msi with slc prototype using a demo app (#5369)

* slc

* props

* version

---------

Co-authored-by: Gladwin Johnson <gljohns@microsoft.com>

Author: gladjohn

Directory.Packages.props

@@ -80,7 +80,6 @@
     <PackageVersion Include="System.ValueTuple" Version="4.5.0" />
     <PackageVersion Include="System.Windows.Forms" Version="4.0.0" />
     <PackageVersion Include="CommandLineParser" Version="2.8.0" />
-    <PackageVersion Include="System.Formats.Asn1" Version="9.0.0"/>
-
+    <PackageVersion Include="System.Formats.Asn1" Version="9.0.0" />
   </ItemGroup>
 </Project>

prototype/MsiWithSlc/MsiSlcPublicApis/MsiSlcPublicApis.sln

@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.14.36221.1 d17.14
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MsiSlcPublicApis", "MsiSlcPublicApis\MsiSlcPublicApis.csproj", "{8EF999FD-BFAA-4FA7-BDD7-2720712A6917}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{8EF999FD-BFAA-4FA7-BDD7-2720712A6917}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{8EF999FD-BFAA-4FA7-BDD7-2720712A6917}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{8EF999FD-BFAA-4FA7-BDD7-2720712A6917}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{8EF999FD-BFAA-4FA7-BDD7-2720712A6917}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {07C66F36-6EFF-4CF0-8479-92C14D60BEC9}
+	EndGlobalSection
+EndGlobal

prototype/MsiWithSlc/MsiSlcPublicApis/MsiSlcPublicApis/MsiSlcPublicApis.csproj

@@ -0,0 +1,15 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>net8.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Identity.Client" />
+    <PackageReference Include="Microsoft.IdentityModel.Abstractions" />
+  </ItemGroup>
+
+</Project>

