Task type
Development
Description
Currently MtlsPopParametersInitializer.InitExplicitMtlsPopAsync handles:
- CertificateClientCredential — uses static Certificate property
- IClientSignedAssertionProvider — calls GetAssertionAsync for the cert
- Everything else — throws
DynamicCertificateClientCredential (backing WithCertificate(() => x509)) matches none of these cases, so .WithMtlsProofOfPossession() throws at preflight.
Solution
Fix: Add a case in InitExplicitMtlsPopAsync for CertificateAndClaimsClientCredential (the base class) — call its provider to resolve the cert, then pass it to InitMtlsPopParameters. Same for TryInitImplicitBearerOverMtlsAsync.
The credential material path already handles mTLS mode correctly (returns empty params + cert). Only the preflight needs wiring.
Scope: MtlsPopParametersInitializer.cs + tests. Feature branch recommended.
Task type
Development
Description
Currently MtlsPopParametersInitializer.InitExplicitMtlsPopAsync handles:
DynamicCertificateClientCredential (backing WithCertificate(() => x509)) matches none of these cases, so .WithMtlsProofOfPossession() throws at preflight.
Solution
Fix: Add a case in InitExplicitMtlsPopAsync for CertificateAndClaimsClientCredential (the base class) — call its provider to resolve the cert, then pass it to InitMtlsPopParameters. Same for TryInitImplicitBearerOverMtlsAsync.
The credential material path already handles mTLS mode correctly (returns empty params + cert). Only the preflight needs wiring.
Scope: MtlsPopParametersInitializer.cs + tests. Feature branch recommended.