FIC+OIDC credential provider (#3255)

* Proto for FIC+OIDC

* Attempt to avoid blocking on WaitAsync()

* Use credential ID to key CCA objects

* Add credential ID to the key of the CCA dictionary

* Update to use semaphores

* Update test to use separate app + TokenAcquisition to not use semaphores

* Update test config with x-cloud setup

* Finalize tests

* Propose a fix for:
 - `GetValue(key, out IConfidentialClientApplication? application) && application != null)` was not right because if `TryGetValue` returns `false`, application will necessarilly be **null**. So the condition `!TryGetValue(...) && application != null` can never be true.
- which implies that we'll have a race condition: `BuildConfidentialClientApplicationAsync to be executed multiple times concurrently for the same key. The pattern used here:`

The propsed code with a semaphore per key released on all cases should prevents multiple concurrent builds while still allowing concurrent access to different applications.

* Productize OIDC FIC
Moves the xcloud fix code to a new assembly
Fixes #3243 (Certr otation test bug due to SFI)
Adds a TestOnly namespace to reset the TokenAcquirerFactory

* Add back unit test

* Update src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs

Co-authored-by: Jean-Marc Prieur <jmprieur@microsoft.com>

* More test fixes

* Ignore integration test on GH build

* Proto for FIC+OIDC

* Attempt to avoid blocking on WaitAsync()

* Use credential ID to key CCA objects

* Add credential ID to the key of the CCA dictionary

* Update to use semaphores

* Update test to use separate app + TokenAcquisition to not use semaphores

* Update test config with x-cloud setup

* Finalize tests

* Propose a fix for:
 - `GetValue(key, out IConfidentialClientApplication? application) && application != null)` was not right because if `TryGetValue` returns `false`, application will necessarilly be **null**. So the condition `!TryGetValue(...) && application != null` can never be true.
- which implies that we'll have a race condition: `BuildConfidentialClientApplicationAsync to be executed multiple times concurrently for the same key. The pattern used here:`

The propsed code with a semaphore per key released on all cases should prevents multiple concurrent builds while still allowing concurrent access to different applications.

* Productize OIDC FIC
Moves the xcloud fix code to a new assembly
Fixes #3243 (Certr otation test bug due to SFI)
Adds a TestOnly namespace to reset the TokenAcquirerFactory

* Add back unit test

* Update src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs

Co-authored-by: Jean-Marc Prieur <jmprieur@microsoft.com>

* More test fixes

* Ignore integration test on GH build

* Fix test common project not running on GH action

* Try another fix for GH test build

---------

Co-authored-by: Bogdan Gavril <bogavril@microsoft.com>

Author: jmprieur

Microsoft.Identity.Web.sln

@@ -158,6 +158,10 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "BlazorApp", "tests\DevApps\
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "blazor", "blazor", "{02EA681E-C7D8-13C7-8484-4AC65E1B71E8}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "OidcIdpSignedAssertionProviderTests", "tests\E2E Tests\OidcIdPSignedAssertionProviderTests\OidcIdpSignedAssertionProviderTests.csproj", "{E927D215-A96C-626C-9A1A-CF99876FE7B4}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.Identity.Web.OidcFIC", "src\Microsoft.Identity.Web.OidcFIC\Microsoft.Identity.Web.OidcFIC.csproj", "{8DA7A2C6-00D4-4CF1-8145-448D7B7B4E5A}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -369,6 +373,14 @@ Global
 		{4D67BE6A-79CD-42E7-8748-C909FCC394DF}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{4D67BE6A-79CD-42E7-8748-C909FCC394DF}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{4D67BE6A-79CD-42E7-8748-C909FCC394DF}.Release|Any CPU.Build.0 = Release|Any CPU
+		{E927D215-A96C-626C-9A1A-CF99876FE7B4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{E927D215-A96C-626C-9A1A-CF99876FE7B4}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{E927D215-A96C-626C-9A1A-CF99876FE7B4}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{E927D215-A96C-626C-9A1A-CF99876FE7B4}.Release|Any CPU.Build.0 = Release|Any CPU
+		{8DA7A2C6-00D4-4CF1-8145-448D7B7B4E5A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{8DA7A2C6-00D4-4CF1-8145-448D7B7B4E5A}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{8DA7A2C6-00D4-4CF1-8145-448D7B7B4E5A}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{8DA7A2C6-00D4-4CF1-8145-448D7B7B4E5A}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -440,6 +452,8 @@ Global
 		{A390650C-BCE1-4CB3-8C97-9EF9CFF5B7C5} = {45B20A78-91F8-4DD2-B9AD-F12D3A93536C}
 		{4D67BE6A-79CD-42E7-8748-C909FCC394DF} = {02EA681E-C7D8-13C7-8484-4AC65E1B71E8}
 		{02EA681E-C7D8-13C7-8484-4AC65E1B71E8} = {7786D2DD-9EE4-42E1-B587-740A2E15C41D}
+		{E927D215-A96C-626C-9A1A-CF99876FE7B4} = {45B20A78-91F8-4DD2-B9AD-F12D3A93536C}
+		{8DA7A2C6-00D4-4CF1-8145-448D7B7B4E5A} = {1DDE1AAC-5AE6-4725-94B6-A26C58D3423F}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {104367F1-CE75-4F40-B32F-F14853973187}

