AzureAD · RyAuld · May 21, 2026 · May 21, 2026 · May 27, 2026 · May 27, 2026
@@ -83,6 +83,17 @@ public static class KeyVaultSecrets
         /// </summary>
         public const string MsalAppArlingtonCCA = "MSAL-App-ArlingtonCCA-JSON";
 
+        /// <summary>
+        /// OBO service app (MSAL-APP-TodoListService) in ID4SLAB1 tenant. Used for On-Behalf-Of flow integration tests
+        /// with certificate-based authentication (LabAuth cert from msidlabs vault).
+        /// </summary>
+        public const string AppOBOService = "MSAL-APP-TodoListService-JSON";
+        /// <summary>
+        /// OBO public client app (MSAL-APP-TodoListClient) in ID4SLAB1 tenant. Used as the public client
+        /// that acquires user tokens for On-Behalf-Of flow integration tests.
+        /// </summary>
+        public const string AppOBOClient = "MSAL-APP-TodoListClient-JSON";
+
         // Name of key vault secrets for app secrets and certificates
         /// <summary>
         /// default secret value used for testing application authentication scenarios that require a client secret. This secret is typically associated with a test application registered in Azure Active Directory and is used to validate authentication flows that involve client credentials or other secret-based authentication methods.

@@ -14,6 +14,8 @@ const Microsoft.Identity.Test.Common.TestCategories.UnifiedSchemaValidation = "U
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultInstance.MsalTeam = "https://id4skeyvault.vault.azure.net/" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultInstance.MSIDLab = "https://msidlabs.vault.azure.net" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.AppAdfsNativeClient = "App-AdfsNativeClient-Config" -> string
+const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.AppOBOClient = "MSAL-APP-TodoListClient-JSON" -> string
+const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.AppOBOService = "MSAL-APP-TodoListService-JSON" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.AppPCAClient = "App-PCAClient-Config" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.AppS2S = "App-S2S-Config" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.AppWebApi = "App-WebApi-Config" -> string

@@ -1,9 +1,10 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
 using System;
 using System.Linq;
 using System.Net;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Identity.Client;
@@ -22,18 +23,18 @@ public class LongRunningOnBehalfOfTests
     {
         private static readonly string[] s_scopes = { "User.Read" };
 
-        private string _confidentialClientSecret;
+        private X509Certificate2 _labAuthCert;
 
-        private readonly KeyVaultSecretsProvider _keyVault = new KeyVaultSecretsProvider(KeyVaultInstance.MsalTeam);
+        private readonly KeyVaultSecretsProvider _keyVaultMsidLab = new KeyVaultSecretsProvider(KeyVaultInstance.MSIDLab);
 
         #region Test Hooks
         [TestInitialize]
-        public void TestInitialize()
+        public async Task TestInitializeAsync()
         {
             ApplicationBase.ResetStateForTest();
-            if (string.IsNullOrEmpty(_confidentialClientSecret))
+            if (_labAuthCert is null)
             {
-                _confidentialClientSecret = _keyVault.GetSecretByName(TestConstants.MsalOBOKeyVaultSecretName).Value;
+                _labAuthCert = await _keyVaultMsidLab.GetCertificateWithPrivateMaterialAsync("LabAuth").ConfigureAwait(false);
             }
         }
 
