Update MSAL to send "fmi-bearer" client assertion type based on the client id (#5160)

trwalke · trwalke · bgavrilMS · web-flow · commit cac074c50694 · 2025-02-28T19:04:57.000Z
* Update MSAL to send "fmi-bearer" client assertion type based on the provided client id

* Removing extra logic

* Fix for client assertion.

* Add test

---------

Co-authored-by: trwalke &lt;trwalke@microsoft.com&gt;
Co-authored-by: Bogdan Gavril &lt;bogavril@microsoft.com&gt;
diff --git a/src/client/Microsoft.Identity.Client/Internal/ClientCredential/CertificateAndClaimsClientCredential.cs b/src/client/Microsoft.Identity.Client/Internal/ClientCredential/CertificateAndClaimsClientCredential.cs
@@ -65,7 +65,9 @@ public Task AddConfidentialClientParametersAsync(
 
                 string assertion = jwtToken.Sign(Certificate, requestParameters.SendX5C, useSha2);
 
-                oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertionType, OAuth2AssertionType.JwtBearer);
+                oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertionType,
+                                                                string.Equals(clientId, Constants.FmiUrnClientId) ? 
+                                                                OAuth2AssertionType.FmiBearer : OAuth2AssertionType.JwtBearer);
                 oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertion, assertion);
             }
             else
diff --git a/src/client/Microsoft.Identity.Client/Internal/ClientCredential/SignedAssertionDelegateClientCredential.cs b/src/client/Microsoft.Identity.Client/Internal/ClientCredential/SignedAssertionDelegateClientCredential.cs
@@ -38,12 +38,14 @@ public async Task AddConfidentialClientParametersAsync(
             string tokenEndpoint,
             CancellationToken cancellationToken)
         {
+            string assertionType = requestParameters.AppConfig.ClientId == Constants.FmiUrnClientId ?
+                                   OAuth2AssertionType.FmiBearer :
+                                   OAuth2AssertionType.JwtBearer;
+            string signedAssertion;
             if (_signedAssertionDelegate != null)
             {
                 // If no "AssertionRequestOptions" delegate is supplied
-                string signedAssertion = await _signedAssertionDelegate(cancellationToken).ConfigureAwait(false);
-                oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertionType, OAuth2AssertionType.JwtBearer);
-                oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertion, signedAssertion);
+                signedAssertion = await _signedAssertionDelegate(cancellationToken).ConfigureAwait(false);
             }
             else
             {
@@ -66,13 +68,14 @@ public async Task AddConfidentialClientParametersAsync(
 
                 //Set claims
                 assertionOptions.Claims = requestParameters.Claims;
-            
+
                 // Delegate that uses AssertionRequestOptions
-                string signedAssertion = await _signedAssertionWithInfoDelegate(assertionOptions).ConfigureAwait(false);
+                signedAssertion = await _signedAssertionWithInfoDelegate(assertionOptions).ConfigureAwait(false);
 
-                oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertionType, OAuth2AssertionType.JwtBearer);
-                oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertion, signedAssertion);
             }
+
+            oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertionType, assertionType);
+            oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertion, signedAssertion);
         }
     }
 }
diff --git a/src/client/Microsoft.Identity.Client/Internal/Constants.cs b/src/client/Microsoft.Identity.Client/Internal/Constants.cs
@@ -53,6 +53,8 @@ internal static class Constants
         public const int CallerSdkIdMaxLength = 10;
         public const int CallerSdkVersionMaxLength = 20;
 
+        public const string FmiUrnClientId = "urn:microsoft:identity:fmi";
+
         public static string FormatEnterpriseRegistrationOnPremiseUri(string domain)
         {
             return $"https://enterpriseregistration.{domain}/enrollmentserver/contract";
diff --git a/src/client/Microsoft.Identity.Client/OAuth2/OAuthConstants.cs b/src/client/Microsoft.Identity.Client/OAuth2/OAuthConstants.cs
@@ -66,6 +66,7 @@ internal static class OAuth2ResponseType
     internal static class OAuth2AssertionType
     {
         public const string JwtBearer = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+        public const string FmiBearer = "urn:ietf:params:oauth:client-assertion-type:fmi-bearer";
     }
 
