Add CAE claims support for FIC + Managed Identity (#3647)

gladjohn · web-flow · commit 697d10fe443b · 2025-12-15T10:02:04.000-08:00
* revoke

* Make MSI client assertion HttpClient injection test internal

* make it internal
diff --git a/src/Microsoft.Identity.Web.Certificateless/InternalAPI.Unshipped.txt b/src/Microsoft.Identity.Web.Certificateless/InternalAPI.Unshipped.txt
@@ -1 +1,5 @@
 #nullable enable
+Microsoft.Identity.Web.ManagedIdentityClientAssertion.ManagedIdentityClientAssertion(string? managedIdentityClientId, string? tokenExchangeUrl, Microsoft.Extensions.Logging.ILogger? logger, Microsoft.Identity.Client.IMsalHttpClientFactory? testHttpClientFactory) -> void
+Microsoft.Identity.Web.TestOnly.ManagedIdentityClientAssertionTestHook
+static Microsoft.Identity.Web.TestOnly.ManagedIdentityClientAssertionTestHook.HttpClientFactoryForTests.get -> Microsoft.Identity.Client.IMsalHttpClientFactory?
+static Microsoft.Identity.Web.TestOnly.ManagedIdentityClientAssertionTestHook.HttpClientFactoryForTests.set -> void
diff --git a/src/Microsoft.Identity.Web.Certificateless/ManagedIdentityClientAssertion.cs b/src/Microsoft.Identity.Web.Certificateless/ManagedIdentityClientAssertion.cs
@@ -9,6 +9,7 @@
 using Microsoft.Identity.Client.AppConfig;
 using Microsoft.Identity.Client.Extensibility;
 using Microsoft.Identity.Web.Certificateless;
+using Microsoft.Identity.Web.TestOnly;
 
 namespace Microsoft.Identity.Web
 {
@@ -17,7 +18,7 @@ namespace Microsoft.Identity.Web
     /// </summary>
     public class ManagedIdentityClientAssertion : ClientAssertionProviderBase
     {
-        IManagedIdentityApplication _managedIdentityApplication;
+        private IManagedIdentityApplication _managedIdentityApplication;
         private readonly string _tokenExchangeUrl;
         private readonly ILogger? _logger;
 
@@ -49,7 +50,33 @@ public ManagedIdentityClientAssertion(string? managedIdentityClientId, string? t
         /// <param name="tokenExchangeUrl">Optional audience of the token to be requested from Managed Identity. Default value is "api://AzureADTokenExchange". 
         /// This value is different on clouds other than Azure Public</param>
         /// <param name="logger">A logger</param>
-        public ManagedIdentityClientAssertion(string? managedIdentityClientId, string? tokenExchangeUrl, ILogger? logger)
+        public ManagedIdentityClientAssertion(
+            string? managedIdentityClientId,
+            string? tokenExchangeUrl,
+            ILogger? logger)
+            : this(
+                managedIdentityClientId,
+                tokenExchangeUrl,
+                logger,
+                ManagedIdentityClientAssertionTestHook.HttpClientFactoryForTests)
+        {
+        }
+
+
+        /// <summary>
+        /// Same as <see cref="ManagedIdentityClientAssertion(string?, string?, ILogger?)"/>,
+        /// but allows injecting a custom MSAL HttpClient factory (used by tests).
+        /// </summary>
+        /// <param name="managedIdentityClientId">Optional ClientId of the Managed Identity</param>
+        /// <param name="tokenExchangeUrl">Optional audience of the token to be requested from Managed Identity. Default value is "api://AzureADTokenExchange". 
+        /// This value is different on clouds other than Azure Public</param>
+        /// <param name="logger">A logger.</param>
+        /// <param name="testHttpClientFactory">Optional MSAL HttpClient factory.</param>
+        internal ManagedIdentityClientAssertion(
+            string? managedIdentityClientId,
+            string? tokenExchangeUrl,
+            ILogger? logger,
+            IMsalHttpClientFactory? testHttpClientFactory)
         {
             _tokenExchangeUrl = tokenExchangeUrl ?? CertificatelessConstants.DefaultTokenExchangeUrl;
             _logger = logger;
@@ -61,6 +88,12 @@ public ManagedIdentityClientAssertion(string? managedIdentityClientId, string? t
             }
 
