ImdsV2: Integrated .WithMtlsProofOfPossession (#5490)

Robbie-Microsoft · web-flow · commit 0897cce29834 · 2025-09-19T16:08:53.000-04:00
diff --git a/src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenForManagedIdentityParameters.cs b/src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenForManagedIdentityParameters.cs
@@ -20,6 +20,8 @@ internal class AcquireTokenForManagedIdentityParameters : IAcquireTokenParameter
 
         public string RevokedTokenHash { get; set; }
 
+        public bool IsMtlsPopRequested { get; set; }
+
         public void LogParameters(ILoggerAdapter logger)
         {
             if (logger.IsLoggingEnabled(LogLevel.Info))
diff --git a/src/client/Microsoft.Identity.Client/Internal/Requests/ManagedIdentityAuthRequest.cs b/src/client/Microsoft.Identity.Client/Internal/Requests/ManagedIdentityAuthRequest.cs
@@ -95,7 +95,7 @@ protected override async Task<AuthenticationResult> ExecuteAsync(CancellationTok
                 logger.Info("[ManagedIdentityRequest] Access token retrieved from cache.");
 
                 try
-                {  
+                {
                     var proactivelyRefresh = SilentRequestHelper.NeedsRefresh(cachedAccessTokenItem);
 
                     // If needed, refreshes token in the background
@@ -141,7 +141,7 @@ protected override async Task<AuthenticationResult> ExecuteAsync(CancellationTok
         }
 
         private async Task<AuthenticationResult> GetAccessTokenAsync(
-            CancellationToken cancellationToken, 
+            CancellationToken cancellationToken,
             ILoggerAdapter logger)
         {
             AuthenticationResult authResult;
@@ -161,7 +161,7 @@ private async Task<AuthenticationResult> GetAccessTokenAsync(
                 // 1) ForceRefresh is requested
                 // 2) Proactive refresh is in effect
                 // 3) Claims are present (revocation flow)
-                if (_managedIdentityParameters.ForceRefresh || 
+                if (_managedIdentityParameters.ForceRefresh ||
                     AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo == CacheRefreshReason.ProactivelyRefreshed ||
                     !string.IsNullOrEmpty(_managedIdentityParameters.Claims))
                 {
@@ -198,6 +198,8 @@ private async Task<AuthenticationResult> SendTokenRequestForManagedIdentityAsync
 
             await ResolveAuthorityAsync().ConfigureAwait(false);
 
+            _managedIdentityParameters.IsMtlsPopRequested = AuthenticationRequestParameters.IsMtlsPopRequested;
+
             ManagedIdentityResponse managedIdentityResponse =
                 await _managedIdentityClient
                 .SendTokenRequestForManagedIdentityAsync(AuthenticationRequestParameters.RequestContext, _managedIdentityParameters, cancellationToken)
diff --git a/src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs b/src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs
@@ -31,9 +31,11 @@ internal abstract class AbstractManagedIdentity
 
         protected readonly RequestContext _requestContext;
 
+        protected bool _isMtlsPopRequested;
+
         internal const string TimeoutError = "[Managed Identity] Authentication unavailable. The request to the managed identity endpoint timed out.";
         internal readonly ManagedIdentitySource _sourceType;
-        
+
         protected AbstractManagedIdentity(RequestContext requestContext, ManagedIdentitySource sourceType)
         {
             _requestContext = requestContext;
@@ -55,6 +57,8 @@ public virtual async Task<ManagedIdentityResponse> AuthenticateAsync(
             // Convert the scopes to a resource string.
             string resource = parameters.Resource;
 
+            _isMtlsPopRequested = parameters.IsMtlsPopRequested;
+
             ManagedIdentityRequest request = await CreateRequestAsync(resource).ConfigureAwait(false);
 
