Skip to content

ImdsV2: Acquire Entra Token Over mTLS #5431

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 54 commits into from
Aug 29, 2025
Merged

ImdsV2: Acquire Entra Token Over mTLS #5431

merged 54 commits into from
Aug 29, 2025

Conversation

@Robbie-Microsoft
Copy link
Contributor

@Robbie-Microsoft Robbie-Microsoft commented Aug 8, 2025
edited
Loading

Finishing up the remainder of the flow for ImdsV2... this PR builds the request to acquire the entra token over mTLS.

@Robbie-Microsoft
Initial commit. 2 TODOs
5498968
@Robbie-Microsoft
Merge branch 'rginsburg/msiv2_feature_branch' into rginsburg/msiv2_csr
e04e408
@Robbie-Microsoft
Merge branch 'rginsburg/msiv2_feature_branch' into rginsburg/msiv2_csr
4e096b7
@Robbie-Microsoft
Implemented CSR generator
6bc2164
@Robbie-Microsoft
first pass at improved unit tests
762ccdf
@Robbie-Microsoft
Finished improving unit tests
4ea6c09
@Robbie-Microsoft
Updates to CUID
009f948
@Robbie-Microsoft
Unit test improvements
21d4ef3
@Robbie-Microsoft
Implemented Feedback
cd013a3
@Robbie-Microsoft
renamed file
480ae9e
@Robbie-Microsoft
small improvement
0aa8692
@Robbie-Microsoft
Initial implementation
de24670
@Robbie-Microsoft
added missing awaitor for async method
621c566
@Robbie-Microsoft
Merge branch 'rginsburg/msiv2_csr' into rginsburg/msiv2_acquire_entra…
07b7883 
…_token
@Robbie-Microsoft
Fixed bugs discovered from unit testing in child branch
068461b
@Robbie-Microsoft
Merge branch 'rginsburg/msiv2_csr' into rginsburg/msiv2_acquire_entra…
8a8439a 
…_token
@Robbie-Microsoft
undid changes to .proj
2034b25
@Robbie-Microsoft
Merge branch 'rginsburg/msiv2_csr' into rginsburg/msiv2_acquire_entra…
b415f99 
…_token
@Robbie-Microsoft
undid change to global.json
2b7486a
@Robbie-Microsoft
Merge branch 'rginsburg/msiv2_csr' into rginsburg/msiv2_acquire_entra…
a76d2fd 
…_token
@Robbie-Microsoft
started unit testing
310c467
@Robbie-Microsoft
added missing sets
189ff9e
@Robbie-Microsoft
Merge branch 'rginsburg/msiv2_csr' into rginsburg/msiv2_acquire_entra…
a98a5a8 
…_token
@Robbie-Microsoft
merged from parent branch
9345e99
@Robbie-Microsoft
undid changes to global.json
c72e61b
@Robbie-Microsoft Robbie-Microsoft marked this pull request as ready for review August 28, 2025 22:09
@Robbie-Microsoft Robbie-Microsoft requested a review from a team as a code owner August 28, 2025 22:09
@Robbie-Microsoft Robbie-Microsoft changed the title ImdsV2: Acquire Entra Token ImdsV2: Acquire Entra Token Over mTLS Aug 28, 2025
bgavrilMS
bgavrilMS reviewed Aug 29, 2025
View reviewed changes
src/client/Microsoft.Identity.Client/ManagedIdentity/V2/ImdsV2ManagedIdentitySource.cs Outdated
/// <exception cref="ArgumentNullException">Thrown when certificatePem or privateKey is null</exception>
/// <exception cref="ArgumentException">Thrown when certificatePem is not a valid PEM certificate</exception>
/// <exception cref="FormatException">Thrown when the certificate cannot be parsed</exception>
internal X509Certificate2 AttachPrivateKeyToCert(string certificatePem, RSA privateKey)
Copy link
Member

@bgavrilMS bgavrilMS Aug 29, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could move all this X509 related code to the existing CommonCryptographyManager

bgavrilMS
bgavrilMS approved these changes Aug 29, 2025
View reviewed changes
Copy link
Member

@bgavrilMS bgavrilMS left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved with comments

@Robbie-Microsoft Robbie-Microsoft merged commit ddc2117 into rginsburg/msiv2_feature_branch Aug 29, 2025
3 checks passed
@Robbie-Microsoft Robbie-Microsoft deleted the rginsburg/msiv2_acquire_entra_token branch August 29, 2025 22:02
gladjohn
gladjohn reviewed Sep 3, 2025
View reviewed changes
tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/ImdsV2Tests.cs
.ExecuteAsync().ConfigureAwait(false);

Assert.IsNotNull(result);
Assert.IsNotNull(result.AccessToken);
Copy link
Contributor

@gladjohn gladjohn Sep 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

overall looks good. can we also assert common headers we send to ESTS. which will contain correlation id MSAL version etc.

you can see the common headers being set here -

microsoft-authentication-library-for-dotnet/src/client/Microsoft.Identity.Client/OAuth2/OAuth2Client.cs

Line 232 in 7890844

{

and here are some existing tests -

microsoft-authentication-library-for-dotnet/tests/Microsoft.Identity.Test.Unit/CoreTests/OAuth2Tests/TokenResponseTests.cs

Line 28 in 7890844

new RequestContext(harness.ServiceBundle, Guid.NewGuid(), null), addCommonHeaders: true, onBeforePostRequestHandler: null);

Copy link
Contributor Author

@Robbie-Microsoft Robbie-Microsoft Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The example you pointed me to in the tests is not clear to me. Can you please show me exactly how you would check that the headers from MsalIdHelper.GetMsalIdParameters exist in the request in the unit test?

Copy link
Contributor

@gladjohn gladjohn Sep 4, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one way to check would be to run this test, (manual inspection)

Sni_Gets_Pop_Token_Successfully_TestAsync

And get the time stamp and correlation id from the logs

image

Then inspect MSAL related properties in LogsMiner.

And then you can debug that test and see where those headers are set.

Copy link
Contributor

@gladjohn gladjohn Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please show me exactly how you would check that the headers

For unit test, you can check the headers in the outgoing request. for e.g take a look at CertificateOverrideAsync test. it uses MockHttpMessageHandler to check for ActualRequestHeaders

Copy link
Contributor Author

@Robbie-Microsoft Robbie-Microsoft Sep 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is still very unclear to me

Copy link
Contributor Author

@Robbie-Microsoft Robbie-Microsoft Sep 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've found another way to check the headers. My PR is here: #5459

gladjohn
gladjohn reviewed Sep 3, 2025
View reviewed changes
tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/ImdsV2Tests.cs
.ExecuteAsync().ConfigureAwait(false);

Assert.IsNotNull(result);
Assert.IsNotNull(result.AccessToken);
Copy link
Contributor

@gladjohn gladjohn Sep 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we also ensure the mtls cert is being returned in the result

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gladjohn gladjohn gladjohn left review comments

@bgavrilMS bgavrilMS Awaiting requested review from bgavrilMS

Assignees

No one assigned

Labels

Feature Branch

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Robbie-Microsoft @bgavrilMS @gladjohn