Add CorrelationId to AssertionRequestOptions for FIC (#5937)

gladjohn · web-flow · commit b52967ed71af · 2026-04-21T08:32:33.000-07:00
* init

* fix
diff --git a/src/client/Microsoft.Identity.Client/ApiConfig/Parameters/MtlsPopParametersInitializer.cs b/src/client/Microsoft.Identity.Client/ApiConfig/Parameters/MtlsPopParametersInitializer.cs
@@ -124,6 +124,7 @@ private static AssertionRequestOptions CreateAssertionRequestOptions(
                 Claims = p.Claims,
                 CancellationToken = ct,
                 ClientAssertionFmiPath = p.ClientAssertionFmiPath,
+                CorrelationId = p.CorrelationId,
 
                 // Best-effort context. IMPORTANT: use AbsoluteUri, not Uri.Authority (host only).
                 TokenEndpoint = serviceBundle.Config.Authority.AuthorityInfo.CanonicalAuthority.AbsoluteUri
diff --git a/src/client/Microsoft.Identity.Client/AppConfig/AssertionRequestOptions.cs b/src/client/Microsoft.Identity.Client/AppConfig/AssertionRequestOptions.cs
@@ -1,6 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using System;
 using System.Collections.Generic;
 using System.Threading;
 
@@ -27,12 +28,14 @@ public AssertionRequestOptions()
         /// <param name="appConfig">The application configuration</param>
         /// <param name="tokenEndpoint">The token endpoint used to acquire the token</param>
         /// <param name="tenantId">The tenant ID from the runtime authority</param>
-        internal AssertionRequestOptions(ApplicationConfiguration appConfig, string tokenEndpoint, string tenantId)
+        /// <param name="correlationId">The correlation ID from the authentication request</param>
+        internal AssertionRequestOptions(ApplicationConfiguration appConfig, string tokenEndpoint, string tenantId, Guid correlationId = default)
         {
             ClientID = appConfig.ClientId;
             TokenEndpoint = tokenEndpoint;
             Authority = appConfig.Authority?.AuthorityInfo?.CanonicalAuthority?.ToString();
             TenantId = tenantId;
+            CorrelationId = correlationId;
         }
 
         /// <summary>
@@ -76,5 +79,11 @@ internal AssertionRequestOptions(ApplicationConfiguration appConfig, string toke
         /// FMI path to be used for client assertion. Tokens are associated with this path in the cache.
         /// </summary>
         public string ClientAssertionFmiPath { get; set; }
+
+        /// <summary>
+        /// Correlation ID of the authentication request. Use this to propagate the same correlation ID 
+        /// to downstream token requests (e.g., Managed Identity) for coherent end-to-end tracing.
+        /// </summary>
+        public Guid CorrelationId { get; set; }
     }
 }
diff --git a/src/client/Microsoft.Identity.Client/Internal/ClientCredential/CertificateAndClaimsClientCredential.cs b/src/client/Microsoft.Identity.Client/Internal/ClientCredential/CertificateAndClaimsClientCredential.cs
@@ -142,7 +142,8 @@ private async Task<X509Certificate2> ResolveCertificateAsync(
             var options = new AssertionRequestOptions(
                 requestParameters.AppConfig,
                 tokenEndpoint,
-                requestParameters.AuthorityManager.Authority.TenantId)
+                requestParameters.AuthorityManager.Authority.TenantId,
+                requestParameters.RequestContext.CorrelationId)
             {
                 Claims = requestParameters.Claims,
                 ClientCapabilities = requestParameters.AppConfig.ClientCapabilities,
diff --git a/src/client/Microsoft.Identity.Client/Internal/ClientCredential/ClientAssertionDelegateCredential.cs b/src/client/Microsoft.Identity.Client/Internal/ClientCredential/ClientAssertionDelegateCredential.cs
@@ -57,7 +57,8 @@ public async Task<ClientCredentialApplicationResult> AddConfidentialClientParame
                 TokenEndpoint = tokenEndpoint,
                 ClientCapabilities = p.RequestContext.ServiceBundle.Config.ClientCapabilities,
                 Claims = p.Claims,
-                ClientAssertionFmiPath = p.ClientAssertionFmiPath
+                ClientAssertionFmiPath = p.ClientAssertionFmiPath,
+                CorrelationId = p.RequestContext.CorrelationId
             };
 
