Merge branch 'main' into rginsburg/imds_probing

Author: Robbie-Microsoft

CHANGELOG.md

@@ -1,3 +1,11 @@
+4.79.2
+======
+
+### Bug fixes
+* Bump winsdk dependency  [#5575](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5575)
+* ImdsV2 probe does not fire when .WithMtlsProofOfPossesstion is not used [#5579](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5579)
+* Downgrade System.Formats.Asn1 to match ID web [#5583](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5583)
+
 4.79.0
 ======
 
@@ -6,13 +14,15 @@
 * Bearer Requests should Fallback to IMDS in Preview in https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5562
 * Updating MSAL to send client info = 2 on client credential flow in https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5529
 * Make `IMsalMtlsHttpClientFactory` interface public in https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5559* Adjust WithExtraQueryParameters APIs and cache key behavior https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5536
+* Adjust WithExtraQueryParameters APIs and cache key behavior [#5536](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5536)
 
 ### Bug fixes 
 * Fix instance discovery bug in Fr cloud [#5549](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5549)
 * Mark WithClientAssertion  API as experimental [#5551](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5551)
 
 
 
+
 4.78.0
 ======
 ### Changes

LibsAndSamples.sln

@@ -1,7 +1,7 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio Version 17
-VisualStudioVersion = 17.3.32708.82
+# Visual Studio Version 18
+VisualStudioVersion = 18.0.11217.181 d18.0
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "tests", "tests", "{9B0B5396-4D95-4C15-82ED-DC22B5A3123F}"
 	ProjectSection(SolutionItems) = preProject
@@ -117,8 +117,6 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Identity.Client.D
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "WinFormsTestApp", "tests\devapps\WinFormsTestApp\WinFormsTestApp.csproj", "{F8C7D894-8B2F-4A1E-9D3C-5E4F7B8A9C6D}"
 EndProject
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "KerberosConsole", "tests\devapps\KerberosConsole\KerberosConsole.csproj", "{94F35780-220A-4C08-83B9-41168F7017CD}"
-EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Net5TestApp", "tests\devapps\Net5TestApp\Net5TestApp.csproj", "{998D38B3-344C-4F19-833E-6181B0834AF6}"
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "WebApi", "WebApi", "{CC07F293-91B9-45A3-AA3A-77885BBCB624}"
@@ -1050,47 +1048,6 @@ Global
 		{F8C7D894-8B2F-4A1E-9D3C-5E4F7B8A9C6D}.Release|x64.Build.0 = Release|x64
 		{F8C7D894-8B2F-4A1E-9D3C-5E4F7B8A9C6D}.Release|x86.ActiveCfg = Release|x86
 		{F8C7D894-8B2F-4A1E-9D3C-5E4F7B8A9C6D}.Release|x86.Build.0 = Release|x86
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug + MobileApps|Any CPU.ActiveCfg = Debug + MobileApps|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug + MobileApps|Any CPU.Build.0 = Debug + MobileApps|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug + MobileApps|ARM.ActiveCfg = Debug + MobileApps|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug + MobileApps|ARM.Build.0 = Debug + MobileApps|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug + MobileApps|ARM64.ActiveCfg = Debug + MobileApps|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug + MobileApps|ARM64.Build.0 = Debug + MobileApps|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug + MobileApps|iPhone.ActiveCfg = Debug + MobileApps|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug + MobileApps|iPhone.Build.0 = Debug + MobileApps|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug + MobileApps|iPhoneSimulator.ActiveCfg = Debug + MobileApps|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug + MobileApps|iPhoneSimulator.Build.0 = Debug + MobileApps|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug + MobileApps|x64.ActiveCfg = Debug + MobileApps|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug + MobileApps|x64.Build.0 = Debug + MobileApps|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug + MobileApps|x86.ActiveCfg = Debug + MobileApps|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug + MobileApps|x86.Build.0 = Debug + MobileApps|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug|ARM.ActiveCfg = Debug|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug|ARM.Build.0 = Debug|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug|ARM64.ActiveCfg = Debug|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug|ARM64.Build.0 = Debug|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug|iPhone.ActiveCfg = Debug|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug|iPhone.Build.0 = Debug|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug|iPhoneSimulator.ActiveCfg = Debug|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug|iPhoneSimulator.Build.0 = Debug|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug|x64.ActiveCfg = Debug|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug|x64.Build.0 = Debug|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug|x86.ActiveCfg = Debug|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Debug|x86.Build.0 = Debug|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Release|ARM.ActiveCfg = Release|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Release|ARM.Build.0 = Release|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Release|ARM64.ActiveCfg = Release|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Release|ARM64.Build.0 = Release|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Release|iPhone.ActiveCfg = Release|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Release|iPhone.Build.0 = Release|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Release|iPhoneSimulator.ActiveCfg = Release|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Release|iPhoneSimulator.Build.0 = Release|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Release|x64.ActiveCfg = Release|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Release|x64.Build.0 = Release|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Release|x86.ActiveCfg = Release|Any CPU
-		{94F35780-220A-4C08-83B9-41168F7017CD}.Release|x86.Build.0 = Release|Any CPU
 		{998D38B3-344C-4F19-833E-6181B0834AF6}.Debug + MobileApps|Any CPU.ActiveCfg = Debug + MobileApps|Any CPU
 		{998D38B3-344C-4F19-833E-6181B0834AF6}.Debug + MobileApps|Any CPU.Build.0 = Debug + MobileApps|Any CPU
 		{998D38B3-344C-4F19-833E-6181B0834AF6}.Debug + MobileApps|ARM.ActiveCfg = Debug + MobileApps|Any CPU
@@ -2062,7 +2019,6 @@ Global
 		{A7679FF0-19E8-41E3-9F7C-F54235124CC4} = {1A37FD75-94E9-4D6F-953A-0DABBD7B49E9}
 		{B8689FF1-20F9-4669-CF55-9B2E8B5F8DD5} = {1A37FD75-94E9-4D6F-953A-0DABBD7B49E9}
 		{F8C7D894-8B2F-4A1E-9D3C-5E4F7B8A9C6D} = {34BE693E-3496-45A4-B1D2-D3A0E068EEDB}
-		{94F35780-220A-4C08-83B9-41168F7017CD} = {34BE693E-3496-45A4-B1D2-D3A0E068EEDB}
 		{998D38B3-344C-4F19-833E-6181B0834AF6} = {384BA371-F17F-4A70-9423-D54F71BB3FCB}
 		{CC07F293-91B9-45A3-AA3A-77885BBCB624} = {34BE693E-3496-45A4-B1D2-D3A0E068EEDB}
 		{DD23D8FF-86BA-4E9F-8AF1-0EBE0D86986A} = {CC07F293-91B9-45A3-AA3A-77885BBCB624}