prototype/MsiWithSlc/MsiSlcPublicApis/MsiSlcPublicApis/Program.cs

@@ -0,0 +1,103 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Microsoft.Identity.Client;
+using Microsoft.Identity.Client.AppConfig;
+using Microsoft.IdentityModel.Abstractions;
+using System;
+using System.Security.Cryptography.X509Certificates;
+using System.Runtime.InteropServices;
+using System.Threading.Tasks;
+
+internal class Program
+{
+    private static async Task Main()
+    {
+        // ─── 0. Environment banner ────────────────────────────────────────────────
+        Console.WriteLine(new string('═', 70));
+        
+        // ─── 1. Certificate events ────────────────────────────────────────────────
+        ManagedIdentityApplication.BindingCertificateUpdated += c =>
+        {
+            Console.WriteLine($"\n[{Now()}] Event Fired -  BindingCertificateUpdated:");
+            PrintCertificate(c);
+        };
+
+        // ─── 2. Managed-identity source & certs ───────────────────────────────────
+        var source = await ManagedIdentityApplication.GetManagedIdentitySourceAsync()
+                                                     .ConfigureAwait(false);
+        Console.WriteLine($"\n[{Now()}] Managed Identity Source: {source}");
+
+        var cert = ManagedIdentityApplication.GetManagedIdentityBindingCertificate();
+        PrintCertificate(cert, "Initial Managed-Identity Binding Certificate");
+
+        //sleep for 5 second so we can see different timestamps
+        Thread.Sleep(5000);
+        
+        cert = ManagedIdentityApplication.ForceUpdateInMemoryCertificate();
+        PrintCertificate(cert, "Forced NEW Managed-Identity Binding Certificate");
+
+        // ─── 3. Build MI app ──────────────────────────────────────────────────────
+        IIdentityLogger logger = new IdentityLogger();
+        IManagedIdentityApplication mi = ManagedIdentityApplicationBuilder
+                                         .Create(ManagedIdentityId.SystemAssigned)
+                                         .WithExperimentalFeatures()
+                                         .WithLogging(logger, true)
+                                         .Build();
+
+        // ─── 4. Token-acquisition loop ───────────────────────────────────────────
+        string scope = "https://vault.azure.net/";
+        while (true)
+        {
+            Console.WriteLine($"\n[{Now()}] Acquiring token for scope → {scope}");
+            try
+            {
+                var result = await mi.AcquireTokenForManagedIdentity(scope)
+                                     //.WithProofOfPossession()
+                                     .ExecuteAsync()
+                                     .ConfigureAwait(false);
+
+                Console.WriteLine($"[{Now()}] ✅  Success (expires {result.ExpiresOn:HH:mm:ss})");
+                Console.WriteLine($"Access-Token (first 100 chars): {result.AccessToken[..100]}…");
+            }
+            catch (MsalServiceException ex)
+            {
+                Console.ForegroundColor = ConsoleColor.Red;
+                Console.WriteLine($"[{Now()}] ❌  {ex.ErrorCode}: {ex.Message}");
+                Console.ResetColor();
+            }
+
+            Console.Write("\nEnter new scope or 'q' to quit: ");
+            var input = Console.ReadLine();
+            if (string.Equals(input, "q", StringComparison.OrdinalIgnoreCase))
+                break;
+            if (!string.IsNullOrWhiteSpace(input))
+                scope = input.Trim();
+        }
+    }
+
+    // ─── Helpers ────────────────────────────────────────────────────────────────
+
+    private static string Now() => DateTimeOffset.Now.ToString("yyyy-MM-dd HH:mm:ss");
+
+    private static void PrintCertificate(X509Certificate2 cert, string? title = null)
+    {
+        Console.WriteLine("\n" + (title ?? "Certificate details") + "\n" + new string('-', 60));
+        Console.WriteLine($"Subject     : {cert.Subject}");
+        Console.WriteLine($"Issuer      : {cert.Issuer}");
+        Console.WriteLine($"Serial #    : {cert.SerialNumber}");
+        Console.WriteLine($"Not Before  : {cert.NotBefore:yyyy-MM-dd HH:mm:ss}");
+        Console.WriteLine($"Not After   : {cert.NotAfter:yyyy-MM-dd HH:mm:ss}");
+        Console.WriteLine($"Thumbprint  : {cert.Thumbprint}");
+        Console.WriteLine(new string('-', 60));
+    }
+}
+
+/// <summary>Minimal ILogger that pipes everything to Console.</summary>
+class IdentityLogger : IIdentityLogger
+{
+    public EventLogLevel MinLogLevel => EventLogLevel.Verbose;
+    public bool IsEnabled(EventLogLevel level) => level <= MinLogLevel;
+
+    public void Log(LogEntry entry) => Console.WriteLine($"[{DateTimeOffset.Now:HH:mm:ss}] {entry.Message}");
+}

prototype/MsiWithSlc/readme.md

@@ -0,0 +1,33 @@
+# Managed Identity – SLC Prototype Demo
+
+This sample showcases **certificate rotation** and **token acquisition** against the **prototype SLC endpoint** using MSAL’s *experimental* Managed-Identity flow.
+
+---
+
+## ✨ What the demo does
+
+1. **Detects the Managed-Identity source** (should be `Credential` when the SLC endpoint is live).  
+2. **Creates an in-memory binding certificate (`CN=devicecert.mtlsauth.local`).  
+3. **Raises `BindingCertificateUpdated`** whenever MSAL generates a fresh cert (7-day lifetime in this prototype).  
+4. **Calls the SLC `/credential` endpoint** over mTLS and exchanges the credential for an **AAD access token** (default scope `https://vault.azure.net/`).  
+
+---
+
+## 🛠️ Prerequisites
+
+| Requirement        | Version / Notes                            |
+|--------------------|--------------------------------------------|
+| .NET SDK           | **8.0.100** or later                      |
+| MSAL .NET          | **4.72.3 preview** (included via [`Microsoft.Identity.Client`](https://www.nuget.org/packages/Microsoft.Identity.Client/4.72.3-slc-preview)) |
+| Access to SLC host | VM/VMSS image with the prototype **SLC agent** enabled |
+| Managed Identity   | System-assigned (or override in code)      |
+
+> **Local run tip**: launch from an Azure VM/VMSS that already has the SLC agent bits; the demo will fail on a dev box without the endpoint.
+
+---
+
+## 🚀 Running the sample
+
+```bash
+dotnet restore
+dotnet run --configuration Release