From fa2a58a513bf5c36bc189696b43da874b8556b5b Mon Sep 17 00:00:00 2001
From: Ryan Auld
Date: Thu, 21 May 2026 10:48:46 -0700
Subject: [PATCH 1/3] Migrate OBO tests from old lab to ID4SLAB1
- Switch OBO confidential client from client secret to LabAuth cert (msidlabs vault)
- Replace AppWebApi with new AppOBOService (MSAL-APP-TodoListService) in ID4SLAB1
- Add KeyVaultSecrets.AppOBOService and AppOBOClient constants
- Enable SN+I (sendX5C) for regional endpoint test
- Remove commented-out old app ID references
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .../LabInfra/KeyVaultSecrets.cs | 19 ++++++++++
 .../PublicAPI.Unshipped.txt | 4 ++
 .../LongRunningOnBehalfOfTests.cs | 26 +++++++------
 .../HeadlessTests/OnBehalfOfTests.cs | 37 ++++++++++---------
 4 files changed, 57 insertions(+), 29 deletions(-)
diff --git a/src/client/Microsoft.Identity.Lab.Api/LabInfra/KeyVaultSecrets.cs b/src/client/Microsoft.Identity.Lab.Api/LabInfra/KeyVaultSecrets.cs
index 38b7d02170..54d50ae6b4 100644
--- a/src/client/Microsoft.Identity.Lab.Api/LabInfra/KeyVaultSecrets.cs
+++ b/src/client/Microsoft.Identity.Lab.Api/LabInfra/KeyVaultSecrets.cs
@@ -79,10 +79,29 @@ public static class KeyVaultSecrets
 ///
 public const string MsalAppAzureAdMultipleOrgsRegional = "MSAL-APP-AzureADMultipleOrgsRegional-JSON";
 ///
+ /// Multiple orgs app in public cloud (id4slab1 tenant). Used for client credentials and regional token acquisition tests.
+ ///
+ public const string MsalAppAzureAdMultipleOrgs = "MSAL-APP-AzureADMultipleOrgs-JSON";
+ ///
+ /// Regional app in id4slab1 tenant with SN+I claims (xms_idrel, xms_ds_cnf). Used for regional ESTS token acquisition tests.
+ ///
+ public const string MsalAppRegion = "MSAL-App-Region-JSON";
+ ///
 /// Represents the application identifier used for Arlington CCA test scenarios in the MSAL App Arlington CCA JSON configuration.
 ///
 public const string MsalAppArlingtonCCA = "MSAL-App-ArlingtonCCA-JSON";
+ ///
+ /// OBO service app (MSAL-APP-TodoListService) in ID4SLAB1 tenant. Used for On-Behalf-Of flow integration tests
+ /// with certificate-based authentication (LabAuth cert from msidlabs vault).
+ ///
+ public const string AppOBOService = "MSAL-APP-TodoListService-JSON";
+ ///
+ /// OBO public client app (MSAL-APP-TodoListClient) in ID4SLAB1 tenant. Used as the public client
+ /// that acquires user tokens for On-Behalf-Of flow integration tests.
+ ///
+ public const string AppOBOClient = "MSAL-APP-TodoListClient-JSON";
+
 // Name of key vault secrets for app secrets and certificates
 ///
 /// default secret value used for testing application authentication scenarios that require a client secret. This secret is typically associated with a test application registered in Azure Active Directory and is used to validate authentication flows that involve client credentials or other secret-based authentication methods.
diff --git a/src/client/Microsoft.Identity.Lab.Api/PublicAPI.Unshipped.txt b/src/client/Microsoft.Identity.Lab.Api/PublicAPI.Unshipped.txt
index 5442e839b2..8528b3f9bc 100644
--- a/src/client/Microsoft.Identity.Lab.Api/PublicAPI.Unshipped.txt
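Review bot: `AppOBOClient` is declared and documented as "the public client that acquires user tokens" for the OBO tests, yet no test hunk in this series references it; every `PublicClientApplicationBuilder.Create(...)` call still takes `app.AppId` from `KeyVaultSecrets.AppS2S`. Either switch the public-client lookups to it or make the summary describe what is actually true, e.g. `/// OBO public client app (MSAL-APP-TodoListClient) in ID4SLAB1 tenant. Not yet wired into the OBO tests, which still use AppS2S as the public client.`. It may be consumed by a file outside this patch series, so confirm before changing either. The enclosing `KeyVaultSecrets` class continues beyond the hunk.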
+++ b/src/client/Microsoft.Identity.Lab.Api/PublicAPI.Unshipped.txt
@@ -14,6 +14,8 @@ const Microsoft.Identity.Test.Common.TestCategories.UnifiedSchemaValidation = "U
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultInstance.MsalTeam = "https://id4skeyvault.vault.azure.net/" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultInstance.MSIDLab = "https://msidlabs.vault.azure.net" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.AppAdfsNativeClient = "App-AdfsNativeClient-Config" -> string
+const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.AppOBOClient = "MSAL-APP-TodoListClient-JSON" -> string
+const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.AppOBOService = "MSAL-APP-TodoListService-JSON" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.AppPCAClient = "App-PCAClient-Config" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.AppS2S = "App-S2S-Config" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.AppWebApi = "App-WebApi-Config" -> string
@@ -21,7 +23,9 @@ const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.ArlAppIdLabsApp
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.B2CAppIdLabsAppB2C = "MSAL-App-B2C-JSON" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.DefaultAppSecret = "MSAL-App-Default" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.MsalAppArlingtonCCA = "MSAL-App-ArlingtonCCA-JSON" -> string
+const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.MsalAppAzureAdMultipleOrgs = "MSAL-APP-AzureADMultipleOrgs-JSON" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.MsalAppAzureAdMultipleOrgsRegional = "MSAL-APP-AzureADMultipleOrgsRegional-JSON" -> string
+const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.MsalAppRegion = "MSAL-App-Region-JSON" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.MsalAppCiam = "MSAL-App-CIAM-JSON" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.UserArlington = "MSAL-USER-Arlington-JSON" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.UserB2C = "MSAL-USER-B2C-JSON" -> string
diff --git a/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/LongRunningOnBehalfOfTests.cs b/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/LongRunningOnBehalfOfTests.cs
index bea98477e3..1b56a64cdb 100644
--- a/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/LongRunningOnBehalfOfTests.cs
+++ b/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/LongRunningOnBehalfOfTests.cs
@@ -1,9 +1,10 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 using System;
 using System.Linq;
 using System.Net;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Identity.Client;
@@ -22,18 +23,19 @@ public class LongRunningOnBehalfOfTests
 {
 private static readonly string[] s_scopes = { "User.Read" };
- private string _confidentialClientSecret;
+ private X509Certificate2 _labAuthCert;
 private readonly KeyVaultSecretsProvider _keyVault = new KeyVaultSecretsProvider(KeyVaultInstance.MsalTeam);
+ private readonly KeyVaultSecretsProvider _keyVaultMsidLab = new KeyVaultSecretsProvider(KeyVaultInstance.MSIDLab);
 #region Test Hooks
 [TestInitialize]
- public void TestInitialize()
+ public async Task TestInitializeAsync()
 {
 ApplicationBase.ResetStateForTest();
- if (string.IsNullOrEmpty(_confidentialClientSecret))
+ if (_labAuthCert is null)
 {
- _confidentialClientSecret = _keyVault.GetSecretByName(TestConstants.MsalOBOKeyVaultSecretName).Value;
+ _labAuthCert = await _keyVaultMsidLab.GetCertificateWithPrivateMaterialAsync("LabAuth").ConfigureAwait(false);
 }
 }
@@ -51,7 +53,7 @@ public async Task LongRunningAndNormalObo_WithDifferentKeys_TestAsync()
 {
 var user1 = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
 var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppS2S).ConfigureAwait(false);
- var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
+ var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 var pca = PublicClientApplicationBuilder
 .Create(app.AppId)
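Review bot: `_labAuthCert` now holds an `X509Certificate2` carrying private key material and nothing releases it; the type is `IDisposable`, so pair the initializer with a cleanup hook, e.g. `[TestCleanup] public void TestCleanup() => _labAuthCert?.Dispose();`. The `is null` guard only helps within one instance of the class, and if MSTest constructs a fresh instance per test method as it normally does, the vault round trip for the private key happens before every test; a `static` field filled from a `[ClassInitialize]` method (with disposal in `[ClassCleanup]`) would fetch it once instead. The literal `"LabAuth"` would also read better as a named constant next to `s_scopes`. The same initializer shape appears in the `OnBehalfOfTests` hunk at `@@ -36,12 +35,12 @@`; the class itself continues past this hunk.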
@@ -106,7 +108,7 @@ public async Task LongRunningThenNormalObo_WithTheSameKey_TestAsync()
 {
 var user1 = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
 var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppS2S).ConfigureAwait(false);
- var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
+ var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 var pca = PublicClientApplicationBuilder
 .Create(app.AppId)
@@ -182,7 +184,7 @@ public async Task InitiateLRWithCustomKey_ThenAcquireLRWithSameKey_Succeeds_Test
 // Arrange
 var user1 = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
 var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppS2S).ConfigureAwait(false);
- var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
+ var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 IPublicClientApplication pca = PublicClientApplicationBuilder
 .Create(app.AppId)
@@ -256,7 +258,7 @@ public async Task NormalOboThenLongRunningAcquire_WithTheSameKey_TestAsync()
 {
 var user1 = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
 var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppS2S).ConfigureAwait(false);
- var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
+ var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 var pca = PublicClientApplicationBuilder
 .Create(app.AppId)
@@ -330,7 +332,7 @@ public async Task NormalOboThenLongRunningInitiate_WithTheSameKey_TestAsync()
 {
 var user1 = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
 var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppS2S).ConfigureAwait(false);
- var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
+ var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 var pca = PublicClientApplicationBuilder
 .Create(app.AppId)
@@ -389,7 +391,7 @@ public async Task WithDifferentScopes_TestAsync()
 {
 var user1 = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
 var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppS2S).ConfigureAwait(false);
- var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
+ var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 var pca = PublicClientApplicationBuilder
 .Create(app.AppId)
@@ -442,7 +444,7 @@ private ConfidentialClientApplication BuildCCA(string tenantId, string appId)
 var builder = ConfidentialClientApplicationBuilder
 .Create(appId)
 .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"), true)
- .WithClientSecret(_confidentialClientSecret)
+ .WithCertificate(_labAuthCert)
 .WithLegacyCacheCompatibility(false);
 return builder.BuildConcrete();
diff --git a/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/OnBehalfOfTests.cs b/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/OnBehalfOfTests.cs
index f74618e46c..12993de2ed 100644
--- a/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/OnBehalfOfTests.cs
+++ b/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/OnBehalfOfTests.cs
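Review bot: `.WithCertificate(_labAuthCert)` in `BuildCCA` leaves the sendX5C flag at its default, whereas `BuildCcaAsync` in `OnBehalfOfTests` (hunk `@@ -523,20 +522,24 @@`) passes `true` for the same certificate and the same TodoListService app; the other certificate sites in `OnBehalfOfTests` (`CreateCCA`, both `WithCache_TestAsync` builders, `RunOnBehalfOfTestAsync`) also omit it. If the app registration were ever set up to trust the cert by subject name and issuer rather than by thumbprint, the thumbprint-only assertion built here would fail only at token-request time, so the intent deserves to be visible in code, e.g. `.WithCertificate(_labAuthCert) // thumbprint assertion; x5c (SN+I) is only exercised in the regional test`. Whether the registration accepts both forms is not visible in the patch and should be confirmed. `BuildCCA`'s closing brace lies outside the hunk.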
@@ -1,10 +1,11 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Net;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Identity.Client;
@@ -24,11 +25,9 @@ namespace Microsoft.Identity.Test.Integration.HeadlessTests
 public class OnBehalfOfTests
 {
 private static readonly string[] s_scopes = { "User.Read" };
- //private static readonly string[] s_oboServiceScope = { "api://23c64cd8-21e4-41dd-9756-ab9e2c23f58c/access_as_user" };
- //const string OboConfidentialClientID = "23c64cd8-21e4-41dd-9756-ab9e2c23f58c";
 private static InMemoryTokenCache s_inMemoryTokenCache = new InMemoryTokenCache();
- private string _confidentialClientSecret;
+ private X509Certificate2 _labAuthCert;
 private readonly KeyVaultSecretsProvider _keyVault = new KeyVaultSecretsProvider(KeyVaultInstance.MsalTeam);
 private readonly KeyVaultSecretsProvider _keyVaultMsidLab = new KeyVaultSecretsProvider(KeyVaultInstance.MSIDLab);
@@ -36,12 +35,12 @@ public class OnBehalfOfTests
 #region Test Hooks
 [TestInitialize]
- public void TestInitialize()
+ public async Task TestInitializeAsync()
 {
 ApplicationBase.ResetStateForTest();
- if (string.IsNullOrEmpty(_confidentialClientSecret))
+ if (_labAuthCert is null)
 {
- _confidentialClientSecret = _keyVault.GetSecretByName(TestConstants.MsalOBOKeyVaultSecretName).Value;
+ _labAuthCert = await _keyVaultMsidLab.GetCertificateWithPrivateMaterialAsync("LabAuth").ConfigureAwait(false);
 }
 }
@@ -61,7 +60,7 @@ public async Task OboAndSilent_ReturnsCorrectTokens_TestAsync(bool serializeCach
 var user1 = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
 var user2 = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud2).ConfigureAwait(false);
 var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppS2S).ConfigureAwait(false);
- var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
+ var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 var partitionedInMemoryTokenCache = new InMemoryPartitionedTokenCache();
 var nonPartitionedInMemoryTokenCache = new InMemoryTokenCache();
@@ -152,7 +151,7 @@ IConfidentialClientApplication CreateCCA()
 var app = ConfidentialClientApplicationBuilder
 .Create(appApi.AppId)
 .WithAuthority(new Uri($"https://login.microsoftonline.com/{user1AuthResult.TenantId}"), true)
- .WithClientSecret(_confidentialClientSecret)
+ .WithCertificate(_labAuthCert)
 .WithLegacyCacheCompatibility(false)
 .Build();
@@ -182,7 +181,7 @@ public async Task OboAndClientCredentials_WithRegional_ReturnsCorrectTokens_Test
 // Setup: Get lab user, create PCA and get user tokens
 var user = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
 var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppS2S).ConfigureAwait(false);
- var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
+ var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 // Use the correct public client ID from KeyVault for all tests
 var publicClientId = app.AppId;
@@ -305,7 +304,7 @@ public async Task WithCache_TestAsync()
 {
 var user = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
 var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppS2S).ConfigureAwait(false);
- var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
+ var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 var factory = new HttpSnifferClientFactory();
@@ -325,7 +324,7 @@ public async Task WithCache_TestAsync()
 var confidentialApp = ConfidentialClientApplicationBuilder
 .Create(appApi.AppId)
 .WithAuthority(new Uri("https://login.microsoftonline.com/" + authResult.TenantId), true)
- .WithClientSecret(_confidentialClientSecret)
+ .WithCertificate(_labAuthCert)
 .WithTestLogging()
 .BuildConcrete();
@@ -378,7 +377,7 @@ public async Task WithCache_TestAsync()
 var confidentialApp2 = ConfidentialClientApplicationBuilder
 .Create(appApi.AppId)
 .WithAuthority(new Uri("https://login.microsoftonline.com/" + authResult.TenantId), true)
- .WithClientSecret(_confidentialClientSecret)
+ .WithCertificate(_labAuthCert)
 .WithTestLogging()
 .WithHttpClientFactory(factory)
 .BuildConcrete();
@@ -438,7 +437,7 @@ private async Task RunOnBehalfOfTestAsync(
 multiTenantAppId = app.AppId;
 }
- var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
+ var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 var pca = PublicClientApplicationBuilder
 .Create(multiTenantAppId)
@@ -475,7 +474,7 @@ private async Task RunOnBehalfOfTestAsync(
 .Create(appApi.AppId)
 .WithAuthority(new Uri("https://login.microsoftonline.com/" + authResult.TenantId), true)
 .WithTestLogging(out HttpSnifferClientFactory factory)
- .WithClientSecret(_confidentialClientSecret)
+ .WithCertificate(_labAuthCert)
 .Build();
 s_inMemoryTokenCache.Bind(cca.UserTokenCache);
@@ -523,20 +522,24 @@ void AssertExtraHttpHeadersAreSent(HttpSnifferClientFactory factory)
 private async Task BuildCcaAsync(string tenantId, bool withRegion = false)
 {
 var appConfig = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppS2S).ConfigureAwait(false);
- var appApiConfig = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
+ var appApiConfig = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 string secret = LabResponseHelper.FetchSecretString(appConfig.SecretName, LabResponseHelper.KeyVaultSecretsProviderMsal);
 var builder = ConfidentialClientApplicationBuilder
 .Create(withRegion ? appApiConfig.AppId : appConfig.AppId)
 .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"), true)
- .WithClientSecret(withRegion ? _confidentialClientSecret : secret)
 .WithLegacyCacheCompatibility(false);
 if (withRegion)
 {
 builder
+ .WithCertificate(_labAuthCert, true)
 .WithAzureRegion(TestConstants.Region);
 }
+ else
+ {
+ builder.WithClientSecret(secret);
+ }
 return builder.BuildConcrete();
 }
From 69656d5af0c0e46f19b7f56d7a3bf2679aa1959a Mon Sep 17 00:00:00 2001
From: Ryan Auld
Date: Thu, 21 May 2026 16:15:51 -0700
Subject: [PATCH 2/3] Remove unused _keyVault field from OBO test classes
Addresses Copilot review feedback: _keyVault (MsalTeam instance) is no longer referenced after switching to _keyVaultMsidLab for LabAuth cert. Removing to avoid CS0169 warning with TreatWarningsAsErrors.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .../HeadlessTests/LongRunningOnBehalfOfTests.cs | 1 -
 .../HeadlessTests/OnBehalfOfTests.cs | 14 +++----------
 2 files changed, 3 insertions(+), 12 deletions(-)
diff --git a/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/LongRunningOnBehalfOfTests.cs b/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/LongRunningOnBehalfOfTests.cs
index 1b56a64cdb..67809e191a 100644
--- a/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/LongRunningOnBehalfOfTests.cs
+++ b/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/LongRunningOnBehalfOfTests.cs
@@ -25,7 +25,6 @@ public class LongRunningOnBehalfOfTests
 private X509Certificate2 _labAuthCert;
- private readonly KeyVaultSecretsProvider _keyVault = new KeyVaultSecretsProvider(KeyVaultInstance.MsalTeam);
 private readonly KeyVaultSecretsProvider _keyVaultMsidLab = new KeyVaultSecretsProvider(KeyVaultInstance.MSIDLab);
 #region Test Hooks
diff --git a/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/OnBehalfOfTests.cs b/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/OnBehalfOfTests.cs
index 12993de2ed..568f26a791 100644
--- a/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/OnBehalfOfTests.cs
+++ b/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/OnBehalfOfTests.cs
@@ -29,7 +29,6 @@ public class OnBehalfOfTests
 private static InMemoryTokenCache s_inMemoryTokenCache = new InMemoryTokenCache();
 private X509Certificate2 _labAuthCert;
- private readonly KeyVaultSecretsProvider _keyVault = new KeyVaultSecretsProvider(KeyVaultInstance.MsalTeam);
 private readonly KeyVaultSecretsProvider _keyVaultMsidLab = new KeyVaultSecretsProvider(KeyVaultInstance.MSIDLab);
 #region Test Hooks
@@ -521,24 +520,17 @@ void AssertExtraHttpHeadersAreSent(HttpSnifferClientFactory factory)
 private async Task BuildCcaAsync(string tenantId, bool withRegion = false)
 {
- var appConfig = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppS2S).ConfigureAwait(false);
 var appApiConfig = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
- string secret = LabResponseHelper.FetchSecretString(appConfig.SecretName, LabResponseHelper.KeyVaultSecretsProviderMsal);
 var builder = ConfidentialClientApplicationBuilder
- .Create(withRegion ? appApiConfig.AppId : appConfig.AppId)
+ .Create(appApiConfig.AppId)
 .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"), true)
+ .WithCertificate(_labAuthCert, true)
 .WithLegacyCacheCompatibility(false);
 if (withRegion)
 {
- builder
- .WithCertificate(_labAuthCert, true)
- .WithAzureRegion(TestConstants.Region);
- }
- else
- {
- builder.WithClientSecret(secret);
+ builder.WithAzureRegion(TestConstants.Region);
 }
 return builder.BuildConcrete();
From 9907ff9e972b54db7178d11b6f338afdcc530c5f Mon Sep 17 00:00:00 2001
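Review bot: The `BuildCcaAsync` hunk changes behaviour that the commit message ("Remove unused _keyVault field") does not mention: callers passing `withRegion == false` previously got the `AppS2S` app authenticated with a client secret and now get the `AppOBOService` app authenticated with the LabAuth certificate with sendX5C on, so those tests exercise a different app registration and credential type than they did after patch 1. It also makes the SN+I flag unconditional, while patch 1 describes it as enabled "for regional endpoint test" only. If that is intended, say so in the message and pin it in the method, e.g. `// Both regional and non-regional callers use the OBO service app with the LabAuth cert (x5c sent); only the Azure region differs.`; if not, the secret branch should come back. Which callers rely on the non-regional path is not visible here, and the method's closing brace is outside the hunk.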
From: Ryan Auld
Date: Wed, 27 May 2026 10:24:03 -0700
Subject: [PATCH 3/3] Remove unused MsalAppRegion and MsalAppAzureAdMultipleOrgs constants
The regional test already uses AppOBOService (TodoListService) via BuildCcaAsync, making these dedicated region app constants dead code.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .../LabInfra/KeyVaultSecrets.cs | 8 --------
 .../Microsoft.Identity.Lab.Api/PublicAPI.Unshipped.txt | 2 --
 2 files changed, 10 deletions(-)
diff --git a/src/client/Microsoft.Identity.Lab.Api/LabInfra/KeyVaultSecrets.cs b/src/client/Microsoft.Identity.Lab.Api/LabInfra/KeyVaultSecrets.cs
index 54d50ae6b4..ed9f82c191 100644
--- a/src/client/Microsoft.Identity.Lab.Api/LabInfra/KeyVaultSecrets.cs
+++ b/src/client/Microsoft.Identity.Lab.Api/LabInfra/KeyVaultSecrets.cs
@@ -79,14 +79,6 @@ public static class KeyVaultSecrets
 ///
 public const string MsalAppAzureAdMultipleOrgsRegional = "MSAL-APP-AzureADMultipleOrgsRegional-JSON";
 ///
- /// Multiple orgs app in public cloud (id4slab1 tenant). Used for client credentials and regional token acquisition tests.
- ///
- public const string MsalAppAzureAdMultipleOrgs = "MSAL-APP-AzureADMultipleOrgs-JSON";
- ///
- /// Regional app in id4slab1 tenant with SN+I claims (xms_idrel, xms_ds_cnf). Used for regional ESTS token acquisition tests.
- ///
- public const string MsalAppRegion = "MSAL-App-Region-JSON";
- ///
 /// Represents the application identifier used for Arlington CCA test scenarios in the MSAL App Arlington CCA JSON configuration.
 ///
 public const string MsalAppArlingtonCCA = "MSAL-App-ArlingtonCCA-JSON";
diff --git a/src/client/Microsoft.Identity.Lab.Api/PublicAPI.Unshipped.txt b/src/client/Microsoft.Identity.Lab.Api/PublicAPI.Unshipped.txt
index 8528b3f9bc..b888d02b2b 100644
--- a/src/client/Microsoft.Identity.Lab.Api/PublicAPI.Unshipped.txt
+++ b/src/client/Microsoft.Identity.Lab.Api/PublicAPI.Unshipped.txt
@@ -23,9 +23,7 @@ const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.ArlAppIdLabsApp
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.B2CAppIdLabsAppB2C = "MSAL-App-B2C-JSON" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.DefaultAppSecret = "MSAL-App-Default" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.MsalAppArlingtonCCA = "MSAL-App-ArlingtonCCA-JSON" -> string
-const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.MsalAppAzureAdMultipleOrgs = "MSAL-APP-AzureADMultipleOrgs-JSON" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.MsalAppAzureAdMultipleOrgsRegional = "MSAL-APP-AzureADMultipleOrgsRegional-JSON" -> string
-const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.MsalAppRegion = "MSAL-App-Region-JSON" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.MsalAppCiam = "MSAL-App-CIAM-JSON" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.UserArlington = "MSAL-USER-Arlington-JSON" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.UserB2C = "MSAL-USER-B2C-JSON" -> string