Implement MSAL's IMsalSFHttpClientFactory for service fabric scenarios (Azure#49544)

christothes · web-flow · commit cc5a8e088529 · 2025-04-22T16:43:57.000-05:00
diff --git a/eng/Packages.Data.props b/eng/Packages.Data.props
@@ -168,9 +168,9 @@
     <!-- Other approved packages -->
     <PackageReference Update="Microsoft.Azure.Amqp" Version="2.6.9" />
     <PackageReference Update="Microsoft.Azure.WebPubSub.Common" Version="1.4.0" />
-    <PackageReference Update="Microsoft.Identity.Client" Version="4.70.2" />
-    <PackageReference Update="Microsoft.Identity.Client.Extensions.Msal" Version="4.70.2" />
-    <PackageReference Update="Microsoft.Identity.Client.Broker" Version="4.70.2" />
+    <PackageReference Update="Microsoft.Identity.Client" Version="4.71.0" />
+    <PackageReference Update="Microsoft.Identity.Client.Extensions.Msal" Version="4.71.0" />
+    <PackageReference Update="Microsoft.Identity.Client.Broker" Version="4.71.0" />
     <PackageReference Update="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.35.0" />
     <PackageReference Update="Microsoft.IdentityModel.Tokens" Version="6.35.0" />
     <PackageReference Update="System.IdentityModel.Tokens.Jwt" Version="6.35.0" />
diff --git a/sdk/identity/Azure.Identity/src/Azure.Identity.csproj b/sdk/identity/Azure.Identity/src/Azure.Identity.csproj
@@ -21,7 +21,7 @@
   <ItemGroup>
     <PackageReference Include="Azure.Core" />
     <PackageReference Include="System.Memory" />
-    <PackageReference Include="Microsoft.Identity.Client" />
+    <PackageReference Include="Microsoft.Identity.Client" VersionOverride="4.71.1-preview" />
     <PackageReference Include="Microsoft.Identity.Client.Extensions.Msal" />
   </ItemGroup>
   <ItemGroup>
diff --git a/sdk/identity/Azure.Identity/src/CredentialPipeline.cs b/sdk/identity/Azure.Identity/src/CredentialPipeline.cs
@@ -17,6 +17,7 @@ private CredentialPipeline(TokenCredentialOptions options)
         {
             HttpPipeline = HttpPipelineBuilder.Build(new HttpPipelineOptions(options) { RequestFailedDetailsParser = new ManagedIdentityRequestFailedDetailsParser() });
             Diagnostics = new ClientDiagnostics(options);
+            ClientOptions = options;
         }
 
         public CredentialPipeline(HttpPipeline httpPipeline, ClientDiagnostics diagnostics)
@@ -52,6 +53,8 @@ private static CredentialPipeline configureOptionsForManagedIdentity(TokenCreden
 
         public HttpPipeline HttpPipeline { get; }
 
+        public ClientOptions ClientOptions { get; }
+
         public ClientDiagnostics Diagnostics { get; }
 
         public CredentialDiagnosticScope StartGetTokenScope(string fullyQualifiedMethod, TokenRequestContext context)
diff --git a/sdk/identity/Azure.Identity/src/HttpPipelineClientFactory.cs b/sdk/identity/Azure.Identity/src/HttpPipelineClientFactory.cs
@@ -3,32 +3,41 @@
 
 using Azure.Core.Pipeline;
 using Microsoft.Identity.Client;
-using System;
-using System.Collections.Generic;
-using System.Linq;
 using System.Net.Http;
-using System.Text;
-using System.Threading;
-using System.Threading.Tasks;
 using Azure.Core;
+using System;
+using System.Security.Cryptography.X509Certificates;
+using System.Net.Security;
 
 namespace Azure.Identity
 {
     /// <summary>
     /// This class is an HttpClient factory which creates an HttpClient which delegates it's transport to an HttpPipeline, to enable MSAL to send requests through an Azure.Core HttpPipeline.
     /// </summary>
-    internal class HttpPipelineClientFactory : IMsalHttpClientFactory
+    internal class HttpPipelineClientFactory : IMsalSFHttpClientFactory
     {
         private readonly HttpPipeline _pipeline;
+        private readonly ClientOptions _options;
 
-        public HttpPipelineClientFactory(HttpPipeline pipeline)
+        public HttpPipelineClientFactory(HttpPipeline pipeline, ClientOptions options = null)
         {
             _pipeline = pipeline;
+            _options = options ?? new TokenCredentialOptions();
         }
 
         public HttpClient GetHttpClient()
         {
             return new HttpClient(new HttpPipelineMessageHandler(_pipeline));
         }
+
+        public HttpClient GetHttpClient(Func<HttpRequestMessage, X509Certificate2, X509Chain, SslPolicyErrors, bool> validateServerCert)
+        {
+            var pipeline = HttpPipelineBuilder.Build(new HttpPipelineOptions(_options) { RequestFailedDetailsParser = new ManagedIdentityRequestFailedDetailsParser() },
+                new HttpPipelineTransportOptions()
+                {
+                    ServerCertificateCustomValidationCallback = (args) => validateServerCert(null, args.Certificate, args.CertificateAuthorityChain, args.SslPolicyErrors)
+                });
+            return new HttpClient(new HttpPipelineMessageHandler(pipeline));
+        }
     }
 }
diff --git a/sdk/identity/Azure.Identity/src/MsalManagedIdentityClient.cs b/sdk/identity/Azure.Identity/src/MsalManagedIdentityClient.cs
@@ -67,7 +67,7 @@ protected virtual ValueTask<IManagedIdentityApplication> CreateClientCoreAsync(b
 
