Updated httpmanager to support mtls (#4793)

* initial * Add retry policy * Address comments * Update tests to test managed identity retry policy as well --------- Co-authored-by: Gladwin Johnson <[email protected]> Co-authored-by: Neha Bhargava <[email protected]>
AzureAD · Jul 11, 2024 · 5c7c527 · 5c7c527
1 parent 02b6d7e
commit 5c7c527
Show file tree

Hide file tree

Showing 39 changed files with 959 additions and 858 deletions.
diff --git a/build/platform_and_feature_flags.props b/build/platform_and_feature_flags.props
@@ -3,15 +3,18 @@
     <DefineConstants>$(DefineConstants);NET_CORE;SUPPORTS_CONFIDENTIAL_CLIENT;SUPPORTS_CUSTOM_CACHE;SUPPORTS_BROKER;SUPPORTS_WIN32;</DefineConstants>
   </PropertyGroup>
   <PropertyGroup Condition="'$(TargetFramework)' == '$(TargetFrameworkNet6)'" >
-    <DefineConstants>$(DefineConstants);SUPPORTS_SYSTEM_TEXT_JSON</DefineConstants> 
+    <DefineConstants>$(DefineConstants);SUPPORTS_SYSTEM_TEXT_JSON</DefineConstants>
   </PropertyGroup>
-  <PropertyGroup Condition="'$(TargetFramework)' == '$(TargetFrameworkNet6)' or '$(TargetFramework)' == '$(TargetFrameworkNetDesktop462)' or '$(TargetFramework)' == '$(TargetFrameworkNetStandard)'">
+  <PropertyGroup Condition="'$(TargetFramework)' == '$(TargetFrameworkNet6)' or '$(TargetFramework)' == '$(TargetFrameworkNetDesktop462)' or '$(TargetFramework)' == '$(TargetFrameworkNetDesktop472)' or '$(TargetFramework)' == '$(TargetFrameworkNetStandard)'">
     <DefineConstants>$(DefineConstants);SUPPORTS_OTEL;</DefineConstants>
   </PropertyGroup>
+  <PropertyGroup Condition="'$(TargetFramework)' == '$(TargetFrameworkNet6)' or '$(TargetFramework)' == '$(TargetFrameworkNetDesktop472)'">
+    <DefineConstants>$(DefineConstants);SUPPORTS_MTLS;</DefineConstants>
+  </PropertyGroup>
   <PropertyGroup Condition="'$(TargetFramework)' == '$(TargetFrameworkNet6Android)'">
     <DefineConstants>$(DefineConstants);ANDROID;SUPPORTS_BROKER</DefineConstants>
   </PropertyGroup>
-  <PropertyGroup Condition="'$(TargetFramework)' == '$(TargetFrameworkNetDesktop462)'">
+  <PropertyGroup Condition="'$(TargetFramework)' == '$(TargetFrameworkNetDesktop462)' or '$(TargetFramework)' == '$(TargetFrameworkNetDesktop472)'">
     <DefineConstants>$(DefineConstants);SUPPORTS_BROKER;SUPPORTS_CONFIDENTIAL_CLIENT;SUPPORTS_CUSTOM_CACHE;SUPPORTS_WIN32</DefineConstants>
   </PropertyGroup>
   <PropertyGroup Condition="'$(TargetFramework)' == '$(TargetFrameworkNet6Ios)'">

diff --git a/src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenCommonParameters.cs b/src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenCommonParameters.cs
@@ -3,6 +3,7 @@
 
 using System;
 using System.Collections.Generic;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
 using Microsoft.Identity.Client.AppConfig;
 using Microsoft.Identity.Client.AuthScheme;
@@ -27,6 +28,7 @@ internal class AcquireTokenCommonParameters
         public IDictionary<string, string> ExtraHttpHeaders { get; set; }
         public PoPAuthenticationConfiguration PopAuthenticationConfiguration { get; set; }
         public Func<OnBeforeTokenRequestData, Task> OnBeforeTokenRequestHandler { get; internal set; }
+        public X509Certificate2 MtlsCertificate { get; internal set; }
 
     }
 }
diff --git a/src/client/Microsoft.Identity.Client/AppConfig/IMsalMtlsHttpClientFactory.cs b/src/client/Microsoft.Identity.Client/AppConfig/IMsalMtlsHttpClientFactory.cs
@@ -0,0 +1,31 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Net.Http;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Microsoft.Identity.Client
+{
+    /// <summary>
+    /// Internal factory responsible for creating HttpClient instances configured for mutual TLS (MTLS).
+    /// This factory is specifically intended for use within the MSAL library for secure communication with Azure AD using MTLS.
+    /// For more details on HttpClient instancing, see https://learn.microsoft.com/dotnet/api/system.net.http.httpclient?view=net-7.0#instancing.
+    /// </summary>
+    /// <remarks>
+    /// Implementations of this interface must be thread-safe.
+    /// It is important to reuse HttpClient instances to avoid socket exhaustion.
+    /// Do not create a new HttpClient for each call to <see cref="GetHttpClient(X509Certificate2)"/>.
+    /// If your application requires Integrated Windows Authentication, set <see cref="HttpClientHandler.UseDefaultCredentials"/> to true.
+    /// This interface is intended for internal use by MSAL only and is designed to support MTLS scenarios.
+    /// </remarks>
+    internal interface IMsalMtlsHttpClientFactory : IMsalHttpClientFactory
+    {
+        /// <summary>
+        /// Returns an HttpClient configured with a certificate for mutual TLS authentication.
+        /// This method enables advanced MTLS scenarios within Azure AD communications in MSAL.
+        /// </summary>
+        /// <param name="x509Certificate2">The certificate to be used for MTLS authentication.</param>
+        /// <returns>An HttpClient instance configured with the specified certificate.</returns>
+        HttpClient GetHttpClient(X509Certificate2 x509Certificate2);
+    }
+}