Feature: mTLS ****** via CertificateOptions.SendCertificateOverMtls (#5849)

* initial

* Address review comments: remove dead appConfig, contradictory SendX5C

- Remove unused appConfig variable from both mTLS integration tests
- Remove contradictory SendX5C=true from mTLS Bearer test (SendCertificateOverMtls bypasses JWT assertion)
- Remove unnecessary SendX5C=true from PoP test (PoP overrides transport regardless)
- Resolve rebase conflicts with main (MsalError docs, PublicAPI files)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix MsalError doc to cover all InvalidCredentialMaterial scenarios

Restore mitigation text to include both WithCertificate() and
ClientSignedAssertion callback paths for mTLS Proof-of-Possession.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address Copilot review: fix namespace refs and nullable assertion

- Replace Client.AppConfig.CertificateOptions with properly imported
  CertificateOptions type (add using Microsoft.Identity.Client.AppConfig)
- Fix nullable bool? in Assert.IsTrue by adding ?? false coalescing

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address open review comments: clarify static-cert-only docs, error message, and add mTLS transport assertion

- MsalErrorMessage: explicitly state static WithCertificate(X509Certificate2) overload requirement
- CertificateOptions XML docs: clarify transport-only semantics (token type depends on request-level config)
- CertificateOptions XML docs: say 'static certificate overload only' instead of generic 'certificate credentials'
- Integration test: add mtlsauth endpoint assertion to verify mTLS transport path was taken

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address remaining review comments: add static-cert-only guard comment, improve cache test clarity

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address review: extract ValidateCertificate, remove dead null check and unused CT param, revert CHANGELOG

- CertificateAndClaimsClientCredential: extract shared ValidateCertificate() to eliminate duplication between ResolveCertificateForMtlsAsync and ResolveCertificateAsync
- CertificateAndClaimsClientCredential: remove unused CancellationToken param from ResolveCertificateForMtlsAsync (CT is already in AssertionRequestOptions)
- MtlsPopParametersInitializer: remove dead null check (ResolveCertificateForMtlsAsync already throws on null)
- MtlsPopParametersInitializer: clarify dynamic cert support in comments
- Revert CHANGELOG.md to match main

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* comment

---------

Co-authored-by: Gladwin Johnson <90415114+gladjohn@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

Author: 3 people

src/client/Microsoft.Identity.Client/ApiConfig/Parameters/MtlsPopParametersInitializer.cs

@@ -35,7 +35,11 @@ internal static async Task TryInitAsync(
 
         /// <summary>
         /// NON-PoP request:
-        /// We may still need mTLS transport if the credential can return a TokenBindingCertificate.
+        /// We may still need mTLS transport in two situations:
+        /// Case 1 – The app-level SendCertificateOverMtls option is set and the credential is certificate-based
+        ///          (both static <see cref="CertificateClientCredential"/> and dynamic
+        ///          <see cref="DynamicCertificateClientCredential"/> are supported).
+        /// Case 2 – The credential is a signed-assertion provider that returns a TokenBindingCertificate.
         /// </summary>
         private static async Task TryInitImplicitBearerOverMtlsAsync(
             AcquireTokenCommonParameters tokenParameters,
@@ -47,7 +51,20 @@ private static async Task TryInitImplicitBearerOverMtlsAsync(
                 return;
             }
 
-            // Only cert-capable credentials implement this capability interface.
+            // Case 1 – App opted into mTLS Bearer via SendCertificateOverMtls on a certificate-based credential.
+            if (serviceBundle.Config.CertificateOptions?.SendCertificateOverMtls == true &&
+                serviceBundle.Config.ClientCredential is CertificateAndClaimsClientCredential certBasedCred)
+            {
+                // Static credentials have Certificate set directly
+                tokenParameters.MtlsCertificate = certBasedCred.Certificate
+                    ?? await certBasedCred.ResolveCertificateForMtlsAsync(
+                           CreateAssertionRequestOptions(tokenParameters, serviceBundle, ct))
+                       .ConfigureAwait(false);
+
+                return;
+            }
+
+            // Case 2 – Only cert-capable credentials implement this capability interface.
             if (serviceBundle.Config.ClientCredential is IClientSignedAssertionProvider signedProvider)
             {
                 var opts = CreateAssertionRequestOptions(tokenParameters, serviceBundle, ct);

