more fixes

GladwinJohnson · GladwinJohnson · commit 6bab3bfe5546 · 2025-08-07T13:23:36.000-07:00
diff --git a/tests/Microsoft.Identity.Test.Unit/PublicApiTests/ClientAssertionTests.cs b/tests/Microsoft.Identity.Test.Unit/PublicApiTests/ClientAssertionTests.cs
@@ -353,9 +353,16 @@ public async Task ClientAssertion_BearerAsync()
             var result = await cca.AcquireTokenForClient(TestConstants.s_scope)
                                   .ExecuteAsync().ConfigureAwait(false);
 
+            Assert.AreEqual(TokenSource.IdentityProvider, result.AuthenticationResultMetadata.TokenSource);
+
             Assert.AreEqual(
                 "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
                 handler.ActualRequestPostData["client_assertion_type"]);
+
+            result = await cca.AcquireTokenForClient(TestConstants.s_scope)
+                                  .ExecuteAsync().ConfigureAwait(false);
+
+            Assert.AreEqual(TokenSource.Cache, result.AuthenticationResultMetadata.TokenSource);
         }
 
         [TestMethod]
@@ -509,6 +516,73 @@ public async Task WithMtlsPop_AfterPoPDelegate_Works()
             }
         }
 
+        [TestMethod]
+        public async Task PoP_CachedTokenWithDifferentCertificate_IsBypassedAsync()
+        {
+            const string region = "eastus";
+
+            // ─────────── Set up HTTP mocks ───────────
+            using var httpManager = new MockHttpManager();
+            using (var envContext = new EnvVariableContext())
+            {
+                Environment.SetEnvironmentVariable("REGION_NAME", region);
+
+                // 1st network call returns token‑A
+                httpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage(
+                            tokenType: "mtls_pop");
+
+                // 2nd network call returns token‑B
+                httpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage(
+                            tokenType: "mtls_pop");
+
+                // ─────────── Two distinct certificates ───────────
+                var certA = CertHelper.GetOrCreateTestCert();
+                var certB = CertHelper.GetOrCreateTestCert(regenerateCert: true);
+
+                // Delegate returns certA on first call, certB on second call
+                int callCount = 0;
+                Func<AssertionRequestOptions, CancellationToken, Task<AssertionResponse>> popDelegate =
+                    (opts, ct) =>
+                    {
+                        callCount++;
+                        var cert = (callCount == 1) ? certA : certB;
+                        return Task.FromResult(new AssertionResponse
+                        {
+                            Assertion = $"jwt_{callCount}",      // payload not important for this test
+                            TokenBindingCertificate = cert
+                        });
+                    };
+
+                // ─────────── Build the app ───────────
+                var cca = ConfidentialClientApplicationBuilder.Create(TestConstants.ClientId)
+                           .WithClientSecret(TestConstants.ClientSecret)
+                           .WithClientAssertion(popDelegate)
+                           .WithAuthority($"https://login.microsoftonline.com/123456-1234-2345-1234561234")
+                           .WithAzureRegion(ConfidentialClientApplication.AttemptRegionDiscovery)
+                           .WithHttpManager(httpManager)
+                           .BuildConcrete();
+
+                // ─────────── First acquire – network call, caches token‑A bound to certA ───────────
+                AuthenticationResult first = await cca.AcquireTokenForClient(TestConstants.s_scope)
+                    .WithMtlsProofOfPossession()
+                    .ExecuteAsync()
+                    .ConfigureAwait(false);
+
+                Assert.AreEqual(TokenSource.IdentityProvider, first.AuthenticationResultMetadata.TokenSource);
+                Assert.AreEqual(certA.Thumbprint, first.BindingCertificate.Thumbprint);
+
+                // ─────────── Second acquire – delegate now returns certB ───────────
+                AuthenticationResult second = await cca.AcquireTokenForClient(TestConstants.s_scope)
+                    .WithMtlsProofOfPossession()
+                    .ExecuteAsync()
+                    .ConfigureAwait(false);
+
+                // The serial number mismatch should have forced a network call, not a cache hit
+                Assert.AreEqual(TokenSource.IdentityProvider, second.AuthenticationResultMetadata.TokenSource);
+                Assert.AreEqual(certB.Thumbprint, second.BindingCertificate.Thumbprint);
+            }
+        }
+
         [TestMethod]
         public async Task WithMtlsPop_AfterBearerDelegate_Throws()
         {
diff --git a/tests/Microsoft.Identity.Test.Unit/PublicApiTests/MtlsPopTests.cs b/tests/Microsoft.Identity.Test.Unit/PublicApiTests/MtlsPopTests.cs
@@ -328,6 +328,74 @@ public async Task AcquireMtlsPopTokenForClientWithTenantId_SuccessAsync()
             }
         }
 
