Handle client certificate rotation for token binding (#53916)

Author: christothes

sdk/core/Azure.Core.TestFramework/src/Azure.Core.TestFramework.csproj

@@ -4,7 +4,9 @@
     <IncludeOperationsSharedSource>true</IncludeOperationsSharedSource>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Azure.Core" />
+    <!-- https://github.com/Azure/azure-sdk-for-net/issues/53975 -->
+    <!-- <PackageReference Include="Azure.Core" /> -->
+    <ProjectReference Include="..\..\Azure.Core\src\Azure.Core.csproj" />
     <PackageReference Include="Azure.Identity" />
     <PackageReference Include="Newtonsoft.Json" />
     <PackageReference Include="NUnit" />

sdk/core/Azure.Core.TestFramework/src/MockTransport.cs

@@ -21,6 +21,8 @@ public class MockTransport : HttpPipelineTransport
 
         public bool? ExpectSyncPipeline { get; set; }
 
+        public List<HttpPipelineTransportOptions> TransportUpdates { get; } = [];
+
         public MockTransport()
         {
             RequestGate = new AsyncGate<MockRequest, MockResponse>();
@@ -38,7 +40,7 @@ public MockTransport(params MockResponse[] responses)
             };
         }
 
-        public MockTransport(Func<MockRequest, MockResponse> responseFactory): this(req => responseFactory((MockRequest)req.Request))
+        public MockTransport(Func<MockRequest, MockResponse> responseFactory) : this(req => responseFactory((MockRequest)req.Request))
         {
         }
 
@@ -72,6 +74,11 @@ public override async ValueTask ProcessAsync(HttpMessage message)
             await ProcessCore(message);
         }
 
+        public override void Update(HttpPipelineTransportOptions options)
+        {
+            TransportUpdates.Add(options);
+        }
+
         private async Task ProcessCore(HttpMessage message)
         {
             if (!(message.Request is MockRequest request))

sdk/core/Azure.Core/api/Azure.Core.net462.cs

@@ -306,6 +306,8 @@ public partial struct AccessToken
         public AccessToken(string accessToken, System.DateTimeOffset expiresOn) { throw null; }
         public AccessToken(string accessToken, System.DateTimeOffset expiresOn, System.DateTimeOffset? refreshOn) { throw null; }
         public AccessToken(string accessToken, System.DateTimeOffset expiresOn, System.DateTimeOffset? refreshOn, string tokenType) { throw null; }
+        public AccessToken(string accessToken, System.DateTimeOffset expiresOn, System.DateTimeOffset? refreshOn, string tokenType, System.Security.Cryptography.X509Certificates.X509Certificate2 bindingCertificate) { throw null; }
+        public System.Security.Cryptography.X509Certificates.X509Certificate2? BindingCertificate { get { throw null; } }
         public System.DateTimeOffset ExpiresOn { get { throw null; } }
         public System.DateTimeOffset? RefreshOn { get { throw null; } }
         public string Token { get { throw null; } }
@@ -1042,12 +1044,15 @@ public partial class HttpClientTransport : Azure.Core.Pipeline.HttpPipelineTrans
     {
         public static readonly Azure.Core.Pipeline.HttpClientTransport Shared;
         public HttpClientTransport() { }
+        public HttpClientTransport(System.Func<Azure.Core.Pipeline.HttpPipelineTransportOptions, System.Net.Http.HttpClient> clientFactory) { }
+        public HttpClientTransport(System.Func<Azure.Core.Pipeline.HttpPipelineTransportOptions, System.Net.Http.HttpMessageHandler> handlerFactory) { }
         public HttpClientTransport(System.Net.Http.HttpClient client) { }
         public HttpClientTransport(System.Net.Http.HttpMessageHandler messageHandler) { }
         public sealed override Azure.Core.Request CreateRequest() { throw null; }
         public void Dispose() { }
         public override void Process(Azure.Core.HttpMessage message) { }
         public override System.Threading.Tasks.ValueTask ProcessAsync(Azure.Core.HttpMessage message) { throw null; }
+        public override void Update(Azure.Core.Pipeline.HttpPipelineTransportOptions options) { }
     }
     public partial class HttpPipeline
     {
@@ -1103,6 +1108,7 @@ protected HttpPipelineTransport() { }
         public abstract Azure.Core.Request CreateRequest();
         public abstract void Process(Azure.Core.HttpMessage message);
         public abstract System.Threading.Tasks.ValueTask ProcessAsync(Azure.Core.HttpMessage message);
+        public virtual void Update(Azure.Core.Pipeline.HttpPipelineTransportOptions options) { }
     }
     public partial class HttpPipelineTransportOptions
     {