             ManagedIdentityApplicationBuilder miAppBuilder = ManagedIdentityApplicationBuilder
                 .Create(ManagedIdentityId)
-                .WithHttpClientFactory(new HttpPipelineClientFactory(Pipeline.HttpPipeline), false)
+                .WithHttpClientFactory(new HttpPipelineClientFactory(Pipeline.HttpPipeline, Pipeline.ClientOptions), false)
                 .WithLogging(AzureIdentityEventSource.Singleton, enablePiiLogging: IsSupportLoggingEnabled);
 
             if (clientCapabilities.Length > 0)
diff --git a/sdk/identity/Azure.Identity/tests/ManagedIdentityCredentialTests.cs b/sdk/identity/Azure.Identity/tests/ManagedIdentityCredentialTests.cs
@@ -273,7 +273,6 @@ public async Task VerifyServiceFabricRequestWithResourceIdMockAsync(string clien
 
             var mockTransport = new MockTransport(req =>
             {
-                Assert.Fail("transport");
                 return CreateMockResponse(200, ExpectedToken);
             });
             var options = new TokenCredentialOptions { Transport = mockTransport };
@@ -283,8 +282,7 @@ public async Task VerifyServiceFabricRequestWithResourceIdMockAsync(string clien
             {
                 (Item1: null, Item2: true) => new ManagedIdentityClientOptions() { ManagedIdentityId = ManagedIdentityId.FromUserAssignedResourceId(new ResourceIdentifier(_expectedResourceId)), Pipeline = pipeline, IsForceRefreshEnabled = true },
                 (Item1: not null, Item2: false) => new ManagedIdentityClientOptions() { ManagedIdentityId = ManagedIdentityId.FromUserAssignedClientId(clientId), Pipeline = pipeline, IsForceRefreshEnabled = true },
-                _ => null // TODO: remove null logic and uncomment the following line once MSAL is able to take a custom transport for Service Fabric MI source
-                //_ => new ManagedIdentityClientOptions() { ClientId = null, ResourceIdentifier = null, Pipeline = pipeline, Options = options, PreserveTransport = true, IsForceRefreshEnabled = true }
+                _ => new ManagedIdentityClientOptions() { Pipeline = pipeline, Options = options, PreserveTransport = true, IsForceRefreshEnabled = true }
             };
             if (clientOptions == null)
             {

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ private CredentialPipeline(TokenCredentialOptions options)`
`17`	`17`	`{`
`18`	`18`	`HttpPipeline = HttpPipelineBuilder.Build(new HttpPipelineOptions(options) { RequestFailedDetailsParser = new ManagedIdentityRequestFailedDetailsParser() });`
`19`	`19`	`Diagnostics = new ClientDiagnostics(options);`
	`20`	`+ ClientOptions = options;`
`20`	`21`	`}`
`21`	`22`
`22`	`23`	`public CredentialPipeline(HttpPipeline httpPipeline, ClientDiagnostics diagnostics)`
`@@ -52,6 +53,8 @@ private static CredentialPipeline configureOptionsForManagedIdentity(TokenCreden`
`52`	`53`
`53`	`54`	`public HttpPipeline HttpPipeline { get; }`
`54`	`55`
	`56`	`+ public ClientOptions ClientOptions { get; }`
	`57`	`+`
`55`	`58`	`public ClientDiagnostics Diagnostics { get; }`
`56`	`59`
`57`	`60`	`public CredentialDiagnosticScope StartGetTokenScope(string fullyQualifiedMethod, TokenRequestContext context)`
Original file line number	Diff line number	Diff line change
`@@ -273,7 +273,6 @@ public async Task VerifyServiceFabricRequestWithResourceIdMockAsync(string clien`
`273`	`273`
`274`	`274`	`var mockTransport = new MockTransport(req =>`
`275`	`275`	`{`
`276`		`- Assert.Fail("transport");`
`277`	`276`	`return CreateMockResponse(200, ExpectedToken);`
`278`	`277`	`});`
`279`	`278`	`var options = new TokenCredentialOptions { Transport = mockTransport };`
`@@ -283,8 +282,7 @@ public async Task VerifyServiceFabricRequestWithResourceIdMockAsync(string clien`
`283`	`282`	`{`
`284`	`283`	`(Item1: null, Item2: true) => new ManagedIdentityClientOptions() { ManagedIdentityId = ManagedIdentityId.FromUserAssignedResourceId(new ResourceIdentifier(_expectedResourceId)), Pipeline = pipeline, IsForceRefreshEnabled = true },`
`285`	`284`	`(Item1: not null, Item2: false) => new ManagedIdentityClientOptions() { ManagedIdentityId = ManagedIdentityId.FromUserAssignedClientId(clientId), Pipeline = pipeline, IsForceRefreshEnabled = true },`
`286`		`- _ => null // TODO: remove null logic and uncomment the following line once MSAL is able to take a custom transport for Service Fabric MI source`
`287`		`- //_ => new ManagedIdentityClientOptions() { ClientId = null, ResourceIdentifier = null, Pipeline = pipeline, Options = options, PreserveTransport = true, IsForceRefreshEnabled = true }`
	`285`	`+ _ => new ManagedIdentityClientOptions() { Pipeline = pipeline, Options = options, PreserveTransport = true, IsForceRefreshEnabled = true }`
`288`	`286`	`};`
`289`	`287`	`if (clientOptions == null)`
`290`	`288`	`{`