AzureAD · cpp11nullptr · Dec 10, 2025 · Dec 9, 2025 · Dec 10, 2025 · Dec 10, 2025
@@ -185,8 +185,8 @@ namespace TokenAcquisition {
     }
 
         class IAuthorizationHeaderProvider { <<interface>> }
-        class IAuthorizationHeaderProvider2 { <<interface>> }
         class IAuthorizationHeaderProvider_TResult_ { <<interface>> }
+        class IBoundAuthorizationHeaderProvider { <<interface>> }
         class IDownstreamApi { <<interface>>
                +CallApiAsync(...)
                +CallApiForUserAsync(...)
@@ -423,8 +423,8 @@ It's also possible (and recommended) to use higher level APIs:
 - IAuthorizationHeaderProvider is the component that provides the authorization header, delegating to the ITokenAcquirer.
   Whereas ITokenAcquirer only knows about tokens, IAuthorizationHeaderProvider knows about protocols (for instance bearer,
   Pop, etc ...)
-- IAuthorizationHeaderProvider2 extends IAuthorizationHeaderProvider to provide authorization headers along with
-  bound certificate information, useful for scenarios requiring certificate binding details.
+- IBoundAuthorizationHeaderProvider returns authorization headers along with bound certificate information, useful for
+  scenarios requiring certificate binding details.
 
  ```mermaid
  classDiagram
@@ -461,10 +461,8 @@ It's also possible (and recommended) to use higher level APIs:
     +Task&lt;string&gt; CreateAuthorizationHeaderForAppAsync(string scopes, AuthorizationHeaderProviderOptions downstreamApiOptions, CancellationToken cancellationToken)
     +Task&lt;string&gt; CreateAuthorizationHeaderAsync(IEnumerable&lt;string&gt; scopes, AuthorizationHeaderProviderOptions options, ClaimsPrincipal claimsPrincipal, CancellationToken cancellationToken)
     }
-    class IAuthorizationHeaderProvider2 { <<interface>>
-    +Task&lt;AuthorizationHeaderInformation&gt; CreateAuthorizationHeaderBoundForUserAsync(IEnumerable&lt;string&gt; scopes, AuthorizationHeaderProviderOptions authorizationHeaderProviderOptions, ClaimsPrincipal claimsPrincipal, CancellationToken cancellationToken)
-    +Task&lt;AuthorizationHeaderInformation&gt; CreateAuthorizationHeaderBoundForAppAsync(string scopes, AuthorizationHeaderProviderOptions downstreamApiOptions, CancellationToken cancellationToken)
-    +Task&lt;AuthorizationHeaderInformation&gt; CreateAuthorizationHeaderBoundAsync(IEnumerable&lt;string&gt; scopes, AuthorizationHeaderProviderOptions options, ClaimsPrincipal claimsPrincipal, CancellationToken cancellationToken)
+    class IBoundAuthorizationHeaderProvider { <<interface>>
+    +Task&lt;OperationResult&lt;AuthorizationHeaderInformation, AuthorizationHeaderError&gt;&gt; CreateBoundAuthorizationHeaderAsync(DownstreamApiOptions downstreamApiOptions, ClaimsPrincipal claimsPrincipal, CancellationToken cancellationToken)
     }
     class IDownstreamApi { <<interface>>
     +Task&lt;HttpResponseMessage&gt; CallApiAsync(DownstreamApiOptions downstreamApiOptions, ClaimsPrincipal user, HttpContent content, CancellationToken cancellationToken)

@@ -169,7 +169,7 @@ Through its well-designed abstractions and interfaces, Microsoft.Identity.Abstra
 - ITokenAcquirer - Core interface for token acquisition
 - ITokenAcquirerFactory - Factory of Token acquirers
 - IAuthorizationHeaderProvider - creates authorization headers (getting tokens and building the protocol string)
-- IAuthorizationHeaderProvider2 - extends IAuthorizationHeaderProvider to provide authorization headers with bound certificate information
+- IBoundAuthorizationHeaderProvider - creates authorization headers with token, which is optionally bound to a certififcate
 - IDownstreamApi - call downstream APIs in an authenticated way.
 
 ### Development Guidelines

@@ -0,0 +1,31 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Security.Claims;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace Microsoft.Identity.Abstractions
+{
+    /// <summary>
+    /// Creates an authorization header value that the caller can use to access a protected web API, which supports either unbound or
+    /// bound to a certificate (for example, in an mTLS PoP scenario) tokens.
+    /// </summary>
+    public interface IBoundAuthorizationHeaderProvider
+    {
+         /// <summary>
+        /// Creates the authorization header used to call a protected web API with either unbound or bound to certificate tokens.
