Merge branch 'main' into main

Author: DharshanBJ

CHANGELOG.md

@@ -1,3 +1,11 @@
+4.79.2
+======
+
+### Bug fixes
+* Bump winsdk dependency  [#5575](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5575)
+* ImdsV2 probe does not fire when .WithMtlsProofOfPossesstion is not used [#5579](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5579)
+* Downgrade System.Formats.Asn1 to match ID web [#5583](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5583)
+
 4.79.0
 ======
 
@@ -6,13 +14,15 @@
 * Bearer Requests should Fallback to IMDS in Preview in https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5562
 * Updating MSAL to send client info = 2 on client credential flow in https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5529
 * Make `IMsalMtlsHttpClientFactory` interface public in https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5559* Adjust WithExtraQueryParameters APIs and cache key behavior https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5536
+* Adjust WithExtraQueryParameters APIs and cache key behavior [#5536](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5536)
 
 ### Bug fixes 
 * Fix instance discovery bug in Fr cloud [#5549](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5549)
 * Mark WithClientAssertion  API as experimental [#5551](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5551)
 
 
 
+
 4.78.0
 ======
 ### Changes

docs/msi_v2/cert_handling.md

@@ -0,0 +1,78 @@
+# Certificate Handling on Windows for MSI v2 / PoP
+
+## Overview
+In the MSI v2 flow, the client must present a certificate over mTLS.  
+The certificate itself is the **credential** for this flow.  
+
+Currently, the certificate is stored only in memory.  
+To reduce repeated calls to IMDS and enable reuse across requests,  
+the certificate should be **rooted (persisted)** in the Windows certificate store.
+
+## 1. Certificate Store Location
+- Use the **Windows Certificate Store**.
+- Scope: **CurrentUser\My** store (per-user, not global).
+- This provides:
+  - Secure key isolation (KeyGuard).
+  - OS-enforced ACLs instead of manual file permissions.
+
+---
+
+## 2. Certificate Lifecycle
+
+1. **Check Cert Store**  
+   - Look in `CurrentUser\My` for an MSI certificate.  
+   - Identify by subject and issuer.
+   - If found and not expired → load it.  
+
+2. **No Valid Certificate**  
+   - Generate a key pair (RSA) in KeyGuard (for POP).
+   - Get an attestation token for the key. 
+   - Create CSR in memory.  
+   - Call **IMDS issuecredential** endpoint.  
+   - Receive certificate from IMDS.  
+
+3. **Persist the Certificate**  
+   - Store the new certificate (with private key) in `CurrentUser\My`.  
+   - Mark the key as **non-exportable**.  (uses KeyGuard keys - already non-exportable)
+
+4. **Use Certificate**  
+   - Load cert from store as needed.  
+   - Use it for mTLS handshake.  
+
+---
+
+## 3. Expiration and Renewal
+- Certificates are short-lived (7 days).  
+- Always check expiration before use.  
+- If expired or close to expiry:  
+  - Remove stale cert from store.  
+  - Acquire and persist a new cert from IMDS.  
+
+### Proactive Renewal: Start renewal at half the certificate lifetime (typically, 3.5 days) to avoid expiry during active sessions.
+
+**This is calculated based on the certificate’s NotAfter property (expiration date).**
+---
+
+## 4. Error Handling
+- If store entry is corrupt → remove it and fetch new cert.  
+- If IMDS call fails → bubble up error to caller.  
+
+---
+
+# Certificate Store Location in Linux 
+- Rely on .NET’s X509Store abstractions for per-user certificate storage. The framework handles platform-specific details.”
+
+---
+
+## 5. Security Considerations
+- Private keys must be generated in **CNG/KeyGuard** with `ExportPolicy = None`.  
+- Keys should **never** be exported or persisted outside the Windows certificate store.  
+- `CurrentUser\My` is scoped to the signed-in user.  
+
+---
+
+## ✅ Summary
+- Always **check Windows cert store first** (`CurrentUser\My`).  
+- If no valid cert, **request one from IMDS**.  
+- **Persist it** back into the store securely.  
+- **Refresh on expiration**.  

