ImdsV2: Non-mTLS POP Requests Fall Back to ImdsV1 #5531
Conversation
| public static AcquireTokenForManagedIdentityParameterBuilder WithMtlsProofOfPossession( | ||
| this AcquireTokenForManagedIdentityParameterBuilder builder) | ||
| { | ||
| void MtlsNotSupportedForManagedIdentity(string message) |
There was a problem hiding this comment.
This logic was previously in the wrong file
This is because we need Gladwin's big PR around AuthenticationOperation. mtls pop tokens aren't cached properly without it. |
@Robbie-Microsoft I have a PR out that adds the token type and also adds the cert to the auth result. That will unblock you. |
| } | ||
|
|
||
| #region Acceptance Tests | ||
| #region Bearer Token Tests |
There was a problem hiding this comment.
we should not delete these test cases. Is there a way to add a env_variable to enable MSI v2 on-demand and run these? so we are testing the bearer path as we make changes?
| request.BodyParameters.Add("grant_type", OAuth2GrantType.ClientCredentials); | ||
| request.BodyParameters.Add("scope", resource.TrimEnd('/') + "/.default"); | ||
| request.BodyParameters.Add("token_type", tokenType); | ||
| request.BodyParameters.Add("token_type", "mtls_pop"); |
There was a problem hiding this comment.
Suggest we keep both bearer and mtls_pop for the time being, and we enable MSI v2 bearer based on a feature flag.
| string userAssignedId = null, | ||
| string certificateRequestCertificate = TestConstants.ValidRawCertificate, | ||
| bool mTLSPop = false) | ||
| string certificateRequestCertificate = TestConstants.ValidRawCertificate) |
There was a problem hiding this comment.
This valid RAW certificate is expired. Can we extend this to 20 years or something?
3 participants
All existing unit tests pass.
Still requires manual testing.
Currently having a problem in new unit test, where after a bearer token is requested, requesting an mTLS PoP token will return the bearer token from the cache.