             // Automatically add claims / capabilities if this MI source supports them
@@ -83,7 +87,7 @@ public virtual async Task<ManagedIdentityResponse> AuthenticateAsync(
                             logger: _requestContext.Logger,
                             doNotThrow: true,
                             mtlsCertificate: request.MtlsCertificate,
-                            validateServerCertificate: GetValidationCallback(), 
+                            validateServerCertificate: GetValidationCallback(),
                             cancellationToken: cancellationToken,
                             retryPolicy: retryPolicy).ConfigureAwait(false);
                 }
@@ -98,7 +102,7 @@ public virtual async Task<ManagedIdentityResponse> AuthenticateAsync(
                             logger: _requestContext.Logger,
                             doNotThrow: true,
                             mtlsCertificate: request.MtlsCertificate,
-                            validateServerCertificate: GetValidationCallback(), 
+                            validateServerCertificate: GetValidationCallback(),
                             cancellationToken: cancellationToken,
                             retryPolicy: retryPolicy)
                         .ConfigureAwait(false);
@@ -172,8 +176,8 @@ protected ManagedIdentityResponse GetSuccessfulResponse(HttpResponse response)
                 throw exception;
             }
 
-            if (managedIdentityResponse == null || 
-                managedIdentityResponse.AccessToken.IsNullOrEmpty() || 
+            if (managedIdentityResponse == null ||
+                managedIdentityResponse.AccessToken.IsNullOrEmpty() ||
                 managedIdentityResponse.ExpiresOn.IsNullOrEmpty())
             {
                 _requestContext.Logger.Error("[Managed Identity] Response is either null or insufficient for authentication.");
diff --git a/src/client/Microsoft.Identity.Client/ManagedIdentity/V2/ImdsV2ManagedIdentitySource.cs b/src/client/Microsoft.Identity.Client/ManagedIdentity/V2/ImdsV2ManagedIdentitySource.cs
@@ -259,7 +259,7 @@ protected override async Task<ManagedIdentityRequest> CreateRequestAsync(string
 
             var keyInfo = await _requestContext.ServiceBundle.PlatformProxy.ManagedIdentityKeyProvider
                 .GetOrCreateKeyAsync(_requestContext.Logger, _requestContext.UserCancellationToken).ConfigureAwait(false);
-            
+
             var (csr, privateKey) = _requestContext.ServiceBundle.Config.CsrFactory.Generate(keyInfo.Key, csrMetadata.ClientId, csrMetadata.TenantId, csrMetadata.CuId);
 
             var certificateRequestResponse = await ExecuteCertificateRequestAsync(csr).ConfigureAwait(false);
@@ -280,10 +280,12 @@ protected override async Task<ManagedIdentityRequest> CreateRequestAsync(string
             request.Headers.Add(ThrottleCommon.ThrottleRetryAfterHeaderName, ThrottleCommon.ThrottleRetryAfterHeaderValue);
             request.Headers.Add(OAuth2Header.RequestCorrelationIdInResponse, "true");
 
+            var tokenType = _isMtlsPopRequested ? "mtls_pop" : "bearer";
+
             request.BodyParameters.Add("client_id", certificateRequestResponse.ClientId);
             request.BodyParameters.Add("grant_type", OAuth2GrantType.ClientCredentials);
             request.BodyParameters.Add("scope", "https://management.azure.com/.default");
-            request.BodyParameters.Add("token_type", "bearer");
+            request.BodyParameters.Add("token_type", tokenType);
 
             request.RequestType = RequestType.STS;
 
diff --git a/tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHelpers.cs b/tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHelpers.cs
@@ -122,7 +122,10 @@ public static string GetBridgedHybridSpaTokenResponse(string spaAccountId)
             ",\"id_token_expires_in\":\"3600\"}";
         }
 
-        public static string GetMsiSuccessfulResponse(int expiresInHours = 1, bool useIsoFormat = false)
+        public static string GetMsiSuccessfulResponse(
+            int expiresInHours = 1,
+            bool useIsoFormat = false,
+            bool mTLSPop = false)
         {
             string expiresOn;
 
@@ -137,9 +140,11 @@ public static string GetMsiSuccessfulResponse(int expiresInHours = 1, bool useIs
                 expiresOn = DateTimeHelpers.DateTimeToUnixTimestamp(DateTime.UtcNow.AddHours(expiresInHours));
             }
 
