Skip to content

Add token binding #3622

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 31 commits into
base: master
Choose a base branch
from
Open

Add token binding #3622

wants to merge 31 commits into from

Conversation

@cpp11nullptr
Copy link

@cpp11nullptr cpp11nullptr commented Nov 24, 2025

Purpose

Introduce a “token binding scenario” for confidential client (app-only) token acquisition and downstream API calls:

  • Bind access tokens to a client certificate (expected cnf claim – thumbprint / key reference).
  • Use mutual TLS (mTLS) when calling downstream APIs.
  • Support Bearer / PoP / mTLS protocol selection via AuthorizationHeaderProviderOptions.ProtocolScheme.
  • Provide a service collection extension (one-line enablement) wiring token acquisition + binding + downstream calls.

High-level scenario

  1. Developer enables token binding scenario via new service collection extension (PR states: “add service collection extension to enable token binding”).
  2. A binding certificate is sourced from ClientCredentials (direct cert or via Managed Identity).
  3. Developer specifies a protocol scheme (e.g. ProtocolScheme = "Pop" or future ProtocolScheme = "mtls-pop" / "mtls") in AuthorizationHeaderProviderOptions.
  4. Token acquisition (client credentials flow) is configured accordingly; Entra ID returns a token containing a binding claim (cnf) when certificate binding is active.
  5. The authorization header provider produces the header (currently Bearer <token>; protocol-specific transformations for schemes like Pop are applied internally).
  6. An mTLS-capable HTTP client presents the same certificate during TLS handshake.
  7. Downstream API validates that presented client certificate matches token’s cnf claim (x5t thumbprint).
  8. Fallback path: if no certificate is available (or protocol does not require it), a regular unbound token is retrieved.

Zhenya Polyvanyi and others added 19 commits November 5, 2025 19:09
Implement mTLS HTTP client factory
f97d2b2
Implement authorization header provider for token with binding certif…
77bbd55 
…icate
Add unit tests for downstream API changes
869484f
Add token binding to token acquisition flow
d2cf9af
Merge branch 'master' into iepoly/add-token-binding-scenario
bd33d88
@cpp11nullptr @jmprieur
Update src/Microsoft.Identity.Web.DownstreamApi/DownstreamApi.cs
16fe5a9 
Co-authored-by: Jean-Marc Prieur <[email protected]>
@cpp11nullptr @jmprieur
Update src/Microsoft.Identity.Web.DownstreamApi/DownstreamApi.cs
d8bcba1 
Co-authored-by: Jean-Marc Prieur <[email protected]>
Commit changes after code review comments
5591d8d
Merge branch 'iepoly/add-token-binding-scenario' of https://github.co…
50e38f3 
…m/cpp11nullptr/microsoft-identity-web into iepoly/add-token-binding-scenario
Exclude net462 from condition for SUPPORTS_MTLS
d33b389
Merge branch 'master' into iepoly/add-token-binding-scenario
323f1db
@cpp11nullptr
Apply suggestions from code review
6377bcf 
Co-authored-by: Copilot <[email protected]>
Set token binding flow through token acquisition extra parameters
b316bd2
Merge branch 'iepoly/add-token-binding-scenario' of https://github.co…
b814843 
…m/cpp11nullptr/microsoft-identity-web into iepoly/add-token-binding-scenario
Fix typo in comment
3351aaa
Merge branch 'master' into iepoly/add-token-binding-scenario
817d593
Update unit tests
7917c69
Add E2E test for token acquirer
672346b
Add mTLS PoP client and web API samples
becef8a
@cpp11nullptr cpp11nullptr requested a review from a team as a code owner November 24, 2025 14:54
@cpp11nullptr cpp11nullptr mentioned this pull request Nov 24, 2025
Closed
bgavrilMS
bgavrilMS reviewed Nov 28, 2025
View reviewed changes
bgavrilMS
bgavrilMS reviewed Nov 28, 2025
View reviewed changes
jmprieur
jmprieur requested changes Nov 28, 2025
View reviewed changes
Copy link
Collaborator

@jmprieur jmprieur left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've left comments. there are changes to make

MZOLN
MZOLN reviewed Dec 1, 2025
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bgavrilMS bgavrilMS bgavrilMS left review comments

@MZOLN MZOLN MZOLN left review comments

@jmprieur jmprieur jmprieur requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@cpp11nullptr @bgavrilMS @jmprieur @MZOLN