tests/Microsoft.Identity.Test.LabInfrastructure/CertificateHelper.cs

@@ -36,7 +36,7 @@ public static X509Certificate2 FindCertificateByName(string subjectName)
         /// <param subjectName="location"><see cref="StoreLocation"/> in which to search for a matching certificate</param>
         /// <param subjectName="name"><see cref="StoreName"/> in which to search for a matching certificate</param>
         /// <returns><see cref="X509Certificate2"/> with <paramref subjectName="certName"/>, or null if no matching certificate was found</returns>
-        public static X509Certificate2 FindCertificateByName(string certName, StoreLocation location, StoreName name)
+        private static X509Certificate2 FindCertificateByName(string certName, StoreLocation location, StoreName name)
         {
             // Unix LocalMachine X509Store is limited to the Root and CertificateAuthority stores
             if (SharedUtilities.IsLinuxPlatform())

tests/Microsoft.Identity.Test.LabInfrastructure/KeyVaultConfiguration.cs

@@ -29,33 +29,7 @@ public class KeyVaultSecretsProvider : IDisposable
         private CertificateClient _certificateClient;
         private SecretClient _secretClient;
 
-        /// <summary>Initialize the secrets provider with the "keyVault" configuration section.</summary>
-        /// <remarks>
-        /// <para>
-        /// Authentication using <see cref="LabAccessAuthenticationType.ClientCertificate"/>
-        ///     1. Register Azure AD application of "Web app / API" type.
-        ///        To set up certificate based access to the application PowerShell should be used.
-        ///     2. Add an access policy entry to target Key Vault instance for this application.
-        ///
-        ///     The "keyVault" configuration section should define:
-        ///         "authType": "ClientCertificate"
-        ///         "clientId": [client ID]
-        ///         "certThumbprint": [certificate thumbprint]
-        /// </para>
-        /// <para>
-        /// Authentication using <see cref="LabAccessAuthenticationType.UserCredential"/>
-        ///     1. Register Azure AD application of "Native" type.
-        ///     2. Add to 'Required permissions' access to 'Azure Key Vault (AzureKeyVault)' API.
-        ///     3. When you run your native client application, it will automatically prompt user to enter Azure AD credentials.
-        ///     4. To successfully access keys/secrets in the Key Vault, the user must have specific permissions to perform those operations.
-        ///        This could be achieved by directly adding an access policy entry to target Key Vault instance for this user
-        ///        or an access policy entry for an Azure AD security group of which this user is a member of.
-        ///
-        ///     The "keyVault" configuration section should define:
-        ///         "authType": "UserCredential"
-        ///         "clientId": [client ID]
-        /// </para>
-        /// </remarks>
+        
         public KeyVaultSecretsProvider(string keyVaultAddress = KeyVaultInstance.MSIDLab)
         {
             var credentials = GetKeyVaultCredentialAsync().GetAwaiter().GetResult();

tests/Microsoft.Identity.Test.LabInfrastructure/KeyVaultSecretsProvider.cs

@@ -70,10 +70,4 @@ public static async Task<AccessToken> GetLabAccessTokenAsync(string authority, s
         }
     }
 
-    public enum LabAccessAuthenticationType
-    {
-        ClientCertificate,
-        ClientSecret,
-        UserCredential
-    }
 }

tests/Microsoft.Identity.Test.LabInfrastructure/LabAuthenticationHelper.cs

@@ -26,16 +26,12 @@ public class LabApp
         [JsonProperty("redirecturi")]
         public string RedirectUri { get; set; }
 
-        [JsonProperty("signinaudience")]
-        public string Audience { get; set; }
-
         // TODO: this is a list, but lab sends a string. Not used today, discuss with lab to return a list
         [JsonProperty("authority")]
         public string Authority { get; set; }
 
         [JsonProperty("defaultscopes")]
         public string DefaultScopes { get; set; }
-
     }
 
     public class Lab
@@ -46,16 +42,7 @@ public class Lab
         [JsonProperty("federationprovider")]
         public FederationProvider FederationProvider { get; set; }
 
-        [JsonProperty("credentialvaultkeyname")]
-        public string CredentialVaultkeyName { get; set; }
-
         [JsonProperty("authority")]
         public string Authority { get; set; }
     }
-
-    public class LabCredentialResponse
-    {
-        [JsonProperty("Value")]
-        public string Secret { get; set; }
-    }
 }