+            var tokenType = mTLSPop ? "mtls_pop" : "Bearer";
+
             return
-          "{\"access_token\":\"" + TestConstants.ATSecret + "\",\"expires_on\":\"" + expiresOn + "\",\"resource\":\"https://management.azure.com/\",\"token_type\":" +
-          "\"Bearer\",\"client_id\":\"client_id\"}";
+                "{\"access_token\":\"" + TestConstants.ATSecret + "\",\"expires_on\":\"" + expiresOn + "\",\"resource\":\"https://management.azure.com/\"," +
+                "\"token_type\":\"" + tokenType + "\",\"client_id\":\"client_id\"}";
         }
 
         public static string GetMsiErrorBadJson()
@@ -725,7 +730,7 @@ public static MockHttpMessageHandler MockImdsV2EntraTokenRequestResponse(
                 PresentRequestHeaders = presentRequestHeaders,
                 ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK)
                 {
-                    Content = new StringContent(GetMsiSuccessfulResponse()),
+                    Content = new StringContent(GetMsiSuccessfulResponse(mTLSPop: mTLSPop)),
                 }
             };
 
diff --git a/tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/ImdsV2Tests.cs b/tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/ImdsV2Tests.cs
@@ -12,6 +12,7 @@
 using Microsoft.Identity.Client.ManagedIdentity;
 using Microsoft.Identity.Client.ManagedIdentity.KeyProviders;
 using Microsoft.Identity.Client.ManagedIdentity.V2;
+using Microsoft.Identity.Client.MtlsPop;
 using Microsoft.Identity.Client.PlatformsCommon.Shared;
 using Microsoft.Identity.Test.Common.Core.Mocks;
 using Microsoft.Identity.Test.Unit.Helpers;
@@ -34,7 +35,7 @@ public class ImdsV2Tests : TestBase
             enablePiiLogging: false
         );
         public const string Bearer = "Bearer";
-        public const string MTLSPoP = "MTLSPoP";
+        public const string MTLSPoP = "mtls_pop";
 
         private void AddMocksToGetEntraToken(
             MockHttpManager httpManager,
@@ -256,26 +257,28 @@ public async Task mTLSPopTokenHappyPath(
             {
                 var managedIdentityApp = await CreateManagedIdentityAsync(httpManager, userAssignedIdentityId, userAssignedId).ConfigureAwait(false);
 
-                AddMocksToGetEntraToken(httpManager, userAssignedIdentityId, userAssignedId/*, mTLSPop: true*/); // TODO: implement mTLS Pop
+                AddMocksToGetEntraToken(httpManager, userAssignedIdentityId, userAssignedId, mTLSPop: true);
 
                 var result = await managedIdentityApp.AcquireTokenForManagedIdentity(ManagedIdentityTests.Resource)
-                    // .WithMtlsProofOfPossession() // TODO: implement mTLS Pop
+                    .WithMtlsProofOfPossession()
                     .ExecuteAsync().ConfigureAwait(false);
 
                 Assert.IsNotNull(result);
                 Assert.IsNotNull(result.AccessToken);
-                // Assert.AreEqual(result.TokenType, MTLSPoP);  // TODO: implement mTLS Pop
-                // Assert.IsNotNull(result.BindingCertificate); // TODO: implement mTLS Pop
+                Assert.AreEqual(result.TokenType, MTLSPoP);
+                // Assert.IsNotNull(result.BindingCertificate); // TODO: implement mTLS Pop BindingCertificate
                 Assert.AreEqual(TokenSource.IdentityProvider, result.AuthenticationResultMetadata.TokenSource);
 
-                result = await managedIdentityApp.AcquireTokenForManagedIdentity(ManagedIdentityTests.Resource)
+                // TODO: broken until Gladwin's PR is merged in
+                /*result = await managedIdentityApp.AcquireTokenForManagedIdentity(ManagedIdentityTests.Resource)
+                    .WithMtlsProofOfPossession()
                     .ExecuteAsync().ConfigureAwait(false);
 
                 Assert.IsNotNull(result);
                 Assert.IsNotNull(result.AccessToken);
-                // Assert.AreEqual(result.TokenType, MTLSPoP);  // TODO: implement mTLS Pop
-                // Assert.IsNotNull(result.BindingCertificate); // TODO: implement mTLS Pop
-                Assert.AreEqual(TokenSource.Cache, result.AuthenticationResultMetadata.TokenSource);
+                Assert.AreEqual(result.TokenType, MTLSPoP);
+                // Assert.IsNotNull(result.BindingCertificate); // TODO: implement mTLS Pop BindingCertificate
+                Assert.AreEqual(TokenSource.Cache, result.AuthenticationResultMetadata.TokenSource);*/
             }
         }
 