             ClientSignedAssertion resp = await GetAssertionAsync(opts, ct).ConfigureAwait(false);
diff --git a/src/client/Microsoft.Identity.Client/Internal/ClientCredential/ClientAssertionStringDelegateCredential.cs b/src/client/Microsoft.Identity.Client/Internal/ClientCredential/ClientAssertionStringDelegateCredential.cs
@@ -41,7 +41,8 @@ public async Task<ClientCredentialApplicationResult> AddConfidentialClientParame
                 TokenEndpoint = tokenEndpoint,
                 ClientCapabilities = p.RequestContext.ServiceBundle.Config.ClientCapabilities,
                 Claims = p.Claims,
-                ClientAssertionFmiPath = p.ClientAssertionFmiPath
+                ClientAssertionFmiPath = p.ClientAssertionFmiPath,
+                CorrelationId = p.RequestContext.CorrelationId
             };
 
             string assertion = await _provider(opts, ct).ConfigureAwait(false);
diff --git a/src/client/Microsoft.Identity.Client/Internal/Requests/ClientCredentialRequest.cs b/src/client/Microsoft.Identity.Client/Internal/Requests/ClientCredentialRequest.cs
@@ -251,7 +251,8 @@ private async Task<bool> InvokeOnMsalServiceFailureCallbackAsync(
                 var options = new AssertionRequestOptions(
                     AuthenticationRequestParameters.AppConfig, 
                     tokenEndpoint,
-                    AuthenticationRequestParameters.AuthorityManager.Authority.TenantId);
+                    AuthenticationRequestParameters.AuthorityManager.Authority.TenantId,
+                    AuthenticationRequestParameters.RequestContext.CorrelationId);
                 
                 var executionResult = new ExecutionResult
                 {
@@ -299,7 +300,8 @@ private async Task InvokeOnCompletionCallbackAsync(
                 var options = new AssertionRequestOptions(
                     AuthenticationRequestParameters.AppConfig, 
                     tokenEndpoint,
-                    AuthenticationRequestParameters.AuthorityManager.Authority.TenantId);
+                    AuthenticationRequestParameters.AuthorityManager.Authority.TenantId,
+                    AuthenticationRequestParameters.RequestContext.CorrelationId);
                 
                 var executionResult = new ExecutionResult
                 {
diff --git a/src/client/Microsoft.Identity.Client/PublicApi/net462/PublicAPI.Unshipped.txt b/src/client/Microsoft.Identity.Client/PublicApi/net462/PublicAPI.Unshipped.txt
@@ -0,0 +1,2 @@
+Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.get -> System.Guid
+Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.set -> void
diff --git a/src/client/Microsoft.Identity.Client/PublicApi/net472/PublicAPI.Unshipped.txt b/src/client/Microsoft.Identity.Client/PublicApi/net472/PublicAPI.Unshipped.txt
@@ -0,0 +1,2 @@
+Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.get -> System.Guid
+Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.set -> void
diff --git a/src/client/Microsoft.Identity.Client/PublicApi/net8.0-android/PublicAPI.Unshipped.txt b/src/client/Microsoft.Identity.Client/PublicApi/net8.0-android/PublicAPI.Unshipped.txt
@@ -0,0 +1,2 @@
+Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.get -> System.Guid
+Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.set -> void
diff --git a/src/client/Microsoft.Identity.Client/PublicApi/net8.0-ios/PublicAPI.Unshipped.txt b/src/client/Microsoft.Identity.Client/PublicApi/net8.0-ios/PublicAPI.Unshipped.txt
@@ -0,0 +1,2 @@
+Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.get -> System.Guid
+Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.set -> void
diff --git a/src/client/Microsoft.Identity.Client/PublicApi/net8.0/PublicAPI.Unshipped.txt b/src/client/Microsoft.Identity.Client/PublicApi/net8.0/PublicAPI.Unshipped.txt
@@ -0,0 +1,2 @@
+Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.get -> System.Guid
+Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.set -> void
diff --git a/src/client/Microsoft.Identity.Client/PublicApi/netstandard2.0/PublicAPI.Unshipped.txt b/src/client/Microsoft.Identity.Client/PublicApi/netstandard2.0/PublicAPI.Unshipped.txt
@@ -0,0 +1,2 @@
+Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.get -> System.Guid
+Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.set -> void
diff --git a/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/Agentic.cs b/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/Agentic.cs
@@ -37,19 +37,31 @@ public async Task AgentGetsAppTokenForGraphTest()
 