src/Microsoft.Identity.Web.OidcFIC/Microsoft.Identity.Web.OidcFIC.csproj

@@ -0,0 +1,32 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+
+    <Title>Microsoft Identity Web Token Cross Cloud Federation Identity Credential (FIC) support</Title>
+    <Product>Microsoft Identity Web Cross Cloud FIC</Product>
+    <Description>Implementation for a Cloud Federation Identity Credential (FIC) credential provider.</Description>
+    <ProjectGuid>{8DA7A2C6-00D4-4CF1-8145-448D7B7B4E5A}</ProjectGuid>
+    <PackageReadmeFile>README.md</PackageReadmeFile>
+
+    <!-- Until it releases-->
+    <EnablePackageValidation>false</EnablePackageValidation>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <None Include="..\..\README.md">
+      <Pack>True</Pack>
+      <PackagePath>\</PackagePath>
+    </None>
+  </ItemGroup>
+  
+  <ItemGroup>
+    <ProjectReference Include="..\Microsoft.Identity.Web.TokenAcquisition\Microsoft.Identity.Web.TokenAcquisition.csproj" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <AdditionalFiles Include="PublicAPI/$(TargetFramework)/PublicAPI.Shipped.txt" />
+    <AdditionalFiles Include="PublicAPI/$(TargetFramework)/PublicAPI.Unshipped.txt" />
+    <AdditionalFiles Include="PublicAPI/$(TargetFramework)/InternalAPI.Shipped.txt" />
+    <AdditionalFiles Include="PublicAPI/$(TargetFramework)/InternalAPI.Unshipped.txt" />
+  </ItemGroup>
+  
+</Project>

src/Microsoft.Identity.Web.OidcFIC/OidcFicSignedAssertionProviderExtensions.cs

@@ -0,0 +1,26 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Microsoft.Identity.Abstractions;
+using Microsoft.Identity.Web.OidcFic;
+
+namespace Microsoft.Extensions.DependencyInjection
+{
+    /// <summary>
+    /// Extension class to add OIDC FIC signed assertion provider to the service collection
+    ///
+    /// </summary>
+    public static class OidcFicSignedAssertionProviderExtensions
+    {
+        /// <summary>
+        /// Adds OIDC FIC signed assertion provider to the service collection
+        /// </summary>
+        /// <param name="services">service collection</param>
+        /// <returns>the service collection for chaining.</returns>
+        public static IServiceCollection AddOidcFic(this IServiceCollection services)
+        {
+            services.AddSingleton<ICustomSignedAssertionProvider, OidcIdpSignedAssertionLoader>();
+            return services;
+        }
+    }
+}