             var builder = ManagedIdentityApplicationBuilder.Create(id);
+
+            if (testHttpClientFactory != null)
+            {
+                builder = builder.WithHttpClientFactory(testHttpClientFactory);
+            }
+
             if (_logger != null)
             {
                 builder = builder.WithLogging(Log, ConvertMicrosoftExtensionsLogLevelToMsal(_logger), enablePiiLogging: false);
@@ -76,10 +109,24 @@ public ManagedIdentityClientAssertion(string? managedIdentityClientId, string? t
         /// acquired with managed identity (certificateless).
         /// </summary>
         /// <returns>The signed assertion.</returns>
-        protected override async Task<ClientAssertion> GetClientAssertionAsync(AssertionRequestOptions? assertionRequestOptions)
+        protected override async Task<ClientAssertion> GetClientAssertionAsync(
+            AssertionRequestOptions? assertionRequestOptions)
         {
-            var result = await _managedIdentityApplication
-                .AcquireTokenForManagedIdentity(_tokenExchangeUrl)
+            // Start the MI token request for the token-exchange audience
+            var miBuilder = _managedIdentityApplication
+                .AcquireTokenForManagedIdentity(_tokenExchangeUrl);
+
+            if (assertionRequestOptions is not null)
+            {
+                // Propagate claims into the MI token request.
+                // This also forces MSAL to bypass the MI token cache when claims are present.
+                if (!string.IsNullOrEmpty(assertionRequestOptions.Claims))
+                {
+                    miBuilder.WithClaims(assertionRequestOptions.Claims);
+                }
+            }
+
+            var result = await miBuilder
                 .ExecuteAsync(assertionRequestOptions?.CancellationToken ?? CancellationToken.None)
                 .ConfigureAwait(false);
 
diff --git a/src/Microsoft.Identity.Web.Certificateless/ManagedIdentityClientAssertionTestHook.cs b/src/Microsoft.Identity.Web.Certificateless/ManagedIdentityClientAssertionTestHook.cs
@@ -0,0 +1,19 @@
+﻿// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Microsoft.Identity.Client;
+
+namespace Microsoft.Identity.Web.TestOnly
+{
+    /// <summary>
+    /// TEST-ONLY hook so unit tests can override the HttpClient factory used by
+    /// ManagedIdentityClientAssertion.
+    /// </summary>
+    internal static class ManagedIdentityClientAssertionTestHook
+    {
+        /// <summary>
+        /// Gets or sets the <see cref="IMsalHttpClientFactory"/> used by <c>ManagedIdentityClientAssertion</c> for unit testing purposes.
+        /// </summary>
+        internal static IMsalHttpClientFactory? HttpClientFactoryForTests { get; set; }
+    }
+}
diff --git a/src/Microsoft.Identity.Web/Resource/MicrosoftIdentityIssuerValidatorFactory.cs b/src/Microsoft.Identity.Web/Resource/MicrosoftIdentityIssuerValidatorFactory.cs
@@ -17,7 +17,7 @@ public class MicrosoftIdentityIssuerValidatorFactory
         /// Initializes a new instance of the <see cref="MicrosoftIdentityIssuerValidatorFactory"/> class.
         /// </summary>
         /// <param name="aadIssuerValidatorOptions">Options passed-in to create the AadIssuerValidator object.</param>
-        /// <param name="httpClientFactory">HttpClientFactory.</param>
+        /// <param name="httpClientFactory">HttpClientFactoryForTests.</param>
         public MicrosoftIdentityIssuerValidatorFactory(
             IOptions<AadIssuerValidatorOptions> aadIssuerValidatorOptions,
             IHttpClientFactory httpClientFactory)
diff --git a/tests/Microsoft.Identity.Web.Test/FederatedIdentityCaeTests.cs b/tests/Microsoft.Identity.Web.Test/FederatedIdentityCaeTests.cs