@@ -293,53 +296,55 @@ public async Task mTLSPopTokenTokenIsPerIdentity(
                 #region Identity 1
                 var managedIdentityApp = await CreateManagedIdentityAsync(httpManager, userAssignedIdentityId, userAssignedId).ConfigureAwait(false);
 
-                AddMocksToGetEntraToken(httpManager, userAssignedIdentityId, userAssignedId/*, mTLSPop: true*/); // TODO: implement mTLS Pop
+                AddMocksToGetEntraToken(httpManager, userAssignedIdentityId, userAssignedId, mTLSPop: true);
 
                 var result = await managedIdentityApp.AcquireTokenForManagedIdentity(ManagedIdentityTests.Resource)
-                    // .WithMtlsProofOfPossession() // TODO: implement mTLS Pop
+                    .WithMtlsProofOfPossession()
                     .ExecuteAsync().ConfigureAwait(false);
 
                 Assert.IsNotNull(result);
                 Assert.IsNotNull(result.AccessToken);
-                // Assert.AreEqual(result.TokenType, MTLSPoP);  // TODO: implement mTLS Pop
-                // Assert.IsNotNull(result.BindingCertificate); // TODO: implement mTLS Pop
+                Assert.AreEqual(result.TokenType, MTLSPoP);
+                // Assert.IsNotNull(result.BindingCertificate); // TODO: implement mTLS Pop BindingCertificate
                 Assert.AreEqual(TokenSource.IdentityProvider, result.AuthenticationResultMetadata.TokenSource);
 
-                result = await managedIdentityApp.AcquireTokenForManagedIdentity(ManagedIdentityTests.Resource)
-                    // .WithMtlsProofOfPossession() // TODO: implement mTLS Pop
+                // TODO: broken until Gladwin's PR is merged in
+                /*result = await managedIdentityApp.AcquireTokenForManagedIdentity(ManagedIdentityTests.Resource)
+                    .WithMtlsProofOfPossession()
                     .ExecuteAsync().ConfigureAwait(false);
 
                 Assert.IsNotNull(result);
                 Assert.IsNotNull(result.AccessToken);
-                // Assert.AreEqual(result.TokenType, MTLSPoP);  // TODO: implement mTLS Pop
-                // Assert.IsNotNull(result.BindingCertificate); // TODO: implement mTLS Pop
-                Assert.AreEqual(TokenSource.Cache, result.AuthenticationResultMetadata.TokenSource);
+                Assert.AreEqual(result.TokenType, MTLSPoP);
+                // Assert.IsNotNull(result.BindingCertificate); // TODO: implement mTLS Pop BindingCertificate
+                Assert.AreEqual(TokenSource.Cache, result.AuthenticationResultMetadata.TokenSource);*/
                 #endregion Identity 1
 
                 #region Identity 2
                 var managedIdentityApp2 = await CreateManagedIdentityAsync(httpManager, userAssignedIdentityId, userAssignedId, addProbeMock: false, addSourceCheck: false).ConfigureAwait(false); // source is already cached
 
-                AddMocksToGetEntraToken(httpManager, userAssignedIdentityId, userAssignedId/*, mTLSPop: true*/); // TODO: implement mTLS Pop
+                AddMocksToGetEntraToken(httpManager, userAssignedIdentityId, userAssignedId, mTLSPop: true);
 
                 var result2 = await managedIdentityApp2.AcquireTokenForManagedIdentity(ManagedIdentityTests.Resource)
-                    // .WithMtlsProofOfPossession() // TODO: implement mTLS Pop
+                    .WithMtlsProofOfPossession()
                     .ExecuteAsync().ConfigureAwait(false);
 
                 Assert.IsNotNull(result2);
                 Assert.IsNotNull(result2.AccessToken);
-                // Assert.AreEqual(result.TokenType, MTLSPoP);  // TODO: implement mTLS Pop
-                // Assert.IsNotNull(result.BindingCertificate); // TODO: implement mTLS Pop
+                Assert.AreEqual(result.TokenType, MTLSPoP);
+                // Assert.IsNotNull(result.BindingCertificate); // TODO: implement mTLS Pop BindingCertificate
                 Assert.AreEqual(TokenSource.IdentityProvider, result2.AuthenticationResultMetadata.TokenSource);
 