     internal static class OAuth2RequestedTokenUse
diff --git a/tests/Microsoft.Identity.Test.Unit/PublicApiTests/FmiTests.cs b/tests/Microsoft.Identity.Test.Unit/PublicApiTests/FmiTests.cs
@@ -58,5 +58,88 @@ public async Task FmiEnsureWithFmiPathFunctions()
                 Assert.AreEqual(fmiClientId, app.AppTokenCacheInternal.Accessor.GetAllAccessTokens().First().ClientId);
             }
         }
+
+        [TestMethod]
+        [DataRow("urn:microsoft:identity:fmi", "Cert")]
+        [DataRow("urn:microsoft:identity:fmi", "SignedAssertionDelegate")]
+        [DataRow(TestConstants.ClientId, "Cert")]
+        [DataRow(TestConstants.ClientId, "SignedAssertionDelegate")]
+        [DataRow("urn:microsoft:identity:fmi", "SignedAssertionDelegate2")]
+        [DataRow(TestConstants.ClientId, "SignedAssertionDelegate2")]
+        public async Task FmiEnsureWithFmiPathUsesCorrectClientAssertion(string clientId, string clientAssertionType)
+        {
+            using (var httpManager = new MockHttpManager())
+            {
+                var jwtClientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+                var fmiClientAssertionType = "urn:ietf:params:oauth:client-assertion-type:fmi-bearer";
+
+                var certificate = CertHelper.GetOrCreateTestCert();
+                var builder = ConfidentialClientApplicationBuilder.Create(clientId)
+                                              .WithAuthority(new Uri(ClientApplicationBase.DefaultAuthority), true)
+                                              .WithRedirectUri(TestConstants.RedirectUri);
+
+                switch (clientAssertionType)
+                {
+                    case "Cert":
+                        builder.WithCertificate(certificate);
+                        break;
+                    case "SignedAssertionDelegate":
+                        builder.WithClientAssertion(() => { return TestConstants.DefaultClientAssertion; });
+                        break;
+                    case "SignedAssertionDelegate2":
+                        Func<AssertionRequestOptions, Task<string>> func = (AssertionRequestOptions options) =>
+                        {
+                            return Task.FromResult(TestConstants.DefaultClientAssertion);
+                        };
+                        builder.WithClientAssertion(func);
+                        break;
+                    default:
+                        throw new NotImplementedException();
+                }
+
+                var app = builder.WithHttpManager(httpManager)
+                .WithExperimentalFeatures()
+                .BuildConcrete();
+
+                var appCacheAccess = app.AppTokenCache.RecordAccess();
+
+                httpManager.AddInstanceDiscoveryMockHandler();
+
+                if (string.Equals(clientId, TestConstants.ClientId))
+                {
+                    httpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage(
+                                expectedPostData: new Dictionary<string, string>()
+                                { { OAuth2Parameter.ClientAssertionType, jwtClientAssertionType } });
+                }
+                else
+                {
+                    httpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage(
+                                expectedPostData: new Dictionary<string, string>()
+                                { { OAuth2Parameter.ClientAssertionType, fmiClientAssertionType } });
+                }
+
+                //Ensure that the FMI path is set correctly and token is retrieved
+                var result = await app.AcquireTokenForClient(TestConstants.s_scope.ToArray())
+                                        .WithFmiPath("fmiPath")
+                                        .ExecuteAsync(CancellationToken.None)
+                                        .ConfigureAwait(false);
+
+                Assert.IsNotNull(result);
+                Assert.AreEqual(TokenSource.IdentityProvider, result.AuthenticationResultMetadata.TokenSource);
+                Assert.AreEqual("header.payload.signature", result.AccessToken);
+                Assert.AreEqual(clientId, app.AppTokenCacheInternal.Accessor.GetAllAccessTokens().First().ClientId);
+
+                //Assert token can be acquired from cache
