Skip to content

[POC] Expose secure HTTP client factory and propagate binding certificate in authentication result #5535

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

[POC] Expose secure HTTP client factory and propagate binding certificate in authentication result #5535

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c202439
Expose secure HTTP client factory
Oct 16, 2025
f65db48
Merge remote-tracking branch 'origin/main' into iepoly/expose-secure-…
Oct 22, 2025
3743902
Propagate binding certificate in authentication result
Oct 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions src/client/Microsoft.Identity.Client/AppConfig/IMsalMtlsHttpClientFactory.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,18 +7,18 @@
namespace Microsoft.Identity.Client
{
/// <summary>
/// Internal factory responsible for creating HttpClient instances configured for mutual TLS (MTLS).
/// This factory is specifically intended for use within the MSAL library for secure communication with Azure AD using MTLS.
/// A factory responsible for creating HttpClient instances configured for mutual TLS (MTLS).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't it an interface not an actual factory?

/// This factory is intended for secure communication with Azure AD using MTLS.
/// For more details on HttpClient instancing, see https://learn.microsoft.com/dotnet/api/system.net.http.httpclient?view=net-7.0#instancing.
/// </summary>
/// <remarks>
/// Implementations of this interface must be thread-safe.
/// It is important to reuse HttpClient instances to avoid socket exhaustion.
/// Do not create a new HttpClient for each call to <see cref="GetHttpClient(X509Certificate2)"/>.
/// If your application requires Integrated Windows Authentication, set <see cref="HttpClientHandler.UseDefaultCredentials"/> to true.
/// This interface is intended for internal use by MSAL only and is designed to support MTLS scenarios.
/// This interface is designed to support MTLS scenarios.
/// </remarks>
internal interface IMsalMtlsHttpClientFactory : IMsalHttpClientFactory
public interface IMsalMtlsHttpClientFactory : IMsalHttpClientFactory
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gladjohn - don't we need this to be made public for MSIv2 as well?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, we don't need to expose this for MSI v2. We will continue to use the existing factory IMsalHttpClientFactory to make calls into IMDS endpoints, this will ensure we use custom factory. But for the mTLS calls to ESTS, we will use the new IMsalMtlsHttpClientFactory. MSAL will be responsible for calls to ESTS.

{
/// <summary>
/// Returns an HttpClient configured with a certificate for mutual TLS authentication.
Expand Down
2 changes: 1 addition & 1 deletion src/client/Microsoft.Identity.Client/PlatformsCommon/Shared/AbstractPlatformProxy.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -226,7 +226,7 @@ public virtual IDeviceAuthManager CreateDeviceAuthManager()

public virtual IMsalHttpClientFactory CreateDefaultHttpClientFactory()
{
return new SimpleHttpClientFactory();
return new SecureHttpClientFactory();
}

/// <summary>
Expand Down
19 changes: 17 additions & 2 deletions ...sCommon/Shared/SimpleHttpClientFactory.cs → ...sCommon/Shared/SecureHttpClientFactory.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,13 +12,14 @@
namespace Microsoft.Identity.Client.PlatformsCommon.Shared
{
/// <summary>
/// A simple implementation of the HttpClient factory that uses a managed HttpClientHandler
/// An implementation of the HttpClient factory that uses a managed HttpClientHandler.
/// This factory is intended to be used by MTLS scenarios or where server certificate validation is required.
/// </summary>
/// <remarks>
/// .NET should use the IHttpClientFactory, but MSAL cannot take a dependency on it.
/// .NET should use SocketHandler, but UseDefaultCredentials doesn't work with it
/// </remarks>
internal class SimpleHttpClientFactory : IMsalMtlsHttpClientFactory, IMsalSFHttpClientFactory
public class SecureHttpClientFactory : IMsalMtlsHttpClientFactory, IMsalSFHttpClientFactory
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why did you make this public?

Copy link
Author

@cpp11nullptr cpp11nullptr Oct 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly to reuse the logic to create HTTP client with setting up a certificate by Identity.Web but it can be also beneficial for users of MSAL.NET who wants either secure HTTP client factory (with mTLS or server certificate validation).

{
//Please see (https://aka.ms/msal-httpclient-info) for important information regarding the HttpClient.
private static readonly ConcurrentDictionary<string, HttpClient> s_httpClientPool = new ConcurrentDictionary<string, HttpClient>();
Expand Down Expand Up @@ -61,11 +62,20 @@ private static HttpClient CreateMtlsHttpClient(X509Certificate2 bindingCertifica
#endif
}

/// <summary>
///
/// </summary>
/// <returns></returns>
public HttpClient GetHttpClient()
{
return s_httpClientPool.GetOrAdd("non_mtls", CreateHttpClient());
}

/// <summary>
///
/// </summary>
/// <param name="x509Certificate2"></param>
/// <returns></returns>
public HttpClient GetHttpClient(X509Certificate2 x509Certificate2)
{
if (x509Certificate2 == null)
Expand All @@ -88,6 +98,11 @@ private static void CheckAndManageCache()
}
}