docs/msi_v2/cert_handling.md

@@ -0,0 +1,78 @@
+# Certificate Handling on Windows for MSI v2 / PoP
+
+## Overview
+In the MSI v2 flow, the client must present a certificate over mTLS.  
+The certificate itself is the **credential** for this flow.  
+
+Currently, the certificate is stored only in memory.  
+To reduce repeated calls to IMDS and enable reuse across requests,  
+the certificate should be **rooted (persisted)** in the Windows certificate store.
+
+## 1. Certificate Store Location
+- Use the **Windows Certificate Store**.
+- Scope: **CurrentUser\My** store (per-user, not global).
+- This provides:
+  - Secure key isolation (KeyGuard).
+  - OS-enforced ACLs instead of manual file permissions.
+
+---
+
+## 2. Certificate Lifecycle
+
+1. **Check Cert Store**  
+   - Look in `CurrentUser\My` for an MSI certificate.  
+   - Identify by subject and issuer.
+   - If found and not expired → load it.  
+
+2. **No Valid Certificate**  
+   - Generate a key pair (RSA) in KeyGuard (for POP).
+   - Get an attestation token for the key. 
+   - Create CSR in memory.  
+   - Call **IMDS issuecredential** endpoint.  
+   - Receive certificate from IMDS.  
+
+3. **Persist the Certificate**  
+   - Store the new certificate (with private key) in `CurrentUser\My`.  
+   - Mark the key as **non-exportable**.  (uses KeyGuard keys - already non-exportable)
+
+4. **Use Certificate**  
+   - Load cert from store as needed.  
+   - Use it for mTLS handshake.  
+
+---
+
+## 3. Expiration and Renewal
+- Certificates are short-lived (7 days).  
+- Always check expiration before use.  
+- If expired or close to expiry:  
+  - Remove stale cert from store.  
+  - Acquire and persist a new cert from IMDS.  
+
+### Proactive Renewal: Start renewal at half the certificate lifetime (typically, 3.5 days) to avoid expiry during active sessions.
+
+**This is calculated based on the certificate’s NotAfter property (expiration date).**
+---
+
+## 4. Error Handling
+- If store entry is corrupt → remove it and fetch new cert.  
+- If IMDS call fails → bubble up error to caller.  
+
+---
+
+# Certificate Store Location in Linux 
+- Rely on .NET’s X509Store abstractions for per-user certificate storage. The framework handles platform-specific details.”
+
+---
+
+## 5. Security Considerations
+- Private keys must be generated in **CNG/KeyGuard** with `ExportPolicy = None`.  
+- Keys should **never** be exported or persisted outside the Windows certificate store.  
+- `CurrentUser\My` is scoped to the signed-in user.  
+
+---
+
+## ✅ Summary
+- Always **check Windows cert store first** (`CurrentUser\My`).  
+- If no valid cert, **request one from IMDS**.  
+- **Persist it** back into the store securely.  
+- **Refresh on expiration**.  