src/client/Microsoft.Identity.Client/AppConfig/ApplicationConfiguration.cs

@@ -125,6 +125,7 @@ public string ClientVersion
         public bool IsConfidentialClient { get; }
         public bool IsPublicClient => !IsConfidentialClient && !IsManagedIdentity;
         public string CertificateIdToAssociateWithToken { get; set; }
+        public CertificateOptions CertificateOptions { get; internal set; }
 
         public Func<AppTokenProviderParameters, Task<AppTokenProviderResult>> AppTokenProvider;
 

src/client/Microsoft.Identity.Client/AppConfig/CertificateOptions.cs

@@ -24,5 +24,30 @@ public record CertificateOptions
         /// by default it is set to <see langword="false"/> /></remarks>
         /// </summary>
         public bool AssociateTokensWithCertificate { get; init; } = false;
+
+        /// <summary>
+        /// Gets or sets a value indicating whether the certificate should be sent over mTLS
+        /// (TLS client certificate authentication) as the default transport for token requests.
+        /// When <see langword="true"/>, the certificate is sent in the TLS handshake instead of as a
+        /// JWT assertion in the request body. This controls transport only — the resulting token type
+        /// depends on request-level configuration: a plain request produces a Bearer token, while
+        /// <see cref="AcquireTokenForClientParameterBuilder.WithMtlsProofOfPossession"/> produces
+        /// an mTLS PoP token.
+        /// When <see langword="false"/> (default), the certificate is sent as a JWT assertion in the request body.
+        /// </summary>
+        /// <remarks>
+        /// <para>This property sets the default transport for requests that do not explicitly call
+        /// <see cref="AcquireTokenForClientParameterBuilder.WithMtlsProofOfPossession"/>.</para>
+        /// <para>Request-level <see cref="AcquireTokenForClientParameterBuilder.WithMtlsProofOfPossession"/>
+        /// always implies mTLS transport, regardless of this setting.</para>
+        /// <para>This option is supported with certificate-based credentials configured via
+        /// <see cref="ConfidentialClientApplicationBuilder.WithCertificate(System.Security.Cryptography.X509Certificates.X509Certificate2, CertificateOptions)"/>
+        /// (static certificate) or the dynamic certificate provider overload.
+        /// Non-certificate credentials will throw at build time.</para>
+        /// <para>When no Azure region is configured, requests are sent to the global mTLS endpoint.
+        /// When <see cref="ConfidentialClientApplicationBuilder.WithAzureRegion(string)"/> is also set,
+        /// requests are routed to the regional mTLS endpoint instead.</para>
+        /// </remarks>
+        public bool SendCertificateOverMtls { get; init; } = false;
     }
 }

src/client/Microsoft.Identity.Client/AppConfig/ConfidentialClientApplicationBuilder.cs

@@ -163,7 +163,8 @@ public ConfidentialClientApplicationBuilder WithCertificate(X509Certificate2 cer
 
             Config.ClientCredential = new CertificateClientCredential(certificate);
             Config.SendX5C = certificateOptions?.SendX5C ?? false;
-            
+            Config.CertificateOptions = certificateOptions;
+
             return this;
         }
 