         private static async Task AgentGetsAppTokenForGraph()
         {
+            Guid expectedCorrelationId = Guid.NewGuid();
+            Guid capturedCorrelationId = Guid.Empty;
+
             var cca = ConfidentialClientApplicationBuilder
                         .Create(AgentIdentity)
                         .WithAuthority("https://login.microsoftonline.com/", TenantId)
                         .WithCacheOptions(CacheOptions.EnableSharedCacheOptions)
                         .WithExperimentalFeatures(true)
-                        .WithClientAssertion((AssertionRequestOptions _) => GetAppCredentialAsync(AgentIdentity))
+                        .WithClientAssertion((AssertionRequestOptions options) =>
+                        {
+                            capturedCorrelationId = options.CorrelationId;
+                            return GetAppCredentialAsync(AgentIdentity);
+                        })
                         .Build();
 
             var result = await cca.AcquireTokenForClient([Scope])
+                .WithCorrelationId(expectedCorrelationId)
                 .ExecuteAsync()
                 .ConfigureAwait(false);
 
             Trace.WriteLine($"FMI app credential from : {result.AuthenticationResultMetadata.TokenSource}");
+
+            // Verify CorrelationId flowed to the assertion callback (Issue #5924)
+            Assert.AreEqual(expectedCorrelationId, capturedCorrelationId,
+                "CorrelationId from WithCorrelationId() must flow to the assertion callback.");
         }
 
         private static async Task AgentUserIdentityGetsTokenForGraphAsync()
diff --git a/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ClientCredentialsMtlsPopTests.cs b/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ClientCredentialsMtlsPopTests.cs
@@ -1,6 +1,7 @@
 ﻿// Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using System;
 using System.Linq;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading;
@@ -107,12 +108,15 @@ public async Task Sni_AssertionFlow_Uses_JwtPop_And_Succeeds_TestAsync()
             // Step 2: build the assertion-based app (NO WithCertificate here)
             bool assertionProviderCalled = false;
             string tokenEndpointSeenByProvider = null;
+            Guid correlationIdSeenByProvider = Guid.Empty;
 
             string requestUriSeen = null;
             string clientAssertionType = null;
             bool sawClientAssertionParam = false;
             bool sawClientAssertionTypeParam = false;
 
+            Guid expectedCorrelationId = Guid.NewGuid();
+
             IConfidentialClientApplication assertionApp = ConfidentialClientApplicationBuilder.Create(MsiAllowListedAppIdforSNI)
                 .WithExperimentalFeatures()
                 .WithAuthority("https://login.microsoftonline.com/bea21ebe-8b64-4d06-9f6d-6a889b120a7c")
@@ -121,6 +125,7 @@ public async Task Sni_AssertionFlow_Uses_JwtPop_And_Succeeds_TestAsync()
                 {
                     assertionProviderCalled = true;
                     tokenEndpointSeenByProvider = options.TokenEndpoint;
+                    correlationIdSeenByProvider = options.CorrelationId;
 
                     return Task.FromResult(new ClientSignedAssertion
                     {
@@ -135,6 +140,7 @@ public async Task Sni_AssertionFlow_Uses_JwtPop_And_Succeeds_TestAsync()
             AuthenticationResult second = await assertionApp
                 .AcquireTokenForClient(new[] { "https://vault.azure.net/.default" })
                 .WithMtlsProofOfPossession()
+                .WithCorrelationId(expectedCorrelationId)
                 .OnBeforeTokenRequest(data =>
                 {
                     requestUriSeen = data.RequestUri?.ToString();
@@ -173,6 +179,10 @@ public async Task Sni_AssertionFlow_Uses_JwtPop_And_Succeeds_TestAsync()
 
             // Optional: if you rely on regional mTLS endpoints, check the host
             StringAssert.Contains(requestUriSeen ?? "", "mtlsauth.microsoft.com");
+
+            // Verify CorrelationId flowed to the assertion callback (Issue #5924)
+            Assert.AreEqual(expectedCorrelationId, correlationIdSeenByProvider,
+                "CorrelationId from WithCorrelationId() must flow to the assertion callback for FIC two-leg tracing.");
         }
 
