Add extensibility APIs #5573
Add extensibility APIs #5573
Conversation
src/client/Microsoft.Identity.Client/AppConfig/ApplicationConfiguration.cs
Outdated
Show resolved
Hide resolved
src/client/Microsoft.Identity.Client/AppConfig/ApplicationConfiguration.cs
Outdated
Show resolved
Hide resolved
...nt/Microsoft.Identity.Client/Extensibility/ConfidentialClientApplicationBuilderExtensions.cs
Outdated
Show resolved
Hide resolved
...nt/Microsoft.Identity.Client/Extensibility/ConfidentialClientApplicationBuilderExtensions.cs
Outdated
Show resolved
Hide resolved
...nt/Microsoft.Identity.Client/Extensibility/ConfidentialClientApplicationBuilderExtensions.cs
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Pull Request Overview
This PR introduces extensibility APIs for client credential flows, enabling dynamic certificate provisioning, custom retry logic for service failures, and execution observation. The changes support scenarios like certificate rotation from Azure Key Vault and custom telemetry collection.
- Dynamic certificate provider callback that's invoked before each token request
- Retry callback for handling service failures with custom logic
- Execution observer for tracking token acquisition results (success or failure)
Reviewed Changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 13 comments.
Show a summary per file
| File | Description |
|---|---|
src/client/Microsoft.Identity.Client/Extensibility/ClientCredentialExtensionParameters.cs |
New parameter class providing application context to extensibility callbacks |
src/client/Microsoft.Identity.Client/Extensibility/ExecutionResult.cs |
New result class containing either successful AuthenticationResult or exception |
src/client/Microsoft.Identity.Client/Extensibility/ConfidentialClientApplicationBuilderExtensions.cs |
Extension methods for WithCertificate, OnMsalServiceFailure, and OnSuccess |
src/client/Microsoft.Identity.Client/AppConfig/ApplicationConfiguration.cs |
Adds storage for three new extensibility callback properties |
src/client/Microsoft.Identity.Client/Internal/Requests/ClientCredentialRequest.cs |
Implements retry loop and callback invocation logic for token acquisition |
src/client/Microsoft.Identity.Client/Internal/ClientCredential/CertificateAndClaimsClientCredential.cs |
Adds dynamic certificate resolution via provider callback |
src/client/Microsoft.Identity.Client/ApiConfig/AbstractConfidentialClientAcquireTokenParameterBuilder.cs |
Updates validation to allow dynamic certificate provider |
src/client/Microsoft.Identity.Client/MsalError.cs |
Adds error constant for invalid client credential configuration |
tests/Microsoft.Identity.Test.Unit/PublicApiTests/ConfidentialClientApplicationExtensibilityTests.cs |
Comprehensive integration tests for all three extensibility points |
tests/Microsoft.Identity.Test.Unit/AppConfigTests/ConfidentialClientApplicationExtensibilityApiTests.cs |
Unit tests for builder API and configuration storage |
src/client/Microsoft.Identity.Client/PublicApi/*/PublicAPI.Unshipped.txt |
Documents new public API surface for all target frameworks |
src/client/Microsoft.Identity.Client/Microsoft.Identity.Client.csproj |
Adds new extensibility files to project |
src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs |
Modifies exception handling pattern (appears unrelated to extensibility) |
...nt/Microsoft.Identity.Client/Extensibility/ConfidentialClientApplicationBuilderExtensions.cs
Show resolved
Hide resolved
src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs
Show resolved
Hide resolved
.../Microsoft.Identity.Client/Internal/ClientCredential/CertificateAndClaimsClientCredential.cs
Outdated
Show resolved
Hide resolved
...nt/Microsoft.Identity.Client/Extensibility/ConfidentialClientApplicationBuilderExtensions.cs
Show resolved
Hide resolved
...soft.Identity.Test.Unit/AppConfigTests/ConfidentialClientApplicationExtensibilityApiTests.cs
Show resolved
Hide resolved
...soft.Identity.Test.Unit/AppConfigTests/ConfidentialClientApplicationExtensibilityApiTests.cs
Show resolved
Hide resolved
...soft.Identity.Test.Unit/AppConfigTests/ConfidentialClientApplicationExtensibilityApiTests.cs
Show resolved
Hide resolved
...crosoft.Identity.Test.Unit/PublicApiTests/ConfidentialClientApplicationExtensibilityTests.cs
Outdated
Show resolved
Hide resolved
src/client/Microsoft.Identity.Client/Internal/Requests/ClientCredentialRequest.cs
Show resolved
Hide resolved
src/client/Microsoft.Identity.Client/Internal/Requests/ClientCredentialRequest.cs
Show resolved
Hide resolved
Co-authored-by: Copilot <[email protected]>
src/client/Microsoft.Identity.Client/Internal/Requests/ClientCredentialRequest.cs
Show resolved
Hide resolved
| } | ||
|
|
||
| [TestMethod] | ||
| public void WithCertificate_AllowsMultipleCallbackRegistrations_LastOneWins() |
There was a problem hiding this comment.