sdk/core/Azure.Core/api/Azure.Core.net472.cs

@@ -306,6 +306,8 @@ public partial struct AccessToken
         public AccessToken(string accessToken, System.DateTimeOffset expiresOn) { throw null; }
         public AccessToken(string accessToken, System.DateTimeOffset expiresOn, System.DateTimeOffset? refreshOn) { throw null; }
         public AccessToken(string accessToken, System.DateTimeOffset expiresOn, System.DateTimeOffset? refreshOn, string tokenType) { throw null; }
+        public AccessToken(string accessToken, System.DateTimeOffset expiresOn, System.DateTimeOffset? refreshOn, string tokenType, System.Security.Cryptography.X509Certificates.X509Certificate2 bindingCertificate) { throw null; }
+        public System.Security.Cryptography.X509Certificates.X509Certificate2? BindingCertificate { get { throw null; } }
         public System.DateTimeOffset ExpiresOn { get { throw null; } }
         public System.DateTimeOffset? RefreshOn { get { throw null; } }
         public string Token { get { throw null; } }
@@ -1042,12 +1044,15 @@ public partial class HttpClientTransport : Azure.Core.Pipeline.HttpPipelineTrans
     {
         public static readonly Azure.Core.Pipeline.HttpClientTransport Shared;
         public HttpClientTransport() { }
+        public HttpClientTransport(System.Func<Azure.Core.Pipeline.HttpPipelineTransportOptions, System.Net.Http.HttpClient> clientFactory) { }
+        public HttpClientTransport(System.Func<Azure.Core.Pipeline.HttpPipelineTransportOptions, System.Net.Http.HttpMessageHandler> handlerFactory) { }
         public HttpClientTransport(System.Net.Http.HttpClient client) { }
         public HttpClientTransport(System.Net.Http.HttpMessageHandler messageHandler) { }
         public sealed override Azure.Core.Request CreateRequest() { throw null; }
         public void Dispose() { }
         public override void Process(Azure.Core.HttpMessage message) { }
         public override System.Threading.Tasks.ValueTask ProcessAsync(Azure.Core.HttpMessage message) { throw null; }
+        public override void Update(Azure.Core.Pipeline.HttpPipelineTransportOptions options) { }
     }
     public partial class HttpPipeline
     {
@@ -1103,6 +1108,7 @@ protected HttpPipelineTransport() { }
         public abstract Azure.Core.Request CreateRequest();
         public abstract void Process(Azure.Core.HttpMessage message);
         public abstract System.Threading.Tasks.ValueTask ProcessAsync(Azure.Core.HttpMessage message);
+        public virtual void Update(Azure.Core.Pipeline.HttpPipelineTransportOptions options) { }
     }
     public partial class HttpPipelineTransportOptions
     {