@@ -51,7 +52,7 @@ public async Task LongRunningAndNormalObo_WithDifferentKeys_TestAsync()
         {
             var user1 = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
             var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppS2S).ConfigureAwait(false);
-            var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
+            var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 
             var pca = PublicClientApplicationBuilder
                 .Create(app.AppId)
@@ -106,7 +107,7 @@ public async Task LongRunningThenNormalObo_WithTheSameKey_TestAsync()
         {
             var user1 = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
             var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppS2S).ConfigureAwait(false);
-            var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
+            var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 
             var pca = PublicClientApplicationBuilder
                 .Create(app.AppId)
@@ -182,7 +183,7 @@ public async Task InitiateLRWithCustomKey_ThenAcquireLRWithSameKey_Succeeds_Test
             // Arrange
             var user1 = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
             var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppS2S).ConfigureAwait(false);
-            var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
+            var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 
             IPublicClientApplication pca = PublicClientApplicationBuilder
                 .Create(app.AppId)
@@ -256,7 +257,7 @@ public async Task NormalOboThenLongRunningAcquire_WithTheSameKey_TestAsync()
         {
             var user1 = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
             var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppS2S).ConfigureAwait(false);
-            var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
+            var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 
             var pca = PublicClientApplicationBuilder
                 .Create(app.AppId)
@@ -330,7 +331,7 @@ public async Task NormalOboThenLongRunningInitiate_WithTheSameKey_TestAsync()
         {
             var user1 = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
             var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppS2S).ConfigureAwait(false);
-            var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
+            var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 
             var pca = PublicClientApplicationBuilder
                 .Create(app.AppId)
@@ -389,7 +390,7 @@ public async Task WithDifferentScopes_TestAsync()
         {
             var user1 = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
             var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppS2S).ConfigureAwait(false);
-            var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
+            var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 
             var pca = PublicClientApplicationBuilder
                 .Create(app.AppId)
@@ -442,7 +443,7 @@ private ConfidentialClientApplication BuildCCA(string tenantId, string appId)
             var builder = ConfidentialClientApplicationBuilder
              .Create(appId)
              .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"), true)
-             .WithClientSecret(_confidentialClientSecret)
+             .WithCertificate(_labAuthCert)
              .WithLegacyCacheCompatibility(false);
 
             return builder.BuildConcrete();

@@ -1,10 +1,11 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
 using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Net;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Identity.Client;
@@ -24,24 +25,21 @@ namespace Microsoft.Identity.Test.Integration.HeadlessTests
     public class OnBehalfOfTests
     {
         private static readonly string[] s_scopes = { "User.Read" };
-        //private static readonly string[] s_oboServiceScope = { "api://23c64cd8-21e4-41dd-9756-ab9e2c23f58c/access_as_user" };
-        //const string OboConfidentialClientID = "23c64cd8-21e4-41dd-9756-ab9e2c23f58c";
 
         private static InMemoryTokenCache s_inMemoryTokenCache = new InMemoryTokenCache();
-        private string _confidentialClientSecret;
+        private X509Certificate2 _labAuthCert;
 
-        private readonly KeyVaultSecretsProvider _keyVault = new KeyVaultSecretsProvider(KeyVaultInstance.MsalTeam);
         private readonly KeyVaultSecretsProvider _keyVaultMsidLab = new KeyVaultSecretsProvider(KeyVaultInstance.MSIDLab);
 
         #region Test Hooks
 
         [TestInitialize]
-        public void TestInitialize()
+        public async Task TestInitializeAsync()
         {
             ApplicationBase.ResetStateForTest();
-            if (string.IsNullOrEmpty(_confidentialClientSecret))
+            if (_labAuthCert is null)
             {
-                _confidentialClientSecret = _keyVault.GetSecretByName(TestConstants.MsalOBOKeyVaultSecretName).Value;
+                _labAuthCert = await _keyVaultMsidLab.GetCertificateWithPrivateMaterialAsync("LabAuth").ConfigureAwait(false);
             }
         }
 
@@ -61,7 +59,7 @@ public async Task OboAndSilent_ReturnsCorrectTokens_TestAsync(bool serializeCach
             var user1 = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
             var user2 = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud2).ConfigureAwait(false);
             var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppS2S).ConfigureAwait(false);
-            var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
+            var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 
             var partitionedInMemoryTokenCache = new InMemoryPartitionedTokenCache();
             var nonPartitionedInMemoryTokenCache = new InMemoryTokenCache();
@@ -152,7 +150,7 @@ IConfidentialClientApplication CreateCCA()
                 var app = ConfidentialClientApplicationBuilder
                 .Create(appApi.AppId)
                 .WithAuthority(new Uri($"https://login.microsoftonline.com/{user1AuthResult.TenantId}"), true)
-                .WithClientSecret(_confidentialClientSecret)
+                .WithCertificate(_labAuthCert)
                 .WithLegacyCacheCompatibility(false)
                 .Build();
 
