Add WithMtlsBearerToken() API and E2E test: Get attested ****** via IMDSv2 mTLS flow

[Copilot]

Adds a new public API WithMtlsBearerToken() that uses the full IMDSv2 attested mTLS flow (Credential Guard–issued certificate, mTLS connection to ESTS) but requests token_type=bearer, returning a standard bearer token with no binding certificate. Also adds the corresponding E2E test.

Changes proposed in this request

• Added WithMtlsBearerToken() extension method to ManagedIdentityPopExtensions.cs (Windows-only, mirrors WithMtlsProofOfPossession() but sends token_type=bearer to ESTS instead of token_type=mtls_pop)
• Plumbed IsMtlsBearerRequested flag through AcquireTokenCommonParameters, AcquireTokenForManagedIdentityParameters, AuthenticationRequestParameters, AcquireTokenForManagedIdentityParameterBuilder, ManagedIdentityAuthRequest, and AbstractManagedIdentity
• Updated routing in ManagedIdentityClient to route IsMtlsBearerRequested to IMDSv2 (same as IsMtlsPopRequested)
• Extended the KeyGuard validation in ImdsV2ManagedIdentitySource.CreateRequestAsync to cover both PoP and ****** under a unified credential_guard_not_available error code
• Added a separate cache partition for mTLS-bearer tokens (mtls_bearer key component) to keep them distinct from PoP tokens and plain IMDSv1 bearer tokens
• Updated PublicAPI.Unshipped.txt for all target frameworks
• Replaced the original AcquireToken_OnImdsV2_WithAttestation_NoMtlsPoP_ReturnsBearer E2E test with AcquireToken_OnImdsV2_WithMtlsBearerToken_ReturnsBearer, which calls .WithMtlsBearerToken().WithAttestationSupport() and asserts TokenType == "Bearer", BindingCertificate == null, absence of the cnf claim in the JWT payload, and TokenSource == IdentityProvider
• Updated unit test error code assertion to credential_guard_not_available

var result = await mi.AcquireTokenForManagedIdentity(GraphResource)
    .WithMtlsBearerToken()      // uses IMDSv2 attested flow, token_type=bearer
    .WithAttestationSupport()   // adds Credential Guard attestation JWT
    .ExecuteAsync()
    .ConfigureAwait(false);

Assert.AreEqual("Bearer", result.TokenType);
Assert.IsNull(result.BindingCertificate);
var jwt = new JwtSecurityToken(result.AccessToken);
Assert.IsFalse(jwt.Payload.ContainsKey("cnf"));
Assert.AreEqual(TokenSource.IdentityProvider, result.AuthenticationResultMetadata.TokenSource);

Testing
Updated E2E test uses .WithMtlsBearerToken() and runs on the MSALMSIV2 pool (Credential Guard / VBS enabled). Gracefully marks inconclusive if Credential Guard is unavailable. Unit test for the KeyGuard-not-available error path updated to match the new unified error code.

Performance impact
None.

Documentation

• All relevant documentation is updated.

[Copilot]

Pull request overview

Adds an end-to-end regression test in the Managed Identity IMDSv2 E2E suite to validate that when .WithMtlsProofOfPossession() is omitted (even if .WithAttestationSupport() is present), MSAL returns a standard Bearer token (no binding certificate) on an IMDSv2-capable host.

Changes:

• Added a new [DataRow]-driven E2E test covering SAMI and UAMI (clientId) scenarios for the “no mTLS PoP requested” path.
• Asserts Bearer token shape (TokenType == "Bearer", BindingCertificate == null) and that the token was acquired from the identity provider.

[gladjohn]

We will need a new Bearer API to support this e2e

[gladjohn]

@copilot This adds an E2E test covering the IMDSv1 path on an IMDSv2-capable host: when .WithMtlsProofOfPossession() is not called, MSAL routes the request through IMDSv1 regardless of .WithAttestationSupport(), returning a bearer token with no binding certificate.

But, to get a Bearer token .WithAttestationSupport(), we may need a new let's say name not final - WithMtlsBearer() - think of a good name. If we added this, then we should use the Attested Flow in IMDSv2-capable host and get a bearer token. We just need to set the token type to bearer when we call ESTS finally with the cert over mTLS. Can you add the new api and update this test to return a bearer token using attestation?

[Copilot]

Added WithMtlsBearerToken() in commit 9c06b52.

The new API follows the same IMDSv2 attested flow as WithMtlsProofOfPossession() — it obtains a Credential Guard–issued certificate, connects to ESTS over mTLS — but sends token_type=bearer instead of token_type=mtls_pop, returning a plain bearer token with no binding certificate.

Key changes:

• WithMtlsBearerToken() extension added to ManagedIdentityPopExtensions.cs (Windows-only, same as the PoP variant)
• IsMtlsBearerRequested flag plumbed from the builder through parameters, routing, and ImdsV2ManagedIdentitySource.CreateRequestAsync
• Routing in ManagedIdentityClient treats IsMtlsBearerRequested the same as IsMtlsPopRequested for IMDSv2 source selection
• The KeyGuard check in ImdsV2ManagedIdentitySource now covers both PoP and ****** (unified error code credential_guard_not_available)
• mTLS-bearer tokens get their own cache partition (mtls_bearer key component) to keep them separate from both PoP tokens and plain IMDSv1 bearer tokens
• E2E test updated to call .WithMtlsBearerToken().WithAttestationSupport() and asserts TokenType == "Bearer", BindingCertificate == null, and absence of the cnf claim in the JWT payload

[gladjohn]

@copilot resolve conflicts

[Copilot]

@copilot resolve conflicts

Conflicts resolved in commit d5a3f7c (merge commit). The main branch had introduced MtlsPopMinStrength/PoPOptions and refactored ImdsV2ManagedIdentitySource to delegate the token leg via AcquireMtlsBindingAsync(). Key resolutions:

• All six PublicAPI.Unshipped.txt files now include both our WithMtlsBearerToken entry and main's new PoPOptions/MinStrengthNotMet/WithMtlsProofOfPossession(PoPOptions) entries.
• Both IsMtlsBearerRequested and MtlsPopMinStrength are kept in all parameter/request types.
• AcquireMtlsBindingForDelegationAsync now sets _isMtlsBearerRequested from parameters (instead of hardcoding _isMtlsPopRequested = true), and ManagedIdentityAuthRequest routes both IsMtlsPopRequested and IsMtlsBearerRequested into the delegation path with appropriate auth scheme handling for each.