src/Microsoft.Identity.Web.OidcFIC/OidcIdpSignedAssertionLoader.cs

@@ -0,0 +1,87 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Microsoft.Identity.Abstractions;
+
+namespace Microsoft.Identity.Web.OidcFic
+{
+    internal class OidcIdpSignedAssertionLoader : ICustomSignedAssertionProvider
+    {
+        private readonly ILogger<OidcIdpSignedAssertionLoader> _logger;
+        private readonly IOptionsMonitor<MicrosoftIdentityApplicationOptions> _options;
+        private readonly IConfiguration _configuration;
+        private readonly ITokenAcquirerFactory _tokenAcquirerFactory;
+
+        public OidcIdpSignedAssertionLoader(ILogger<OidcIdpSignedAssertionLoader> logger,
+            IOptionsMonitor<MicrosoftIdentityApplicationOptions> options,
+            IConfiguration configuration,
+            ITokenAcquirerFactory tokenAcquirerFactory)
+        {
+            _logger = logger;
+            _options = options;
+            _configuration = configuration;
+            _tokenAcquirerFactory = tokenAcquirerFactory;
+        }
+
+        public CredentialSource CredentialSource => CredentialSource.CustomSignedAssertion;
+
+        public string Name => "OidcIdpSignedAssertion";
+
+
+        public async Task LoadIfNeededAsync(CredentialDescription credentialDescription, CredentialSourceLoaderParameters? parameters = null)
+        {
+            OidcIdpSignedAssertionProvider? signedAssertion = credentialDescription.CachedValue as OidcIdpSignedAssertionProvider;
+            if (credentialDescription.CachedValue == null)
+            {
+                if (credentialDescription.CustomSignedAssertionProviderData == null)
+                {
+                    if (_logger != null)
+                    {
+                        _logger.LogError(42, "CustomSignedAssertionProviderData is null");
+                    }
+                    throw new InvalidOperationException("CustomSignedAssertionProviderData is null");
+                }
+
+                string? sectionName = credentialDescription.CustomSignedAssertionProviderData["ConfigurationSection"] as string;
+                if (sectionName == null)
+                {
+                    if (_logger != null)
+                    {
+                        _logger.LogError(42, "ConfigurationSection is null");
+                    }
+                    throw new InvalidOperationException("ConfigurationSection is null");
+                }
+
+                MicrosoftIdentityApplicationOptions microsoftIdentityApplicationOptions = _options.Get(sectionName);
+                
+                if (string.IsNullOrEmpty(microsoftIdentityApplicationOptions.Instance) && microsoftIdentityApplicationOptions.Authority == "//v2.0")
+                {
+                    _configuration.GetSection(sectionName).Bind(microsoftIdentityApplicationOptions);
+                }
+
+                signedAssertion = new OidcIdpSignedAssertionProvider(_tokenAcquirerFactory, microsoftIdentityApplicationOptions, credentialDescription.TokenExchangeUrl);
+            }
+
+            try
+            {
+                // Try to get a signed assertion, and if it fails, move to the next credentials
+                _ = await signedAssertion!.GetSignedAssertionAsync(null);
+                credentialDescription.CachedValue = signedAssertion;
+            }
+            catch (Exception ex)
+            {
+                if (_logger != null)
+                {
+                    _logger.LogError(42, "Failed to get signed assertion from {ProviderName}. exception occurred: {Message}. Setting skip to true.", credentialDescription.CustomSignedAssertionProviderName, ex.Message);
+                }
+                credentialDescription.Skip = true;
+                throw;
+            }
+        }
+    }
+}