@@ -182,7 +180,7 @@ public async Task OboAndClientCredentials_WithRegional_ReturnsCorrectTokens_Test
             // Setup: Get lab user, create PCA and get user tokens
             var user = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
             var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppS2S).ConfigureAwait(false);
-            var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
+            var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 
             // Use the correct public client ID from KeyVault for all tests
             var publicClientId = app.AppId;
@@ -305,7 +303,7 @@ public async Task WithCache_TestAsync()
         {
             var user = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
             var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppS2S).ConfigureAwait(false);
-            var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
+            var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 
             var factory = new HttpSnifferClientFactory();
 
@@ -325,7 +323,7 @@ public async Task WithCache_TestAsync()
             var confidentialApp = ConfidentialClientApplicationBuilder
                 .Create(appApi.AppId)
                 .WithAuthority(new Uri("https://login.microsoftonline.com/" + authResult.TenantId), true)
-                .WithClientSecret(_confidentialClientSecret)
+                .WithCertificate(_labAuthCert)
                 .WithTestLogging()
                 .BuildConcrete();
 
@@ -378,7 +376,7 @@ public async Task WithCache_TestAsync()
             var confidentialApp2 = ConfidentialClientApplicationBuilder
                 .Create(appApi.AppId)
                 .WithAuthority(new Uri("https://login.microsoftonline.com/" + authResult.TenantId), true)
-                .WithClientSecret(_confidentialClientSecret)
+                .WithCertificate(_labAuthCert)
                 .WithTestLogging()
                 .WithHttpClientFactory(factory)
                 .BuildConcrete();
@@ -438,7 +436,7 @@ private async Task<IConfidentialClientApplication> RunOnBehalfOfTestAsync(
                 multiTenantAppId = app.AppId;
             }
 
-            var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
+            var appApi = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 
             var pca = PublicClientApplicationBuilder
                 .Create(multiTenantAppId)
@@ -475,7 +473,7 @@ private async Task<IConfidentialClientApplication> RunOnBehalfOfTestAsync(
                 .Create(appApi.AppId)
                 .WithAuthority(new Uri("https://login.microsoftonline.com/" + authResult.TenantId), true)
                 .WithTestLogging(out HttpSnifferClientFactory factory)
-                .WithClientSecret(_confidentialClientSecret)
+                .WithCertificate(_labAuthCert)
                 .Build();
             s_inMemoryTokenCache.Bind(cca.UserTokenCache);
 
@@ -522,20 +520,17 @@ void AssertExtraHttpHeadersAreSent(HttpSnifferClientFactory factory)
 
         private async Task<ConfidentialClientApplication> BuildCcaAsync(string tenantId, bool withRegion = false)
         {
-            var appConfig = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppS2S).ConfigureAwait(false);
-            var appApiConfig = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppWebApi).ConfigureAwait(false);
-            string secret = LabResponseHelper.FetchSecretString(appConfig.SecretName, LabResponseHelper.KeyVaultSecretsProviderMsal);
+            var appApiConfig = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppOBOService).ConfigureAwait(false);
 
             var builder = ConfidentialClientApplicationBuilder
-             .Create(withRegion ? appApiConfig.AppId : appConfig.AppId)
+             .Create(appApiConfig.AppId)
              .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"), true)
-             .WithClientSecret(withRegion ? _confidentialClientSecret : secret)
+             .WithCertificate(_labAuthCert, true)
              .WithLegacyCacheCompatibility(false);
 
             if (withRegion)
             {
-                builder
-                    .WithAzureRegion(TestConstants.Region);
+                builder.WithAzureRegion(TestConstants.Region);
             }
 
             return builder.BuildConcrete();