@gladjohn
Contributor

Fixes #5633

Changes proposed in this request
This pull request introduces support for implicit mTLS (Mutual TLS) transport for client assertion delegates, enhances the handling of mTLS and PoP (Proof of Possession) scenarios, and improves error messaging for regional configuration requirements. The main changes ensure that mTLS is properly requested and validated when using client assertion delegates that can return a TokenBindingCertificate, and that regional endpoints are enforced for mTLS bearer scenarios. Additionally, the codebase is updated to consistently use the new IsMtlsRequested property for mTLS logic and error handling.

mTLS and PoP Handling Improvements

  • Added logic to implicitly request mTLS when a client assertion delegate returns a TokenBindingCertificate, even if PoP is not explicitly requested. This ensures mTLS transport is used for bearer tokens when needed and enforces Azure region configuration for these scenarios.
  • Introduced IsMtlsRequested property to AcquireTokenCommonParameters and propagated its usage throughout the codebase for more accurate mTLS detection and handling.

Client Assertion Delegate Enhancements

  • Updated ClientAssertionDelegateCredential and related builder methods to support a CanReturnTokenBindingCertificate flag, distinguishing between delegates that can provide mTLS certificates and those that cannot.

Error Handling and Messaging

  • Added a new error code and message (MsalError.MtlsBearerWithoutRegion) to clearly indicate when mTLS bearer authentication is attempted without specifying an Azure region, and surfaced this in the public API.

mTLS Detection in Discovery and Request Logic

  • Refactored discovery provider and request context logic to use IsMtlsRequested instead of checking for certificate presence directly, ensuring mTLS scenarios are consistently recognized in regional endpoint selection and host modification.

Token Caching for mTLS PoP

  • Updated token caching logic to ensure that cached tokens are only reused for mTLS PoP scenarios when both a certificate is present and PoP is explicitly requested.

Testing
Unit, integration (the integration test is skipped for now because ESTS is not ready).

Performance impact
None.

Documentation

  • All relevant documentation is updated.

@gladjohn gladjohn requested a review from a team as a code owner January 23, 2026 00:52
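The scenario this PR targets, as an added example that is not part of the PR or of MSAL.NET's own code: a confidential client whose client-assertion delegate returns a TokenBindingCertificate alongside the assertion, and therefore gets mTLS transport for a plain bearer request without calling any PoP API. The following API members are assumptions from the public MSAL.NET surface and are not verified against this PR: the `WithClientAssertion` overload whose delegate returns `Task<ClientSignedAssertion>`, the `ClientSignedAssertion.Assertion` and `.TokenBindingCertificate` properties, `AuthenticationResult.BindingCertificate`, `ManagedIdentityApplicationBuilder`, `WithMtlsProofOfPossession()` and `WithAzureRegion(...)`. `MsalError.MtlsBearerWithoutRegion` is the error code the PR introduces. The client ID, tenant ID and scope are constructed sample values.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class BoundFicBearerSample
{
    // Constructed sample values; replace with real ones.
    private const string ClientId = "00000000-0000-0000-0000-000000000000";
    private const string TenantId = "11111111-1111-1111-1111-111111111111";
    private static readonly string[] Scopes = { "https://graph.microsoft.com/.default" };

    // Audience for the federated identity credential exchange.
    private const string FicExchangeScope = "api://AzureADTokenExchange/.default";

    // Builds the confidential client. When configureRegion is false, the app is
    // misconfigured for the implicit-mTLS case and the request below is expected to
    // fail with MsalError.MtlsBearerWithoutRegion instead of silently falling back.
    public static IConfidentialClientApplication Build(bool configureRegion)
    {
        var builder = ConfidentialClientApplicationBuilder
            .Create(ClientId)
            .WithTenantId(TenantId)
            // Assumed overload: delegate returns ClientSignedAssertion rather than string.
            .WithClientAssertion(async (AssertionRequestOptions options, CancellationToken ct) =>
            {
                // Obtain a bound FIC assertion from the managed identity endpoint with
                // mTLS PoP, so the assertion is bound to a certificate MSAL hands back
                // (assumed AuthenticationResult.BindingCertificate).
                IManagedIdentityApplication mi = ManagedIdentityApplicationBuilder
                    .Create(ManagedIdentityId.SystemAssigned)
                    .Build();

                AuthenticationResult fic = await mi
                    .AcquireTokenForManagedIdentity(FicExchangeScope)
                    .WithMtlsProofOfPossession()
                    .ExecuteAsync(ct);

                // Returning the certificate here is what makes MSAL request mTLS
                // transport for the token call, even though the caller below never
                // asks for PoP.
                return new ClientSignedAssertion
                {
                    Assertion = fic.AccessToken,
                    TokenBindingCertificate = fic.BindingCertificate
                };
            });

        if (configureRegion)
        {
            // mTLS endpoints are regional; the PR enforces this for bearer + mTLS.
            builder = builder.WithAzureRegion(ConfidentialClientApplication.AttemptRegionDiscovery);
        }

        return builder.Build();
    }

    // Plain bearer request: no WithMtlsProofOfPossession() here. The transport is
    // still mTLS because the delegate returned a TokenBindingCertificate.
    public static async Task<string> GetBearerTokenAsync(IConfidentialClientApplication app, CancellationToken ct)
    {
        try
        {
            AuthenticationResult result = await app.AcquireTokenForClient(Scopes).ExecuteAsync(ct);
            return result.AccessToken;
        }
        catch (MsalClientException ex) when (ex.ErrorCode == MsalError.MtlsBearerWithoutRegion)
        {
            // Surface the PR's new error as a configuration problem rather than a
            // generic auth failure, so operators fix the region setting.
            throw new InvalidOperationException(
                "The client assertion delegate returned a TokenBindingCertificate, which requires mTLS; " +
                "configure WithAzureRegion(...) on the confidential client.", ex);
        }
    }

    public static async Task Main()
    {
        IConfidentialClientApplication app = Build(configureRegion: true);
        string token = await GetBearerTokenAsync(app, CancellationToken.None);
        Console.WriteLine($"Bearer token length: {token.Length}");
    }
}
```

Two behaviours described in the PR are visible here: the `AcquireTokenForClient` call never requests PoP, yet the presence of the binding certificate alone drives mTLS, and building with `configureRegion: false` is the condition under which `MsalError.MtlsBearerWithoutRegion` is raised. Because the cache-reuse rule in the PR requires both a certificate and an explicit PoP request for mTLS PoP tokens, a token obtained through this bearer path is not served from the mTLS PoP cache entry.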
Successfully merging this pull request may close these issues.

[Feature Request] Add Bearer support for Bound FIC