-                result2 = await managedIdentityApp2.AcquireTokenForManagedIdentity(ManagedIdentityTests.Resource)
-                    // .WithMtlsProofOfPossession() // TODO: implement mTLS Pop
+                // TODO: broken until Gladwin's PR is merged in
+                /*result2 = await managedIdentityApp2.AcquireTokenForManagedIdentity(ManagedIdentityTests.Resource)
+                    .WithMtlsProofOfPossession()
                     .ExecuteAsync().ConfigureAwait(false);
 
                 Assert.IsNotNull(result2);
                 Assert.IsNotNull(result2.AccessToken);
-                // Assert.AreEqual(result.TokenType, MTLSPoP);  // TODO: implement mTLS Pop
-                // Assert.IsNotNull(result.BindingCertificate); // TODO: implement mTLS Pop
-                Assert.AreEqual(TokenSource.Cache, result2.AuthenticationResultMetadata.TokenSource);
+                Assert.AreEqual(result.TokenType, MTLSPoP);
+                // Assert.IsNotNull(result.BindingCertificate); // TODO: implement mTLS Pop BindingCertificate
+                Assert.AreEqual(TokenSource.Cache, result2.AuthenticationResultMetadata.TokenSource);*/
                 #endregion Identity 2
 
                 // TODO: Assert.AreEqual(CertificateCache.Count, 2);
@@ -359,30 +364,30 @@ public async Task mTLSPopTokenIsReAcquiredWhenCertificatIsExpired(
             {
                 var managedIdentityApp = await CreateManagedIdentityAsync(httpManager, userAssignedIdentityId, userAssignedId).ConfigureAwait(false);
 
-                AddMocksToGetEntraToken(httpManager, userAssignedIdentityId, userAssignedId, TestConstants.ExpiredRawCertificate/*, mTLSPop: true*/); // TODO: implement mTLS Pop
+                AddMocksToGetEntraToken(httpManager, userAssignedIdentityId, userAssignedId, TestConstants.ExpiredRawCertificate, mTLSPop: true);
 
                 var result = await managedIdentityApp.AcquireTokenForManagedIdentity(ManagedIdentityTests.Resource)
-                    // .WithMtlsProofOfPossession() // TODO: implement mTLS Pop
+                    .WithMtlsProofOfPossession()
                     .ExecuteAsync().ConfigureAwait(false);
 
                 Assert.IsNotNull(result);
                 Assert.IsNotNull(result.AccessToken);
-                // Assert.AreEqual(result.TokenType, MTLSPoP);  // TODO: implement mTLS Pop
-                // Assert.IsNotNull(result.BindingCertificate); // TODO: implement mTLS Pop
+                Assert.AreEqual(result.TokenType, MTLSPoP);
+                // Assert.IsNotNull(result.BindingCertificate); // TODO: implement mTLS Pop BindingCertificate
                 Assert.AreEqual(TokenSource.IdentityProvider, result.AuthenticationResultMetadata.TokenSource);
 
                 // TODO: Add functionality to check cert expiration in the cache
                 /**
-                AddMocksToGetEntraToken(httpManager, userAssignedIdentityId, userAssignedId, // mTLSPop: true);  // TODO: implement mTLS Pop
+                AddMocksToGetEntraToken(httpManager, userAssignedIdentityId, userAssignedId, mTLSPop: true);
 
                 result = await managedIdentityApp.AcquireTokenForManagedIdentity(ManagedIdentityTests.Resource)
-                    // .WithMtlsProofOfPossession() // TODO: implement mTLS Pop
+                    .WithMtlsProofOfPossession()
                     .ExecuteAsync().ConfigureAwait(false);
 