         //Downgraded test to verify bearer token acquisition works in SNI + jwt-pop scenario
diff --git a/tests/Microsoft.Identity.Test.Unit/PublicApiTests/ClientAssertionTests.cs b/tests/Microsoft.Identity.Test.Unit/PublicApiTests/ClientAssertionTests.cs
@@ -50,6 +50,7 @@ public async Task SignedAssertionDelegateClientCredential_NoClaims()
                         Assert.IsNull(options.ClientCapabilities);
                         Assert.IsNull(options.ClientAssertionFmiPath);
                         Assert.AreEqual(TestConstants.ClientId, options.ClientID);
+                        Assert.AreNotEqual(Guid.Empty, options.CorrelationId, "CorrelationId should be populated");
                         return await Task.FromResult("dummy_assertion").ConfigureAwait(false);
                     })
                     .BuildConcrete();
@@ -1051,6 +1052,71 @@ public async Task FmiPathClientAssertion_ClientSignedAssertionProvider_Preflight
             }
         }
 
+        [TestMethod]
+        public async Task CorrelationId_FlowsToSignedAssertionCallback_WithUserProvidedId()
+        {
+            using (var httpManager = new MockHttpManager())
+            {
+                httpManager.AddInstanceDiscoveryMockHandler();
+                httpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage();
+
+                Guid expectedCorrelationId = Guid.NewGuid();
+                Guid capturedCorrelationId = Guid.Empty;
+
+                var app = ConfidentialClientApplicationBuilder
+                    .Create(TestConstants.ClientId)
+                    .WithExperimentalFeatures(true)
+                    .WithHttpManager(httpManager)
+                    .WithClientAssertion((AssertionRequestOptions opts, CancellationToken ct) =>
+                    {
+                        capturedCorrelationId = opts.CorrelationId;
+                        return Task.FromResult(new ClientSignedAssertion { Assertion = "jwt" });
+                    })
+                    .BuildConcrete();
+
+                var result = await app.AcquireTokenForClient(TestConstants.s_scope)
+                    .WithCorrelationId(expectedCorrelationId)
+                    .ExecuteAsync()
+                    .ConfigureAwait(false);
+
+                Assert.IsNotNull(result);
+                Assert.AreEqual(expectedCorrelationId, capturedCorrelationId,
+                    "CorrelationId from WithCorrelationId() must flow to the assertion callback.");
+            }
+        }
+
+        [TestMethod]
+        public async Task CorrelationId_FlowsToStringAssertionCallback_WithUserProvidedId()
+        {
+            using (var httpManager = new MockHttpManager())
+            {
+                httpManager.AddInstanceDiscoveryMockHandler();
+                httpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage();
+
+                Guid expectedCorrelationId = Guid.NewGuid();
+                Guid capturedCorrelationId = Guid.Empty;
+
+                var app = ConfidentialClientApplicationBuilder
+                    .Create(TestConstants.ClientId)
+                    .WithHttpManager(httpManager)
+                    .WithClientAssertion(async (AssertionRequestOptions opts) =>
+                    {
+                        capturedCorrelationId = opts.CorrelationId;
+                        return await Task.FromResult("dummy_assertion").ConfigureAwait(false);
+                    })
+                    .BuildConcrete();
+
+                var result = await app.AcquireTokenForClient(TestConstants.s_scope)
+                    .WithCorrelationId(expectedCorrelationId)
+                    .ExecuteAsync()
+                    .ConfigureAwait(false);
+
+                Assert.IsNotNull(result);
+                Assert.AreEqual(expectedCorrelationId, capturedCorrelationId,
+                    "CorrelationId from WithCorrelationId() must flow to the string assertion callback.");
+            }
+        }
+
         #region Helper ---------------------------------------------------------------
         private static Func<AssertionRequestOptions, CancellationToken, Task<ClientSignedAssertion>>
         BearerDelegate(string jwt = "fake_jwt") =>
diff --git a/tests/Microsoft.Identity.Test.Unit/PublicApiTests/ConfidentialClientApplicationTests.cs b/tests/Microsoft.Identity.Test.Unit/PublicApiTests/ConfidentialClientApplicationTests.cs
@@ -1986,6 +1986,7 @@ public void AssertionInputIsMutable()
             options.TokenEndpoint = "https://login.microsoft.com/v2.0/token";
             options.CancellationToken = CancellationToken.None;
             options.Claims = TestConstants.Claims;
+            options.CorrelationId = Guid.NewGuid();
         }
 
         [TestMethod]

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.get -> System.Guid`
	`2`	`+Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.set -> void`