sdk/core/Azure.Core/api/Azure.Core.net8.0.cs

@@ -315,6 +315,8 @@ public partial struct AccessToken
         public AccessToken(string accessToken, System.DateTimeOffset expiresOn) { throw null; }
         public AccessToken(string accessToken, System.DateTimeOffset expiresOn, System.DateTimeOffset? refreshOn) { throw null; }
         public AccessToken(string accessToken, System.DateTimeOffset expiresOn, System.DateTimeOffset? refreshOn, string tokenType) { throw null; }
+        public AccessToken(string accessToken, System.DateTimeOffset expiresOn, System.DateTimeOffset? refreshOn, string tokenType, System.Security.Cryptography.X509Certificates.X509Certificate2 bindingCertificate) { throw null; }
+        public System.Security.Cryptography.X509Certificates.X509Certificate2? BindingCertificate { get { throw null; } }
         public System.DateTimeOffset ExpiresOn { get { throw null; } }
         public System.DateTimeOffset? RefreshOn { get { throw null; } }
         public string Token { get { throw null; } }
@@ -1055,12 +1057,15 @@ public partial class HttpClientTransport : Azure.Core.Pipeline.HttpPipelineTrans
     {
         public static readonly Azure.Core.Pipeline.HttpClientTransport Shared;
         public HttpClientTransport() { }
+        public HttpClientTransport(System.Func<Azure.Core.Pipeline.HttpPipelineTransportOptions, System.Net.Http.HttpClient> clientFactory) { }
+        public HttpClientTransport(System.Func<Azure.Core.Pipeline.HttpPipelineTransportOptions, System.Net.Http.HttpMessageHandler> handlerFactory) { }
         public HttpClientTransport(System.Net.Http.HttpClient client) { }
         public HttpClientTransport(System.Net.Http.HttpMessageHandler messageHandler) { }
         public sealed override Azure.Core.Request CreateRequest() { throw null; }
         public void Dispose() { }
         public override void Process(Azure.Core.HttpMessage message) { }
         public override System.Threading.Tasks.ValueTask ProcessAsync(Azure.Core.HttpMessage message) { throw null; }
+        public override void Update(Azure.Core.Pipeline.HttpPipelineTransportOptions options) { }
     }
     public partial class HttpPipeline
     {
@@ -1117,6 +1122,7 @@ protected HttpPipelineTransport() { }
         public abstract Azure.Core.Request CreateRequest();
         public abstract void Process(Azure.Core.HttpMessage message);
         public abstract System.Threading.Tasks.ValueTask ProcessAsync(Azure.Core.HttpMessage message);
+        public virtual void Update(Azure.Core.Pipeline.HttpPipelineTransportOptions options) { }
     }
     public partial class HttpPipelineTransportOptions
     {

sdk/core/Azure.Core/api/Azure.Core.netstandard2.0.cs

@@ -306,6 +306,8 @@ public partial struct AccessToken
         public AccessToken(string accessToken, System.DateTimeOffset expiresOn) { throw null; }
         public AccessToken(string accessToken, System.DateTimeOffset expiresOn, System.DateTimeOffset? refreshOn) { throw null; }
         public AccessToken(string accessToken, System.DateTimeOffset expiresOn, System.DateTimeOffset? refreshOn, string tokenType) { throw null; }
+        public AccessToken(string accessToken, System.DateTimeOffset expiresOn, System.DateTimeOffset? refreshOn, string tokenType, System.Security.Cryptography.X509Certificates.X509Certificate2 bindingCertificate) { throw null; }
+        public System.Security.Cryptography.X509Certificates.X509Certificate2? BindingCertificate { get { throw null; } }
         public System.DateTimeOffset ExpiresOn { get { throw null; } }
         public System.DateTimeOffset? RefreshOn { get { throw null; } }
         public string Token { get { throw null; } }
@@ -1042,12 +1044,15 @@ public partial class HttpClientTransport : Azure.Core.Pipeline.HttpPipelineTrans
     {
         public static readonly Azure.Core.Pipeline.HttpClientTransport Shared;
         public HttpClientTransport() { }
+        public HttpClientTransport(System.Func<Azure.Core.Pipeline.HttpPipelineTransportOptions, System.Net.Http.HttpClient> clientFactory) { }
+        public HttpClientTransport(System.Func<Azure.Core.Pipeline.HttpPipelineTransportOptions, System.Net.Http.HttpMessageHandler> handlerFactory) { }
         public HttpClientTransport(System.Net.Http.HttpClient client) { }
         public HttpClientTransport(System.Net.Http.HttpMessageHandler messageHandler) { }
         public sealed override Azure.Core.Request CreateRequest() { throw null; }
         public void Dispose() { }
         public override void Process(Azure.Core.HttpMessage message) { }
         public override System.Threading.Tasks.ValueTask ProcessAsync(Azure.Core.HttpMessage message) { throw null; }
+        public override void Update(Azure.Core.Pipeline.HttpPipelineTransportOptions options) { }
     }
     public partial class HttpPipeline
     {
@@ -1103,6 +1108,7 @@ protected HttpPipelineTransport() { }
         public abstract Azure.Core.Request CreateRequest();
         public abstract void Process(Azure.Core.HttpMessage message);
         public abstract System.Threading.Tasks.ValueTask ProcessAsync(Azure.Core.HttpMessage message);
+        public virtual void Update(Azure.Core.Pipeline.HttpPipelineTransportOptions options) { }
     }
     public partial class HttpPipelineTransportOptions
     {

