Context
PR #3839 added token-binding (mTLS PoP) support to ManagedIdentityClientAssertion
via two new public virtuals on ClientAssertionProviderBase:
virtual bool SupportsTokenBinding => false;
virtual Task<ClientSignedAssertion?> GetSignedAssertionWithBindingAsync(...)
OidcIdpSignedAssertionProvider (in Microsoft.Identity.Web.OidcFIC) inherits
the defaults, so it currently produces bearer-only JWT assertions. Per @bgavrilMS's
PR review, OIDC FIC should also support binding.
This issue tracks that follow-up work, split out of #3839 to keep the MSI scope
landable.
Problem statement
OidcIdpSignedAssertionProvider.GetClientAssertionAsync calls
_tokenAcquirer.GetTokenForAppAsync(...) against an external OIDC IdP and returns
the resulting JWT. To produce a ClientSignedAssertion with a non-null
TokenBindingCertificate, we need a binding cert paired with the OIDC-issued
assertion — but the external OIDC IdP cannot itself issue that cert.
Open design question
Where does the binding certificate come from when the assertion is OIDC-issued?
Three options to evaluate:
- Paired credential — declarative config lists an OIDC FIC credential
alongside a cert/KeyGuard credential; provider stitches the two together.
- OidcFIC-owned cert source — provider owns a key (KeyGuard / cert store /
ephemeral) and produces the cert internally.
- New abstraction — IBindingCertificateSource injectable into the
provider, decoupling assertion source from cert source.
@bgavrilMS — would appreciate your steer on the preferred shape before we cut
code.
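To make the third option concrete, here is a sketch of an injectable IBindingCertificateSource wired into the OIDC provider. This is an added illustration, not code from Microsoft.Identity.Web or from PR #3839. The ClientAssertionProviderBase, ClientSignedAssertion and token-acquirer shapes are stand-ins assumed for the sketch (the real parameter lists are elided above), and the ephemeral self-signed source is one possible OidcFIC-owned flavour, not a decision the project has made.

```csharp
// Added sketch; stand-in types approximate the shapes named in the issue so
// the file compiles on its own. None of this is Microsoft.Identity.Web code.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;

// Stand-in for ClientSignedAssertion (assumed: assertion, expiry, optional binding cert).
public sealed record ClientSignedAssertion(
    string SignedAssertion, DateTimeOffset ExpiresOn, X509Certificate2? TokenBindingCertificate);

// Stand-in for ClientAssertionProviderBase; the two virtuals mirror what #3839 added.
public abstract class ClientAssertionProviderBase
{
    public virtual bool SupportsTokenBinding => false;
    public abstract Task<string> GetClientAssertionAsync(CancellationToken ct);
    public virtual Task<ClientSignedAssertion?> GetSignedAssertionWithBindingAsync(CancellationToken ct)
        => Task.FromResult<ClientSignedAssertion?>(null);
}

// Option 3: the binding cert comes from an injected source, so the OIDC
// assertion source never needs to know whether the key is KeyGuard, a store, or ephemeral.
public interface IBindingCertificateSource
{
    Task<X509Certificate2> GetBindingCertificateAsync(CancellationToken ct);
}

// Hypothetical ephemeral source: a self-signed cert whose private key stays in-process.
public sealed class EphemeralBindingCertificateSource : IBindingCertificateSource
{
    private readonly Lazy<X509Certificate2> _cert = new(CreateSelfSigned);

    public Task<X509Certificate2> GetBindingCertificateAsync(CancellationToken ct)
        => Task.FromResult(_cert.Value);

    private static X509Certificate2 CreateSelfSigned()
    {
        using var key = RSA.Create(2048);
        var req = new CertificateRequest(
            "CN=oidc-fic-binding", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(
            new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));
        var now = DateTimeOffset.UtcNow;
        // Short-lived on purpose: the cert only has to outlive the assertion it is bound to.
        return req.CreateSelfSigned(now.AddMinutes(-5), now.AddHours(24));
    }
}

// Stand-in for the token acquirer the real provider calls (_tokenAcquirer.GetTokenForAppAsync).
public delegate Task<(string Jwt, DateTimeOffset ExpiresOn)> OidcAssertionFetcher(CancellationToken ct);

public sealed class OidcIdpSignedAssertionProvider : ClientAssertionProviderBase
{
    private readonly OidcAssertionFetcher _fetchAssertion;
    private readonly IBindingCertificateSource? _certSource;

    public OidcIdpSignedAssertionProvider(
        OidcAssertionFetcher fetchAssertion, IBindingCertificateSource? certSource = null)
    {
        _fetchAssertion = fetchAssertion;
        _certSource = certSource;
    }

    // Advertise binding only when a cert source was actually injected; otherwise stay bearer-only.
    public override bool SupportsTokenBinding => _certSource is not null;

    public override async Task<string> GetClientAssertionAsync(CancellationToken ct)
        => (await _fetchAssertion(ct).ConfigureAwait(false)).Jwt;

    public override async Task<ClientSignedAssertion?> GetSignedAssertionWithBindingAsync(CancellationToken ct)
    {
        if (_certSource is null)
        {
            return null; // caller falls back to the bearer path
        }
        var cert = await _certSource.GetBindingCertificateAsync(ct).ConfigureAwait(false);
        if (!cert.HasPrivateKey)
        {
            // mTLS PoP needs the private key at the TLS layer; a public-only cert is a misconfiguration.
            throw new InvalidOperationException("Binding certificate must carry its private key.");
        }
        var (jwt, expiresOn) = await _fetchAssertion(ct).ConfigureAwait(false);
        return new ClientSignedAssertion(jwt, expiresOn, cert);
    }
}

public static class Demo
{
    public static async Task Main()
    {
        // Constructed sample standing in for the JWT an external OIDC IdP would return.
        OidcAssertionFetcher fake = _ => Task.FromResult(
            ("eyJhbGciOiJSUzI1NiJ9.constructed-sample.sig", DateTimeOffset.UtcNow.AddMinutes(10)));
        var provider = new OidcIdpSignedAssertionProvider(fake, new EphemeralBindingCertificateSource());
        Console.WriteLine($"SupportsTokenBinding = {provider.SupportsTokenBinding}");
        var bound = await provider.GetSignedAssertionWithBindingAsync(CancellationToken.None);
        Console.WriteLine($"Binding cert thumbprint = {bound!.TokenBindingCertificate!.Thumbprint}");
    }
}
```

Swapping in a KeyGuard or cert-store implementation behind the same interface leaves the provider untouched, which is the decoupling the third option buys. One caveat on the ephemeral flavour: on Windows, a cert returned by CreateSelfSigned holds an ephemeral key that SChannel will not use for client TLS until the cert is round-tripped through a PFX export and re-import; that is a .NET platform quirk, not a property of the design.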
Acceptance criteria
- OidcIdpSignedAssertionProvider overrides SupportsTokenBinding and
GetSignedAssertionWithBindingAsync.
- ClientSignedAssertion.TokenBindingCertificate is non-null and usable by
MSAL's WithMtlsProofOfPossession().
- ... assertion/cert mismatch.
References
- SupportsTokenBinding extension point (PR #3839)
- src/Microsoft.Identity.Web.OidcFIC/OidcIdpSignedAssertionProvider.cs — target
- src/Microsoft.Identity.Web.Certificateless/ManagedIdentityClientAssertion.cs —
reference impl pattern