                 Assert.IsNotNull(result);
                 Assert.IsNotNull(result.AccessToken);
-                // Assert.AreEqual(result.TokenType, MTLSPoP);  // TODO: implement mTLS Pop
-                // Assert.IsNotNull(result.BindingCertificate); // TODO: implement mTLS Pop
+                Assert.AreEqual(result.TokenType, MTLSPoP);
+                // Assert.IsNotNull(result.BindingCertificate); // TODO: implement mTLS Pop BindingCertificate
                 Assert.AreEqual(TokenSource.IdentityProvider, result.AuthenticationResultMetadata.TokenSource);
 
                 Assert.AreEqual(CertificateCache.Count, 1); // expired cert was removed from the cache
@@ -484,7 +489,7 @@ public void TestCsrGeneration_OnlyVmId()
             {
                 VmId = TestConstants.VmId
             };
-            
+
             var rsa = InMemoryManagedIdentityKeyProvider.CreateRsaKeyPair();
             var (csr, _) = Csr.Generate(rsa, TestConstants.ClientId, TestConstants.TenantId, cuid);
             CsrValidator.ValidateCsrContent(csr, TestConstants.ClientId, TestConstants.TenantId, cuid);
diff --git a/tests/Microsoft.Identity.Test.Unit/Microsoft.Identity.Test.Unit.csproj b/tests/Microsoft.Identity.Test.Unit/Microsoft.Identity.Test.Unit.csproj

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,8 @@ internal class AcquireTokenForManagedIdentityParameters : IAcquireTokenParameter`
`20`	`20`
`21`	`21`	`public string RevokedTokenHash { get; set; }`
`22`	`22`
	`23`	`+ public bool IsMtlsPopRequested { get; set; }`
	`24`	`+`
`23`	`25`	`public void LogParameters(ILoggerAdapter logger)`
`24`	`26`	`{`
`25`	`27`	`if (logger.IsLoggingEnabled(LogLevel.Info))`
Original file line number	Diff line number	Diff line change
`@@ -122,7 +122,10 @@ public static string GetBridgedHybridSpaTokenResponse(string spaAccountId)`
`122`	`122`	`",\"id_token_expires_in\":\"3600\"}";`
`123`	`123`	`}`
`124`	`124`
`125`		`- public static string GetMsiSuccessfulResponse(int expiresInHours = 1, bool useIsoFormat = false)`
	`125`	`+ public static string GetMsiSuccessfulResponse(`
	`126`	`+ int expiresInHours = 1,`
	`127`	`+ bool useIsoFormat = false,`
	`128`	`+ bool mTLSPop = false)`
`126`	`129`	`{`
`127`	`130`	`string expiresOn;`
`128`	`131`
`@@ -137,9 +140,11 @@ public static string GetMsiSuccessfulResponse(int expiresInHours = 1, bool useIs`
`137`	`140`	`expiresOn = DateTimeHelpers.DateTimeToUnixTimestamp(DateTime.UtcNow.AddHours(expiresInHours));`
`138`	`141`	`}`
`139`	`142`
	`143`	`+ var tokenType = mTLSPop ? "mtls_pop" : "Bearer";`
	`144`	`+`
`140`	`145`	`return`
`141`		`- "{\"access_token\":\"" + TestConstants.ATSecret + "\",\"expires_on\":\"" + expiresOn + "\",\"resource\":\"https://management.azure.com/\",\"token_type\":" +`
`142`		`- "\"Bearer\",\"client_id\":\"client_id\"}";`
	`146`	`+ "{\"access_token\":\"" + TestConstants.ATSecret + "\",\"expires_on\":\"" + expiresOn + "\",\"resource\":\"https://management.azure.com/\"," +`
	`147`	`+ "\"token_type\":\"" + tokenType + "\",\"client_id\":\"client_id\"}";`
`143`	`148`	`}`
`144`	`149`
`145`	`150`	`public static string GetMsiErrorBadJson()`
`@@ -725,7 +730,7 @@ public static MockHttpMessageHandler MockImdsV2EntraTokenRequestResponse(`
`725`	`730`	`PresentRequestHeaders = presentRequestHeaders,`
`726`	`731`	`ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK)`
`727`	`732`	`{`
`728`		`- Content = new StringContent(GetMsiSuccessfulResponse()),`
	`733`	`+ Content = new StringContent(GetMsiSuccessfulResponse(mTLSPop: mTLSPop)),`
`729`	`734`	`}`
`730`	`735`	`};`
`731`	`736`