tests/Microsoft.Identity.Test.LabInfrastructure/CertificateHelper.cs

@@ -36,7 +36,7 @@ public static X509Certificate2 FindCertificateByName(string subjectName)
         /// <param subjectName="location"><see cref="StoreLocation"/> in which to search for a matching certificate</param>
         /// <param subjectName="name"><see cref="StoreName"/> in which to search for a matching certificate</param>
         /// <returns><see cref="X509Certificate2"/> with <paramref subjectName="certName"/>, or null if no matching certificate was found</returns>
-        public static X509Certificate2 FindCertificateByName(string certName, StoreLocation location, StoreName name)
+        private static X509Certificate2 FindCertificateByName(string certName, StoreLocation location, StoreName name)
         {
             // Unix LocalMachine X509Store is limited to the Root and CertificateAuthority stores
             if (SharedUtilities.IsLinuxPlatform())

tests/Microsoft.Identity.Test.LabInfrastructure/KeyVaultConfiguration.cs

@@ -29,33 +29,7 @@ public class KeyVaultSecretsProvider : IDisposable
         private CertificateClient _certificateClient;
         private SecretClient _secretClient;
 
-        /// <summary>Initialize the secrets provider with the "keyVault" configuration section.</summary>
-        /// <remarks>
-        /// <para>
-        /// Authentication using <see cref="LabAccessAuthenticationType.ClientCertificate"/>
-        ///     1. Register Azure AD application of "Web app / API" type.
-        ///        To set up certificate based access to the application PowerShell should be used.
-        ///     2. Add an access policy entry to target Key Vault instance for this application.
-        ///
-        ///     The "keyVault" configuration section should define:
-        ///         "authType": "ClientCertificate"
-        ///         "clientId": [client ID]
-        ///         "certThumbprint": [certificate thumbprint]
-        /// </para>
-        /// <para>
-        /// Authentication using <see cref="LabAccessAuthenticationType.UserCredential"/>
-        ///     1. Register Azure AD application of "Native" type.
-        ///     2. Add to 'Required permissions' access to 'Azure Key Vault (AzureKeyVault)' API.
-        ///     3. When you run your native client application, it will automatically prompt user to enter Azure AD credentials.
-        ///     4. To successfully access keys/secrets in the Key Vault, the user must have specific permissions to perform those operations.
-        ///        This could be achieved by directly adding an access policy entry to target Key Vault instance for this user
-        ///        or an access policy entry for an Azure AD security group of which this user is a member of.
-        ///
-        ///     The "keyVault" configuration section should define:
-        ///         "authType": "UserCredential"
-        ///         "clientId": [client ID]
-        /// </para>
-        /// </remarks>
+        
         public KeyVaultSecretsProvider(string keyVaultAddress = KeyVaultInstance.MSIDLab)
         {
             var credentials = GetKeyVaultCredentialAsync().GetAwaiter().GetResult();

tests/Microsoft.Identity.Test.LabInfrastructure/KeyVaultSecretsProvider.cs

@@ -70,10 +70,4 @@ public static async Task<AccessToken> GetLabAccessTokenAsync(string authority, s
         }
     }
 