src/Microsoft.Identity.Web.OidcFIC/OidcIdpSignedAssertionProvider.cs

@@ -0,0 +1,47 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Identity.Abstractions;
+using Microsoft.Identity.Client;
+using Microsoft.Identity.Web;
+
+namespace Microsoft.Identity.Web.OidcFic
+{
+    internal class OidcIdpSignedAssertionProvider : ClientAssertionProviderBase
+    {
+        private ITokenAcquirer? _tokenAcquirer = null;
+        private readonly ITokenAcquirerFactory _tokenAcquirerFactory;
+        private readonly MicrosoftIdentityApplicationOptions _options;
+        private readonly string? _tokenExchangeUrl;
+
+        public OidcIdpSignedAssertionProvider(ITokenAcquirerFactory tokenAcquirerFactory, MicrosoftIdentityApplicationOptions options, string? tokenExchangeUrl)
+        {
+            _tokenAcquirerFactory = tokenAcquirerFactory;
+            _options = options;
+            _tokenExchangeUrl = tokenExchangeUrl;
+        }
+
+        protected override async Task<ClientAssertion> GetClientAssertionAsync(AssertionRequestOptions? assertionRequestOptions)
+        {
+            _tokenAcquirer ??= _tokenAcquirerFactory.GetTokenAcquirer(_options);
+
+            string tokenExchangeUrl = _tokenExchangeUrl ?? "api://AzureADTokenExchange";
+
+            AcquireTokenResult result = await _tokenAcquirer.GetTokenForAppAsync(tokenExchangeUrl + "/.default");
+            ClientAssertion clientAssertion;
+            if (result != null)
+            {
+                clientAssertion = new ClientAssertion(result.AccessToken!, result.ExpiresOn);
+            }
+            else
+            {
+                clientAssertion = null!;
+            }
+            return clientAssertion;
+        }
+    }
+}

src/Microsoft.Identity.Web.OidcFIC/PublicAPI/net462/InternalAPI.Shipped.txt

@@ -0,0 +1 @@
+#nullable enable

src/Microsoft.Identity.Web.OidcFIC/PublicAPI/net462/InternalAPI.Unshipped.txt

@@ -0,0 +1,9 @@
+#nullable enable
+Microsoft.Identity.Web.OidcFic.OidcIdpSignedAssertionLoader
+Microsoft.Identity.Web.OidcFic.OidcIdpSignedAssertionLoader.CredentialSource.get -> Microsoft.Identity.Abstractions.CredentialSource
+Microsoft.Identity.Web.OidcFic.OidcIdpSignedAssertionLoader.LoadIfNeededAsync(Microsoft.Identity.Abstractions.CredentialDescription! credentialDescription, Microsoft.Identity.Abstractions.CredentialSourceLoaderParameters? parameters = null) -> System.Threading.Tasks.Task!
+Microsoft.Identity.Web.OidcFic.OidcIdpSignedAssertionLoader.Name.get -> string!
+Microsoft.Identity.Web.OidcFic.OidcIdpSignedAssertionLoader.OidcIdpSignedAssertionLoader(Microsoft.Extensions.Logging.ILogger<Microsoft.Identity.Web.OidcFic.OidcIdpSignedAssertionLoader!>! logger, Microsoft.Extensions.Options.IOptionsMonitor<Microsoft.Identity.Abstractions.MicrosoftIdentityApplicationOptions!>! options, Microsoft.Extensions.Configuration.IConfiguration! configuration, Microsoft.Identity.Abstractions.ITokenAcquirerFactory! tokenAcquirerFactory) -> void
+Microsoft.Identity.Web.OidcFic.OidcIdpSignedAssertionProvider
+Microsoft.Identity.Web.OidcFic.OidcIdpSignedAssertionProvider.OidcIdpSignedAssertionProvider(Microsoft.Identity.Abstractions.ITokenAcquirerFactory! tokenAcquirerFactory, Microsoft.Identity.Abstractions.MicrosoftIdentityApplicationOptions! options, string? tokenExchangeUrl) -> void
+override Microsoft.Identity.Web.OidcFic.OidcIdpSignedAssertionProvider.GetClientAssertionAsync(Microsoft.Identity.Client.AssertionRequestOptions? assertionRequestOptions) -> System.Threading.Tasks.Task<Microsoft.Identity.Web.ClientAssertion!>!

src/Microsoft.Identity.Web.OidcFIC/PublicAPI/net462/PublicAPI.Shipped.txt

@@ -0,0 +1 @@
+#nullable enable

src/Microsoft.Identity.Web.OidcFIC/PublicAPI/net462/PublicAPI.Unshipped.txt

@@ -0,0 +1,3 @@
+#nullable enable
+Microsoft.Extensions.DependencyInjection.OidcFicSignedAssertionProviderExtensions
+static Microsoft.Extensions.DependencyInjection.OidcFicSignedAssertionProviderExtensions.AddOidcFic(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!

src/Microsoft.Identity.Web.OidcFIC/PublicAPI/net472/InternalAPI.Shipped.txt

@@ -0,0 +1 @@
+#nullable enable