+        [TestMethod]
+        public async Task AcquireMtlsPopTokenForClientWithTenantIdCertChecks_Async()
+        {
+            const string region = "eastus";
+            
+            // ─────────── Two distinct certificates ───────────
+            var certA = CertHelper.GetOrCreateTestCert();
+            var certB = CertHelper.GetOrCreateTestCert(regenerateCert: true);
+
+            using (var envContext = new EnvVariableContext())
+            {
+                Environment.SetEnvironmentVariable("REGION_NAME", region);
+
+                // Set the expected mTLS endpoint for public cloud
+                string globalEndpoint = "mtlsauth.microsoft.com";
+                string expectedTokenEndpoint = $"https://{region}.{globalEndpoint}/123456-1234-2345-1234561234/oauth2/v2.0/token";
+
+                using (var httpManager = new MockHttpManager())
+                {
+                    // Set up mock handler with expected token endpoint URL
+                    httpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage(
+                        tokenType: "mtls_pop");
+
+                    var app = ConfidentialClientApplicationBuilder.Create(TestConstants.ClientId)
+                        .WithCertificate(certA)
+                        .WithTenantId("123456-1234-2345-1234561234")
+                        .WithAzureRegion(ConfidentialClientApplication.AttemptRegionDiscovery)
+                        .WithHttpManager(httpManager)
+                        .BuildConcrete();
+
+                    // First token acquisition - should hit the identity provider
+                    AuthenticationResult result = await app.AcquireTokenForClient(TestConstants.s_scope)
+                        .WithMtlsProofOfPossession()
+                        .ExecuteAsync()
+                        .ConfigureAwait(false);
+
+                    Assert.AreEqual("header.payload.signature", result.AccessToken);
+                    Assert.AreEqual(Constants.MtlsPoPAuthHeaderPrefix, result.TokenType);
+                    Assert.AreEqual(region, result.AuthenticationResultMetadata.RegionDetails.RegionUsed);
+                    Assert.AreEqual(expectedTokenEndpoint, result.AuthenticationResultMetadata.TokenEndpoint);
+                    Assert.AreEqual(certA.Thumbprint, result.BindingCertificate.Thumbprint);
+
+                    app = ConfidentialClientApplicationBuilder.Create(TestConstants.ClientId)
+                        .WithCertificate(certB)
+                        .WithTenantId("123456-1234-2345-1234561234")
+                        .WithAzureRegion(ConfidentialClientApplication.AttemptRegionDiscovery)
+                        .WithHttpManager(httpManager)
+                        .BuildConcrete();
+
+                    // Set up mock handler with expected token endpoint URL
+                    httpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage(
+                        tokenType: "mtls_pop");
+
+                    // Second token acquisition - should also be from IDP because we have a new cert
+                    AuthenticationResult secondResult = await app.AcquireTokenForClient(TestConstants.s_scope)
+                        .WithMtlsProofOfPossession()
+                        .ExecuteAsync()
+                        .ConfigureAwait(false);
+
+                    Assert.AreEqual("header.payload.signature", secondResult.AccessToken);
+                    Assert.AreEqual(Constants.MtlsPoPAuthHeaderPrefix, secondResult.TokenType);
+                    Assert.AreEqual(TokenSource.IdentityProvider, secondResult.AuthenticationResultMetadata.TokenSource);
+                    Assert.AreEqual(expectedTokenEndpoint, result.AuthenticationResultMetadata.TokenEndpoint);
+                    Assert.AreEqual(certB.Thumbprint, secondResult.BindingCertificate.Thumbprint);
+                }
+            }
+        }
+
         [TestMethod]
         public async Task MtlsPop_KnownRegionAsync()
         {