-    public enum LabAccessAuthenticationType
-    {
-        ClientCertificate,
-        ClientSecret,
-        UserCredential
-    }
 }

tests/Microsoft.Identity.Test.LabInfrastructure/LabAuthenticationHelper.cs

@@ -26,16 +26,12 @@ public class LabApp
         [JsonProperty("redirecturi")]
         public string RedirectUri { get; set; }
 
-        [JsonProperty("signinaudience")]
-        public string Audience { get; set; }
-
         // TODO: this is a list, but lab sends a string. Not used today, discuss with lab to return a list
         [JsonProperty("authority")]
         public string Authority { get; set; }
 
         [JsonProperty("defaultscopes")]
         public string DefaultScopes { get; set; }
-
     }
 
     public class Lab
@@ -46,16 +42,7 @@ public class Lab
         [JsonProperty("federationprovider")]
         public FederationProvider FederationProvider { get; set; }
 
-        [JsonProperty("credentialvaultkeyname")]
-        public string CredentialVaultkeyName { get; set; }
-
         [JsonProperty("authority")]
         public string Authority { get; set; }
     }
-
-    public class LabCredentialResponse
-    {
-        [JsonProperty("Value")]
-        public string Secret { get; set; }
-    }
 }

tests/Microsoft.Identity.Test.LabInfrastructure/LabResponse.cs

@@ -75,35 +75,13 @@ private Task<string> RunQueryAsync(UserQuery query)
             if (string.IsNullOrEmpty(query.Upn))
             {
                 //Building user query
-                //Required parameters will be set to default if not supplied by the test code
-
-                queryDict.Add(
-                    LabApiConstants.MultiFactorAuthentication, 
-                    query.MFA != null ? 
-                        query.MFA.ToString() : 
-                        MFA.None.ToString());
-
-                queryDict.Add(
-                    LabApiConstants.ProtectionPolicy, 
-                    query.ProtectionPolicy != null ? 
-                        query.ProtectionPolicy.ToString() : 
-                        ProtectionPolicy.None.ToString());
-
+                //Required parameters will be set to default if not supplied by the test code               
+               
                 if (query.UserType != null)
                 {
                     queryDict.Add(LabApiConstants.UserType, query.UserType.ToString());
                 }
-
-                if (query.HomeDomain != null)
-                {
-                    queryDict.Add(LabApiConstants.HomeDomain, query.HomeDomain.ToString());
-                }
-
-                if (query.HomeUPN != null)
-                {
-                    queryDict.Add(LabApiConstants.HomeUPN, query.HomeUPN.ToString());
-                }
-
+             
                 if (query.B2CIdentityProvider != null)
                 {
                     queryDict.Add(LabApiConstants.B2CProvider, query.B2CIdentityProvider.ToString());
@@ -168,17 +146,6 @@ internal async Task<string> GetLabResponseAsync(string address)
             }
         }
 
-        public async Task<string> GetUserSecretAsync(string lab)
-        {
-            Dictionary<string, string> queryDict = new Dictionary<string, string>
-            {
-                { "secret", lab }
-            };
-
-            string result = await SendLabRequestAsync(LabApiConstants.LabUserCredentialEndpoint, queryDict).ConfigureAwait(false);
-            return JsonConvert.DeserializeObject<LabCredentialResponse>(result).Secret;
-        }
-
         public async Task<string> GetMSIHelperServiceTokenAsync()
         {
             if (_msiHelperApiAccessToken == null)

tests/Microsoft.Identity.Test.LabInfrastructure/LabServiceApi.cs

@@ -18,18 +18,6 @@ public class LabUser
         [JsonProperty("upn")]
         public string Upn { get; set; }
 
-        [JsonProperty("displayname")]
-        public string DisplayName { get; set; }
-
-        [JsonProperty("mfa")]
-        public MFA Mfa { get; set; }
-
-        [JsonProperty("protectionpolicy")]
-        public ProtectionPolicy ProtectionPolicy { get; set; }
-
-        [JsonProperty("homedomain")]
-        public HomeDomain HomeDomain { get; set; }
-
         [JsonProperty("homeupn")]
         public string HomeUPN { get; set; }
 
@@ -41,8 +29,6 @@ public class LabUser
 
         public FederationProvider FederationProvider { get; set; }
 
-        public string Credential { get; set; }
-
         public string TenantId { get; set; }
 
         private string _password = null;