@@ -476,6 +477,16 @@ internal override void Validate()
             }
 
             ValidateAndUpdateRegion();
+
+            // SendCertificateOverMtls is only supported with certificate-based credentials
+            // (both static WithCertificate(X509Certificate2, ...) and dynamic WithCertificate(Func<...>, ...)).
+            if (Config.CertificateOptions?.SendCertificateOverMtls == true
+                && Config.ClientCredential is not CertificateAndClaimsClientCredential)
+            {
+                throw new MsalClientException(
+                    MsalError.InvalidCredentialMaterial,
+                    MsalErrorMessage.SendCertificateOverMtlsRequiresCertificate);
+            }
         }
 
         private void ValidateAndUpdateRegion()

src/client/Microsoft.Identity.Client/Extensibility/ConfidentialClientApplicationBuilderExtensions.cs

@@ -75,6 +75,7 @@ public static ConfidentialClientApplicationBuilder WithCertificate(
                 certificateProvider: certificateProvider);
 
             builder.Config.SendX5C = certificateOptions?.SendX5C ?? false;
+            builder.Config.CertificateOptions = certificateOptions;
 
             return builder;
         }

src/client/Microsoft.Identity.Client/Internal/ClientCredential/CertificateAndClaimsClientCredential.cs

@@ -99,6 +99,24 @@ public async Task<CredentialMaterial> GetCredentialMaterialAsync(
             return new CredentialMaterial(parameters, certificate);
         }
 
+        /// <summary>
+        /// Resolves the certificate for use as an mTLS transport credential, without building a full
+        /// JWT client assertion. Invokes the provider delegate (which may be a static lambda or a
+        /// true async callback) and validates the result.
+        /// Called by <see cref="Microsoft.Identity.Client.ApiConfig.Parameters.MtlsPopParametersInitializer"/>
+        /// for the implicit Bearer-over-mTLS path when
+        /// <see cref="AppConfig.CertificateOptions.SendCertificateOverMtls"/> is <see langword="true"/>.
+        /// </summary>
+        internal async Task<X509Certificate2> ResolveCertificateForMtlsAsync(
+            AssertionRequestOptions options)
+        {
+            X509Certificate2 certificate = await _certificateProvider(options).ConfigureAwait(false);
+
+            ValidateCertificate(certificate);
+
+            return certificate;
+        }
+
         /// <summary>
         /// Resolves the certificate to use for signing the client assertion.
         /// Invokes the certificate provider delegate to get the certificate.
@@ -122,11 +140,22 @@ private async Task<X509Certificate2> ResolveCertificateAsync(
             // Invoke the provider to get the certificate
             X509Certificate2 certificate = await _certificateProvider(options).ConfigureAwait(false);
 
-            // Validate the certificate returned by the provider
+            ValidateCertificate(certificate);
+
+            context.Logger.Verbose(
+                () => $"[CertificateAndClaimsClientCredential] Certificate resolved. " +
+                      $"Thumbprint: {certificate.Thumbprint}");
+
+            return certificate;
+        }
+
+        /// <summary>
+        /// Validates that the certificate is non-null and has a private key.
+        /// </summary>
+        private static void ValidateCertificate(X509Certificate2 certificate)
+        {
             if (certificate == null)
             {
-                context.Logger.Error("[CertificateAndClaimsClientCredential] Certificate provider returned null.");
-
                 throw new MsalClientException(
                     MsalError.InvalidClientAssertion,
                     "The certificate provider callback returned null. Ensure the callback returns a valid X509Certificate2 instance.");
@@ -136,28 +165,18 @@ private async Task<X509Certificate2> ResolveCertificateAsync(
             {
                 if (!certificate.HasPrivateKey)
                 {
-                    context.Logger.Error("[CertificateAndClaimsClientCredential] The certificate does not have a private key.");
-
                     throw new MsalClientException(
                         MsalError.CertWithoutPrivateKey,
                         MsalErrorMessage.CertMustHavePrivateKey(certificate.FriendlyName));
                 }
             }
             catch (System.Security.Cryptography.CryptographicException ex)
             {
-                context.Logger.Error("[CertificateAndClaimsClientCredential] A cryptographic error occurred while accessing the certificate.");
-
                 throw new MsalClientException(
                     MsalError.CryptographicError,
                     MsalErrorMessage.CryptographicError,
                     ex);
             }
-
-            context.Logger.Verbose(
-                () => $"[CertificateAndClaimsClientCredential] Certificate resolved. " +
-                      $"Thumbprint: {certificate.Thumbprint}");
-
-            return certificate;
         }
     }
 }