+        /// </summary>
+        /// <param name="downstreamApiOptions">Information about the API that will be called and token acquisition options.</param>
+        /// <param name="claimsPrincipal">Inbound authentication elements. In a web API, this is usually the result of the
+        /// validation of a token. In a web app, this would be information about the signed-in user. This is not useful in
+        /// daemon applications. In Microsoft.Identity.Web you rarely need to provide this parameter as it's inferred from the
+        /// context.</param>
+        /// <param name="cancellationToken">Cancellation token.</param>
+        /// <returns>A result which contains authorization token with optional bound certificate</returns>
+        Task<OperationResult<AuthorizationHeaderInformation, AuthorizationHeaderError>> CreateBoundAuthorizationHeaderAsync(
+            DownstreamApiOptions downstreamApiOptions,
+            ClaimsPrincipal? claimsPrincipal = null,
+            CancellationToken cancellationToken = default);
+    }
+}
@@ -1,2 +1,3 @@
 #nullable enable
-Microsoft.Identity.Abstractions.IAuthorizationHeaderProvider2
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider.CreateBoundAuthorizationHeaderAsync(Microsoft.Identity.Abstractions.DownstreamApiOptions! downstreamApiOptions, System.Security.Claims.ClaimsPrincipal? claimsPrincipal = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<Microsoft.Identity.Abstractions.OperationResult<Microsoft.Identity.Abstractions.AuthorizationHeaderInformation!, Microsoft.Identity.Abstractions.AuthorizationHeaderError!>>!
@@ -1,2 +1,3 @@
 #nullable enable
-Microsoft.Identity.Abstractions.IAuthorizationHeaderProvider2
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider.CreateBoundAuthorizationHeaderAsync(Microsoft.Identity.Abstractions.DownstreamApiOptions! downstreamApiOptions, System.Security.Claims.ClaimsPrincipal? claimsPrincipal = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<Microsoft.Identity.Abstractions.OperationResult<Microsoft.Identity.Abstractions.AuthorizationHeaderInformation!, Microsoft.Identity.Abstractions.AuthorizationHeaderError!>>!
@@ -1,2 +1,3 @@
 #nullable enable
-Microsoft.Identity.Abstractions.IAuthorizationHeaderProvider2
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider.CreateBoundAuthorizationHeaderAsync(Microsoft.Identity.Abstractions.DownstreamApiOptions! downstreamApiOptions, System.Security.Claims.ClaimsPrincipal? claimsPrincipal = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<Microsoft.Identity.Abstractions.OperationResult<Microsoft.Identity.Abstractions.AuthorizationHeaderInformation!, Microsoft.Identity.Abstractions.AuthorizationHeaderError!>>!
@@ -1,2 +1,3 @@
 #nullable enable
-Microsoft.Identity.Abstractions.IAuthorizationHeaderProvider2
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider.CreateBoundAuthorizationHeaderAsync(Microsoft.Identity.Abstractions.DownstreamApiOptions! downstreamApiOptions, System.Security.Claims.ClaimsPrincipal? claimsPrincipal = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<Microsoft.Identity.Abstractions.OperationResult<Microsoft.Identity.Abstractions.AuthorizationHeaderInformation!, Microsoft.Identity.Abstractions.AuthorizationHeaderError!>>!
@@ -1,2 +1,3 @@
 #nullable enable
-Microsoft.Identity.Abstractions.IAuthorizationHeaderProvider2
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider.CreateBoundAuthorizationHeaderAsync(Microsoft.Identity.Abstractions.DownstreamApiOptions! downstreamApiOptions, System.Security.Claims.ClaimsPrincipal? claimsPrincipal = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<Microsoft.Identity.Abstractions.OperationResult<Microsoft.Identity.Abstractions.AuthorizationHeaderInformation!, Microsoft.Identity.Abstractions.AuthorizationHeaderError!>>!
@@ -1,2 +1,3 @@
 #nullable enable
-Microsoft.Identity.Abstractions.IAuthorizationHeaderProvider2
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider
+Microsoft.Identity.Abstractions.IBoundAuthorizationHeaderProvider.CreateBoundAuthorizationHeaderAsync(Microsoft.Identity.Abstractions.DownstreamApiOptions! downstreamApiOptions, System.Security.Claims.ClaimsPrincipal? claimsPrincipal = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<Microsoft.Identity.Abstractions.OperationResult<Microsoft.Identity.Abstractions.AuthorizationHeaderInformation!, Microsoft.Identity.Abstractions.AuthorizationHeaderError!>>!
@@ -16,7 +16,7 @@ TokenAcquisition
 DownstreamApis
 - AuthorizationHeaderProviderOptions
 - IAuthorizationHeaderProvider
-- IAuthorizationHeaderProvider2
+- IBoundAuthorizationHeaderProvider
 - IDownstreamApi
 - DownstreamApiOptions
 - DownstreamApiOptionsReadOnlyHttpMethod