tests/Microsoft.Identity.Test.LabInfrastructure/LabResponse.cs

@@ -75,35 +75,13 @@ private Task<string> RunQueryAsync(UserQuery query)
             if (string.IsNullOrEmpty(query.Upn))
             {
                 //Building user query
-                //Required parameters will be set to default if not supplied by the test code
-
-                queryDict.Add(
-                    LabApiConstants.MultiFactorAuthentication, 
-                    query.MFA != null ? 
-                        query.MFA.ToString() : 
-                        MFA.None.ToString());
-
-                queryDict.Add(
-                    LabApiConstants.ProtectionPolicy, 
-                    query.ProtectionPolicy != null ? 
-                        query.ProtectionPolicy.ToString() : 
-                        ProtectionPolicy.None.ToString());
-
+                //Required parameters will be set to default if not supplied by the test code               
+               
                 if (query.UserType != null)
                 {
                     queryDict.Add(LabApiConstants.UserType, query.UserType.ToString());
                 }
-
-                if (query.HomeDomain != null)
-                {
-                    queryDict.Add(LabApiConstants.HomeDomain, query.HomeDomain.ToString());
-                }
-
-                if (query.HomeUPN != null)
-                {
-                    queryDict.Add(LabApiConstants.HomeUPN, query.HomeUPN.ToString());
-                }
-
+             
                 if (query.B2CIdentityProvider != null)
                 {
                     queryDict.Add(LabApiConstants.B2CProvider, query.B2CIdentityProvider.ToString());
@@ -168,17 +146,6 @@ internal async Task<string> GetLabResponseAsync(string address)
             }
         }
 
-        public async Task<string> GetUserSecretAsync(string lab)
-        {
-            Dictionary<string, string> queryDict = new Dictionary<string, string>
-            {
-                { "secret", lab }
-            };
-
-            string result = await SendLabRequestAsync(LabApiConstants.LabUserCredentialEndpoint, queryDict).ConfigureAwait(false);
-            return JsonConvert.DeserializeObject<LabCredentialResponse>(result).Secret;
-        }
-
         public async Task<string> GetMSIHelperServiceTokenAsync()
         {
             if (_msiHelperApiAccessToken == null)

tests/Microsoft.Identity.Test.LabInfrastructure/LabServiceApi.cs

@@ -18,18 +18,6 @@ public class LabUser
         [JsonProperty("upn")]
         public string Upn { get; set; }
 
-        [JsonProperty("displayname")]
-        public string DisplayName { get; set; }
-
-        [JsonProperty("mfa")]
-        public MFA Mfa { get; set; }
-
-        [JsonProperty("protectionpolicy")]
-        public ProtectionPolicy ProtectionPolicy { get; set; }
-
-        [JsonProperty("homedomain")]
-        public HomeDomain HomeDomain { get; set; }
-
         [JsonProperty("homeupn")]
         public string HomeUPN { get; set; }
 
@@ -41,8 +29,6 @@ public class LabUser
 
         public FederationProvider FederationProvider { get; set; }
 
-        public string Credential { get; set; }
-
         public string TenantId { get; set; }
 
         private string _password = null;

tests/Microsoft.Identity.Test.LabInfrastructure/LabUser.cs

@@ -136,13 +136,7 @@ private static LabResponse MergeLabResponses(LabResponse primary, LabResponse se
 
             return primaryJson.ToObject<LabResponse>();
         }
-
-        [Obsolete("Use GetSpecificUserAsync instead", true)]
-        public static Task<LabResponse> GetLabUserDataForSpecificUserAsync(string upn)
-        {
-            throw new NotSupportedException();
-        }
-
+     
         public static async Task<string> GetMSIEnvironmentVariablesAsync(string uri)
         {
             string result = await s_labService.GetLabResponseAsync(uri).ConfigureAwait(false);
@@ -187,33 +181,6 @@ public static Task<LabResponse> GetB2CLocalAccountAsync()
             return GetLabUserDataAsync(UserQuery.B2CLocalAccountUserQuery);
         }
 
-        public static Task<LabResponse> GetB2CFacebookAccountAsync()
-        {
-            return GetLabUserDataAsync(UserQuery.B2CFacebookUserQuery);
-        }
-
-        public static Task<LabResponse> GetB2CGoogleAccountAsync()
-        {
-            return GetLabUserDataAsync(UserQuery.B2CGoogleUserQuery);
-        }
-
-        public static async Task<LabResponse> GetB2CMSAAccountAsync()
-        {
-            var response = await GetLabUserDataAsync(UserQuery.B2CMSAUserQuery).ConfigureAwait(false);
-            if (string.IsNullOrEmpty(response.User.HomeUPN) ||
-                string.Equals("None", response.User.HomeUPN, StringComparison.OrdinalIgnoreCase))
-            {
-                Debug.WriteLine($"B2C MSA HomeUPN set to UPN: {response.User.Upn}");
-                response.User.HomeUPN = response.User.Upn;
-            }
-            return response;
-        }
-
-        public static Task<LabResponse> GetSpecificUserAsync(string upn)
-        {
-            return GetLabUserDataAsync(new UserQuery() { Upn = upn });
-        }
-
         public static Task<LabResponse> GetArlingtonUserAsync()
         {
             var response = GetLabUserDataAsync(UserQuery.ArlingtonUserQuery);