[Feature Request] Add 3 new extensibility APIs #5568

@bgavrilMS

MSAL client type

Confidential

Problem statement

ConfidentialClientApplicationBuilder.WithCertificate(IAppConfig => X509Certificate)
This would provide a callback to obtain the certificate based on clientid and authority/tenantId. This function would need to be evaluated each time before ExecuteAsync is called.

ConfidentialClientApplicationBuilder.WithRetry((IAppConfig, MsalException) => bool)
This would be a retry policy for ExecuteAsync. On failure to obtain a token, a bool is returned saying whether retry should be attempted. If false, exception is rethrown. If true, then a try will be done. This will be repeated until the function returns false.

ConfidentialClientApplicationBuilder.WithObserver((IAppConfig, OneOf<AuthenticationResult, MsalException>) => void)
Callback for the result of ExecuteAsync. Would return either the AuthenticationResult, or the exception. Could also be WithOnSuccessCallback(IAppConfig), we don't need the failure or even the AuthenticationResult object.

Usage

    public static ConfidentialClientApplicationBuilder WithManagedCertificate(
        this ConfidentialClientApplicationBuilder builder,
        ICertificateSelectionService selection)
    {
        // Obtains an IManagedCertificate instance via the info in AppConfig
        IManagedCertificate GetCert(IAppConfig appConfig) =>
            selection.GetCertificateByFmiId(new GetByFmiIdOptions(appConfig.ClientId, appConfig.TenantId));

        return builder

            // Sets the certificate to use for client credential flows.
            .WithCertificate(appConfig => GetCert(appConfig).ActiveCertificate)

            // MarkFailure sends telemetry about the failure and returns a bool if the ActiveCertificate has changed.
            // appConfig.ClientCredentialCertificate must be set correctly as MarkFailure uses it for telemetry.
            .WithRetry((appConfig, ex) => GetCert(appConfig).MarkFailure(appConfig.ClientCredentialCertificate, ex))

            // MarkSuccess sends telemetry about the success.
            // We do not need to send telemetry about failures as WithRetry handles that.
            .WithObserver((appConfig, res) =>
            {
                if (res.Successful)
                    GetCert(appConfig).MarkSuccess(appConfig.ClientCredentialCertificate);
            });
    }

Proposed solution

No response

Alternatives

No response
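
The control flow the three proposed callbacks imply, as an added stand-alone model; it is not MSAL code and not part of the original issue. Every type and member name is hypothetical, certificates are stood in for by constructed strings, the MaxAttempts cap is an assumption that bounds the "repeat until false" loop against the token endpoint, and calling the observer once with the final outcome is also an assumption.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Threading.Tasks;

// Hypothetical stand-in for the IAppConfig values the callbacks receive.
public sealed record AppConfig(string ClientId, string TenantId);

// Models WithCertificate / WithRetry / WithObserver as plain delegates.
public sealed record TokenRequestModel(
    Func<AppConfig, string> CertProvider,
    Func<AppConfig, Exception, bool> ShouldRetry,
    Action<AppConfig, string?, Exception?> Observer,
    int MaxAttempts) // assumption: hard cap, not in the proposal
{
    public async Task<string> ExecuteAsync(AppConfig cfg, Func<string, Task<string>> acquire)
    {
        for (int attempt = 1; ; attempt++)
        {
            string cert = CertProvider(cfg); // re-evaluated before every attempt
            try
            {
                string token = await acquire(cert);
                Observer(cfg, token, null);
                return token;
            }
            catch (Exception ex)
            {
                // Stop when the cap is hit or the policy declines; otherwise loop again.
                if (attempt >= MaxAttempts || !ShouldRetry(cfg, ex))
                {
                    Observer(cfg, null, ex);
                    throw;
                }
            }
        }
    }
}

public static class Demo
{
    public static async Task Main()
    {
        var cfg = new AppConfig("constructed-client-id", "constructed-tenant-id");
        var certs = new Queue<string>(new[] { "expired-cert", "current-cert" }); // constructed
        var model = new TokenRequestModel(
            _ => certs.Peek(),
            (_, ex) => { certs.Dequeue(); return certs.Count > 0; }, // rotate; retry only if another cert remains
            (_, token, ex) => Console.WriteLine(token ?? $"failed: {ex!.Message}"),
            MaxAttempts: 3);
        await model.ExecuteAsync(cfg, cert => cert == "current-cert"
            ? Task.FromResult("token-for-" + cfg.ClientId)
            : Task.FromException<string>(new InvalidOperationException("certificate rejected")));
    }
}
```

The first attempt fails with the stale certificate, the retry callback rotates to the next one, and the second attempt succeeds because the certificate callback is consulted again rather than cached.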
