLS PoP was requested,
+                // throw an exception since ImdsV1 does not support mTLS PoP
+                if (source == ManagedIdentitySource.DefaultToImds && isMtlsPopRequested)
                 {
                     throw new MsalClientException(
                         MsalError.MtlsPopTokenNotSupportedinImdsV1,
diff --git a/tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/ImdsV2Tests.cs b/tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/ImdsV2Tests.cs
@@ -1462,5 +1462,42 @@ private static void AssertCertSubjectCnDc(X509Certificate2 cert, string expected
         }
 
         #endregion
+        
+        #region Fallback Behavior Tests
+        // Verifies non-mTLS request after IMDSv2 detection falls back per-request to IMDSv1 (Bearer),
+        [DataTestMethod]
+        [DataRow(UserAssignedIdentityId.None, null)]
+        [DataRow(UserAssignedIdentityId.ClientId, TestConstants.ClientId)]
+        public async Task NonMtlsRequest_FallbackToImdsV1(
+            UserAssignedIdentityId idKind,
+            string idValue)
+        {
+            using (new EnvVariableContext())
+            using (var httpManager = new MockHttpManager())
+            {
+                ManagedIdentityClient.ResetSourceForTest();
+                SetEnvironmentVariables(ManagedIdentitySource.ImdsV2, TestConstants.ImdsEndpoint);
+
+                var mi = await CreateManagedIdentityAsync(httpManager, idKind, idValue, managedIdentityKeyType: ManagedIdentityKeyType.KeyGuard).ConfigureAwait(false);
+
+                // Fallback token (Bearer) mock
+                httpManager.AddManagedIdentityMockHandler(
+                    ManagedIdentityTests.ImdsEndpoint,
+                    ManagedIdentityTests.Resource,
+                    MockHelpers.GetMsiSuccessfulResponse(),
+                    ManagedIdentitySource.Imds,
+                    userAssignedIdentityId: idKind,
+                    userAssignedId: idValue);
+
+                var token = await mi.AcquireTokenForManagedIdentity(ManagedIdentityTests.Resource)
+                    // No .WithMtlsProofOfPossession() => triggers fallback
+                    .ExecuteAsync().ConfigureAwait(false);
+
+                Assert.AreEqual(Bearer, token.TokenType);
+                Assert.IsNull(token.BindingCertificate, "Bearer token should not have binding certificate.");
+                Assert.AreEqual(TokenSource.IdentityProvider, token.AuthenticationResultMetadata.TokenSource);
+            }
+        }
+        #endregion
     }
 }