Is this how the rest of the APIs currently work? If you call WithCertificate multiple times, it just overwrites?
There was a problem hiding this comment.
Right now that is how it is. The test case was generated by copilot. I am going to propose another PR that will validate and throw if the cert is being set twice. Or if the dynamic cert is used then avoid static cert.
src/client/Microsoft.Identity.Client/Extensibility/ClientCredentialExtensionParameters.cs
Outdated
Show resolved
Hide resolved
…D/microsoft-authentication-library-for-dotnet into nebharg/certExtensibility
src/client/Microsoft.Identity.Client/Internal/Requests/ClientCredentialRequest.cs
Outdated
Show resolved
Hide resolved
...icrosoft.Identity.Client/ApiConfig/AbstractConfidentialClientAcquireTokenParameterBuilder.cs
Show resolved
Hide resolved
src/client/Microsoft.Identity.Client/AppConfig/AssertionRequestOptions.cs
Outdated
Show resolved
Hide resolved
src/client/Microsoft.Identity.Client/AppConfig/ApplicationConfiguration.cs
Outdated
Show resolved
Hide resolved
| /// <summary> | ||
| /// Success callback that receives the result of token acquisition attempts (typically successful, but can include failures after retries are exhausted). | ||
| /// </summary> | ||
| public Func<AssertionRequestOptions, ExecutionResult, Task> OnSuccessCallback { get; set; } |
There was a problem hiding this comment.
Do we need this ExecutionResult object? It seems to me that OnMsalServiceFailure takes care of the error sceanrio. And so this can be Func<AssertionRequestOptions, AuthenticationResult> OnTokenAcquisitionSuccess
There was a problem hiding this comment.
No, the OnMsalServiceFailure wll only handle the exceptions defined in the callback. There can be other exceptions as well that can be thrown.
There was a problem hiding this comment.
Keeping the executionResult as is. Also sending back the cert used
.../Microsoft.Identity.Client/Internal/ClientCredential/CertificateAndClaimsClientCredential.cs
Outdated
Show resolved
Hide resolved
| // Log the incoming request parameters for diagnostic purposes | ||
| requestParameters.RequestContext.Logger.Verbose(() => $"Building assertion from certificate with clientId: {clientId} at endpoint: {tokenEndpoint}"); | ||
|
|
||
| if (requestParameters.MtlsCertificate == null) |
There was a problem hiding this comment.
This is fine for Bearer tokens, but it is going to require a bit of work for mTLS POP tokens, which is an important scenario.
In case of MTLS POP tokens, the certificate is used to talk to Entra via mTLS.
I recommend you use a follow-up PR to address this sceanrio. There are integration tests for mtls POP.
There was a problem hiding this comment.
Dynamic cert for the MTLS POP as well?
There was a problem hiding this comment.
Discussed offline. This will go in another iteration.
bgavrilMS
left a comment
bgavrilMS
left a comment
There was a problem hiding this comment.
TenantId is probably not correctly set, as it can be overridden
Fixes #5568
Changes proposed in this request
Testing
Performance impact
Documentation