src/client/Microsoft.Identity.Client/MsalError.cs

@@ -1259,10 +1259,11 @@ public static class MsalError
         /// <summary>
         /// <para>What happened?</para> The configured credential type is not compatible with the
         /// requested authentication mode. For example, a client secret cannot be used with mTLS
-        /// Proof-of-Possession because mTLS requires a certificate to bind the token to the TLS transport.
-        /// <para>Mitigation:</para> Use a certificate-based credential or a delegate that returns a
-        /// <see cref="ClientSignedAssertion"/> with a <see cref="ClientSignedAssertion.TokenBindingCertificate"/>
-        /// when mTLS Proof-of-Possession is required.
+        /// Proof-of-Possession or <c>SendCertificateOverMtls</c> because mTLS requires a certificate
+        /// to bind the token to the TLS transport.
+        /// <para>Mitigation:</para> Use a certificate-based credential via <c>WithCertificate()</c>,
+        /// or a delegate that returns a <see cref="ClientSignedAssertion"/> with a
+        /// <see cref="ClientSignedAssertion.TokenBindingCertificate"/> when mTLS Proof-of-Possession is required.
         /// </summary>
         public const string InvalidCredentialMaterial = "invalid_credential_material";
     }

src/client/Microsoft.Identity.Client/MsalErrorMessage.cs

@@ -455,5 +455,10 @@ public static string InvalidTokenProviderResponseValue(string invalidValueName)
         public const string CannotSwitchBetweenImdsVersionsForPreview = "ImdsV2 is currently experimental - A Bearer token has already been received; Please restart the application to receive a mTLS PoP token.";
         public const string MtlsPopTokenNotSupportedinImdsV1 = "mTLS Proof of Possession with managed identity is currently in private preview and is not supported on this VM. Ensure you're running on a supported VM image.";
         public const string ManagedIdentityAllSourcesUnavailable = "All Managed Identity sources are unavailable.";
+        public const string SendCertificateOverMtlsRequiresCertificate =
+            "CertificateOptions.SendCertificateOverMtls is only valid with a certificate-based credential " +
+            "configured via WithCertificate(). Non-certificate credentials (client secrets, static signed " +
+            "assertions, and string-returning assertion delegates) are not supported. " +
+            "Remove SendCertificateOverMtls or switch to a certificate credential.";
     }
 }

src/client/Microsoft.Identity.Client/PublicApi/net462/PublicAPI.Unshipped.txt

@@ -1,3 +1,5 @@
-Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.get -> System.Guid
-Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.set -> void
 const Microsoft.Identity.Client.MsalError.InvalidCredentialMaterial = "invalid_credential_material" -> string
+Microsoft.Identity.Client.AppConfig.CertificateOptions.SendCertificateOverMtls.get -> bool
+Microsoft.Identity.Client.AppConfig.CertificateOptions.SendCertificateOverMtls.init -> void
+Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.get -> System.Guid
+Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.set -> void

src/client/Microsoft.Identity.Client/PublicApi/net472/PublicAPI.Unshipped.txt

@@ -1,3 +1,5 @@
-Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.get -> System.Guid
-Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.set -> void
 const Microsoft.Identity.Client.MsalError.InvalidCredentialMaterial = "invalid_credential_material" -> string
+Microsoft.Identity.Client.AppConfig.CertificateOptions.SendCertificateOverMtls.get -> bool
+Microsoft.Identity.Client.AppConfig.CertificateOptions.SendCertificateOverMtls.init -> void
+Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.get -> System.Guid
+Microsoft.Identity.Client.AssertionRequestOptions.CorrelationId.set -> void