/// <summary>
///
/// </summary>
/// <param name="validateServerCert"></param>
/// <returns></returns>
// This method is used for Service Fabric scenarios where a custom server certificate validation callback is required.
// It allows the caller to provide a custom HttpClientHandler with the callback.
// The server cert rotates so we need a new HttpClient for each call.
Expand Down
7 changes: 7 additions & 0 deletions src/client/Microsoft.Identity.Client/PublicApi/net462/PublicAPI.Unshipped.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
Microsoft.Identity.Client.IMsalMtlsHttpClientFactory
Microsoft.Identity.Client.IMsalMtlsHttpClientFactory.GetHttpClient(System.Security.Cryptography.X509Certificates.X509Certificate2 x509Certificate2) -> System.Net.Http.HttpClient
Microsoft.Identity.Client.PlatformsCommon.Shared.SecureHttpClientFactory
Microsoft.Identity.Client.PlatformsCommon.Shared.SecureHttpClientFactory.GetHttpClient() -> System.Net.Http.HttpClient
Microsoft.Identity.Client.PlatformsCommon.Shared.SecureHttpClientFactory.GetHttpClient(System.Func<System.Net.Http.HttpRequestMessage, System.Security.Cryptography.X509Certificates.X509Certificate2, System.Security.Cryptography.X509Certificates.X509Chain, System.Net.Security.SslPolicyErrors, bool> validateServerCert) -> System.Net.Http.HttpClient
Microsoft.Identity.Client.PlatformsCommon.Shared.SecureHttpClientFactory.GetHttpClient(System.Security.Cryptography.X509Certificates.X509Certificate2 x509Certificate2) -> System.Net.Http.HttpClient
Microsoft.Identity.Client.PlatformsCommon.Shared.SecureHttpClientFactory.SecureHttpClientFactory() -> void
7 changes: 7 additions & 0 deletions src/client/Microsoft.Identity.Client/PublicApi/net472/PublicAPI.Unshipped.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
Microsoft.Identity.Client.IMsalMtlsHttpClientFactory
Microsoft.Identity.Client.IMsalMtlsHttpClientFactory.GetHttpClient(System.Security.Cryptography.X509Certificates.X509Certificate2 x509Certificate2) -> System.Net.Http.HttpClient
Microsoft.Identity.Client.PlatformsCommon.Shared.SecureHttpClientFactory
Microsoft.Identity.Client.PlatformsCommon.Shared.SecureHttpClientFactory.GetHttpClient() -> System.Net.Http.HttpClient
Microsoft.Identity.Client.PlatformsCommon.Shared.SecureHttpClientFactory.GetHttpClient(System.Func<System.Net.Http.HttpRequestMessage, System.Security.Cryptography.X509Certificates.X509Certificate2, System.Security.Cryptography.X509Certificates.X509Chain, System.Net.Security.SslPolicyErrors, bool> validateServerCert) -> System.Net.Http.HttpClient
Microsoft.Identity.Client.PlatformsCommon.Shared.SecureHttpClientFactory.GetHttpClient(System.Security.Cryptography.X509Certificates.X509Certificate2 x509Certificate2) -> System.Net.Http.HttpClient
Microsoft.Identity.Client.PlatformsCommon.Shared.SecureHttpClientFactory.SecureHttpClientFactory() -> void
7 changes: 7 additions & 0 deletions src/client/Microsoft.Identity.Client/PublicApi/net8.0/PublicAPI.Unshipped.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
Microsoft.Identity.Client.IMsalMtlsHttpClientFactory
Microsoft.Identity.Client.IMsalMtlsHttpClientFactory.GetHttpClient(System.Security.Cryptography.X509Certificates.X509Certificate2 x509Certificate2) -> System.Net.Http.HttpClient
Microsoft.Identity.Client.PlatformsCommon.Shared.SecureHttpClientFactory
Microsoft.Identity.Client.PlatformsCommon.Shared.SecureHttpClientFactory.GetHttpClient() -> System.Net.Http.HttpClient
Microsoft.Identity.Client.PlatformsCommon.Shared.SecureHttpClientFactory.GetHttpClient(System.Func<System.Net.Http.HttpRequestMessage, System.Security.Cryptography.X509Certificates.X509Certificate2, System.Security.Cryptography.X509Certificates.X509Chain, System.Net.Security.SslPolicyErrors, bool> validateServerCert) -> System.Net.Http.HttpClient
Microsoft.Identity.Client.PlatformsCommon.Shared.SecureHttpClientFactory.GetHttpClient(System.Security.Cryptography.X509Certificates.X509Certificate2 x509Certificate2) -> System.Net.Http.HttpClient
Microsoft.Identity.Client.PlatformsCommon.Shared.SecureHttpClientFactory.SecureHttpClientFactory() -> void
7 changes: 7 additions & 0 deletions src/client/Microsoft.Identity.Client/PublicApi/netstandard2.0/PublicAPI.Unshipped.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
Microsoft.Identity.Client.IMsalMtlsHttpClientFactory
Microsoft.Identity.Client.IMsalMtlsHttpClientFactory.GetHttpClient(System.Security.Cryptography.X509Certificates.X509Certificate2 x509Certificate2) -> System.Net.Http.HttpClient
Microsoft.Identity.Client.PlatformsCommon.Shared.SecureHttpClientFactory
Microsoft.Identity.Client.PlatformsCommon.Shared.SecureHttpClientFactory.GetHttpClient() -> System.Net.Http.HttpClient
Microsoft.Identity.Client.PlatformsCommon.Shared.SecureHttpClientFactory.GetHttpClient(System.Func<System.Net.Http.HttpRequestMessage, System.Security.Cryptography.X509Certificates.X509Certificate2, System.Security.Cryptography.X509Certificates.X509Chain, System.Net.Security.SslPolicyErrors, bool> validateServerCert) -> System.Net.Http.HttpClient
Microsoft.Identity.Client.PlatformsCommon.Shared.SecureHttpClientFactory.GetHttpClient(System.Security.Cryptography.X509Certificates.X509Certificate2 x509Certificate2) -> System.Net.Http.HttpClient
Microsoft.Identity.Client.PlatformsCommon.Shared.SecureHttpClientFactory.SecureHttpClientFactory() -> void
Loading