+                result = await app.AcquireTokenForClient(TestConstants.s_scope.ToArray())
+                                        .WithFmiPath("fmiPath")
+                                        .ExecuteAsync(CancellationToken.None)
+                                        .ConfigureAwait(false);
+
+                Assert.IsNotNull(result);
+                Assert.AreEqual(TokenSource.Cache, result.AuthenticationResultMetadata.TokenSource);
+                Assert.AreEqual("header.payload.signature", result.AccessToken);
+                Assert.AreEqual(clientId, app.AppTokenCacheInternal.Accessor.GetAllAccessTokens().First().ClientId);
+            }
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,9 @@ public Task AddConfidentialClientParametersAsync(`
`65`	`65`
`66`	`66`	`string assertion = jwtToken.Sign(Certificate, requestParameters.SendX5C, useSha2);`
`67`	`67`
`68`		`- oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertionType, OAuth2AssertionType.JwtBearer);`
	`68`	`+ oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertionType,`
	`69`	`+ string.Equals(clientId, Constants.FmiUrnClientId) ?`
	`70`	`+ OAuth2AssertionType.FmiBearer : OAuth2AssertionType.JwtBearer);`
`69`	`71`	`oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertion, assertion);`
`70`	`72`	`}`
`71`	`73`	`else`
Original file line number	Diff line number	Diff line change
`@@ -38,12 +38,14 @@ public async Task AddConfidentialClientParametersAsync(`
`38`	`38`	`string tokenEndpoint,`
`39`	`39`	`CancellationToken cancellationToken)`
`40`	`40`	`{`
	`41`	`+ string assertionType = requestParameters.AppConfig.ClientId == Constants.FmiUrnClientId ?`
	`42`	`+ OAuth2AssertionType.FmiBearer :`
	`43`	`+ OAuth2AssertionType.JwtBearer;`
	`44`	`+ string signedAssertion;`
`41`	`45`	`if (_signedAssertionDelegate != null)`
`42`	`46`	`{`
`43`	`47`	`// If no "AssertionRequestOptions" delegate is supplied`
`44`		`- string signedAssertion = await _signedAssertionDelegate(cancellationToken).ConfigureAwait(false);`
`45`		`- oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertionType, OAuth2AssertionType.JwtBearer);`
`46`		`- oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertion, signedAssertion);`
	`48`	`+ signedAssertion = await _signedAssertionDelegate(cancellationToken).ConfigureAwait(false);`
`47`	`49`	`}`
`48`	`50`	`else`
`49`	`51`	`{`
`@@ -66,13 +68,14 @@ public async Task AddConfidentialClientParametersAsync(`
`66`	`68`
`67`	`69`	`//Set claims`
`68`	`70`	`assertionOptions.Claims = requestParameters.Claims;`
`69`		`-`
	`71`	`+`
`70`	`72`	`// Delegate that uses AssertionRequestOptions`
`71`		`- string signedAssertion = await _signedAssertionWithInfoDelegate(assertionOptions).ConfigureAwait(false);`
	`73`	`+ signedAssertion = await _signedAssertionWithInfoDelegate(assertionOptions).ConfigureAwait(false);`
`72`	`74`
`73`		`- oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertionType, OAuth2AssertionType.JwtBearer);`
`74`		`- oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertion, signedAssertion);`
`75`	`75`	`}`
	`76`	`+`
	`77`	`+ oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertionType, assertionType);`
	`78`	`+ oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertion, signedAssertion);`
`76`	`79`	`}`
`77`	`80`	`}`
`78`	`81`	`}`
Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,8 @@ internal static class Constants`
`53`	`53`	`public const int CallerSdkIdMaxLength = 10;`
`54`	`54`	`public const int CallerSdkVersionMaxLength = 20;`
`55`	`55`
	`56`	`+ public const string FmiUrnClientId = "urn:microsoft:identity:fmi";`
	`57`	`+`
`56`	`58`	`public static string FormatEnterpriseRegistrationOnPremiseUri(string domain)`
`57`	`59`	`{`
`58`	`60`	`return $"https://enterpriseregistration.{domain}/enrollmentserver/contract";`
Original file line number	Diff line number	Diff line change
`@@ -66,6 +66,7 @@ internal static class OAuth2ResponseType`
`66`	`66`	`internal static class OAuth2AssertionType`
`67`	`67`	`{`
`68`	`68`	`public const string JwtBearer = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";`
	`69`	`+ public const string FmiBearer = "urn:ietf:params:oauth:client-assertion-type:fmi-bearer";`
`69`	`70`	`}`
`70`	`71`
`71`	`72`	`internal static class OAuth2RequestedTokenUse`