sdk/core/Azure.Core/src/AccessToken.cs

@@ -3,6 +3,7 @@
 
 using System;
 using System.ClientModel.Primitives;
+using System.Security.Cryptography.X509Certificates;
 
 namespace Azure.Core
 {
@@ -52,6 +53,23 @@ public AccessToken(string accessToken, DateTimeOffset expiresOn, DateTimeOffset?
             TokenType = tokenType;
         }
 
+        /// <summary>
+        /// Creates a new instance of <see cref="AccessToken"/> using the provided <paramref name="accessToken"/> and <paramref name="expiresOn"/>.
+        /// </summary>
+        /// <param name="accessToken">The access token value.</param>
+        /// <param name="expiresOn">The access token expiry date.</param>
+        /// <param name="refreshOn">Specifies the time when the cached token should be proactively refreshed.</param>
+        /// <param name="tokenType">The access token type.</param>
+        /// <param name="bindingCertificate">The binding certificate for the access token.</param>
+        public AccessToken(string accessToken, DateTimeOffset expiresOn, DateTimeOffset? refreshOn, string tokenType, X509Certificate2 bindingCertificate)
+        {
+            Token = accessToken;
+            ExpiresOn = expiresOn;
+            RefreshOn = refreshOn;
+            TokenType = tokenType;
+            BindingCertificate = bindingCertificate;
+        }
+
         /// <summary>
         /// Get the access token value.
         /// </summary>
@@ -72,6 +90,13 @@ public AccessToken(string accessToken, DateTimeOffset expiresOn, DateTimeOffset?
         /// </summary>
         public string TokenType { get; }
 
+        /// <summary>
+        /// Gets or sets the binding certificate for the access token.
+        /// This is used when authenticating via Proof of Possession (PoP).
+        /// </summary>
+        /// <seealso href="https://learn.microsoft.com/entra/msal/dotnet/advanced/proof-of-possession-tokens"/>
+        public X509Certificate2? BindingCertificate { get; }
+
         /// <inheritdoc />
         public override bool Equals(object? obj)
         {

sdk/core/Azure.Core/src/Diagnostics/AzureCoreEventSource.cs

@@ -36,6 +36,7 @@ internal sealed class AzureCoreEventSource : AzureEventSource
         private const int RequestRedirectCountExceededEvent = 22;
         private const int PipelineTransportOptionsNotAppliedEvent = 23;
         private const int FailedToDecodeCaeChallengeClaimsEvent = 24;
+        private const int FailedToUpdateTransportEvent = 25;
 
         private AzureCoreEventSource() : base(EventSourceName) { }
 
@@ -333,5 +334,14 @@ public void FailedToDecodeCaeChallengeClaims(string? encodedClaims, string excep
         {
             WriteEvent(FailedToDecodeCaeChallengeClaimsEvent, encodedClaims, exception);
         }
+
+        [Event(FailedToUpdateTransportEvent, Level = EventLevel.Error, Message = "Failed to update transport: {0}")]
+        public void FailedToUpdateTransport(string reason)
+        {
+            if (IsEnabled(EventLevel.Error, EventKeywords.None))
+            {
+                WriteEvent(FailedToUpdateTransportEvent, reason);
+            }
+        }
     }
 }