Merge branch 'rginsburg/msiv2_feature_branch' into rginsburg/msiv2_probe

Author: Robbie-Microsoft

CHANGELOG.md

@@ -1,3 +1,13 @@
+4.73.1
+======
+
+### Features
+Deprecate AcquireTokenByIntegratedWindowsAuth API in https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5345
+
+### Bug fixes
+Update native interop to 0.19.2 by @fengga in https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5362 to solve broker bugs
+update the deprecated openURL(:) api to openURL(:options:completionHandler) in https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5354
+
 4.73.0
 =======
 

Directory.Packages.props

@@ -80,7 +80,6 @@
     <PackageVersion Include="System.ValueTuple" Version="4.5.0" />
     <PackageVersion Include="System.Windows.Forms" Version="4.0.0" />
     <PackageVersion Include="CommandLineParser" Version="2.8.0" />
-    <PackageVersion Include="System.Formats.Asn1" Version="9.0.0"/>
-
+    <PackageVersion Include="System.Formats.Asn1" Version="9.0.0" />
   </ItemGroup>
 </Project>

prototype/MsiWithSlc/MsiSlcPublicApis/MsiSlcPublicApis.sln

@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.14.36221.1 d17.14
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MsiSlcPublicApis", "MsiSlcPublicApis\MsiSlcPublicApis.csproj", "{8EF999FD-BFAA-4FA7-BDD7-2720712A6917}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{8EF999FD-BFAA-4FA7-BDD7-2720712A6917}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{8EF999FD-BFAA-4FA7-BDD7-2720712A6917}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{8EF999FD-BFAA-4FA7-BDD7-2720712A6917}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{8EF999FD-BFAA-4FA7-BDD7-2720712A6917}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {07C66F36-6EFF-4CF0-8479-92C14D60BEC9}
+	EndGlobalSection
+EndGlobal

prototype/MsiWithSlc/MsiSlcPublicApis/MsiSlcPublicApis/MsiSlcPublicApis.csproj

@@ -0,0 +1,15 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>net8.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Identity.Client" />
+    <PackageReference Include="Microsoft.IdentityModel.Abstractions" />
+  </ItemGroup>
+
+</Project>

prototype/MsiWithSlc/MsiSlcPublicApis/MsiSlcPublicApis/Program.cs

@@ -0,0 +1,103 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Microsoft.Identity.Client;
+using Microsoft.Identity.Client.AppConfig;
+using Microsoft.IdentityModel.Abstractions;
+using System;
+using System.Security.Cryptography.X509Certificates;
+using System.Runtime.InteropServices;
+using System.Threading.Tasks;
+
+internal class Program
+{
+    private static async Task Main()
+    {
+        // ─── 0. Environment banner ────────────────────────────────────────────────
+        Console.WriteLine(new string('═', 70));
+        
+        // ─── 1. Certificate events ────────────────────────────────────────────────
+        ManagedIdentityApplication.BindingCertificateUpdated += c =>
+        {
+            Console.WriteLine($"\n[{Now()}] Event Fired -  BindingCertificateUpdated:");
+            PrintCertificate(c);
+        };
+
+        // ─── 2. Managed-identity source & certs ───────────────────────────────────
+        var source = await ManagedIdentityApplication.GetManagedIdentitySourceAsync()
+                                                     .ConfigureAwait(false);
+        Console.WriteLine($"\n[{Now()}] Managed Identity Source: {source}");
+
+        var cert = ManagedIdentityApplication.GetManagedIdentityBindingCertificate();
+        PrintCertificate(cert, "Initial Managed-Identity Binding Certificate");
+
+        //sleep for 5 second so we can see different timestamps
+        Thread.Sleep(5000);
+        
+        cert = ManagedIdentityApplication.ForceUpdateInMemoryCertificate();
+        PrintCertificate(cert, "Forced NEW Managed-Identity Binding Certificate");
+
+        // ─── 3. Build MI app ──────────────────────────────────────────────────────
+        IIdentityLogger logger = new IdentityLogger();
+        IManagedIdentityApplication mi = ManagedIdentityApplicationBuilder
+                                         .Create(ManagedIdentityId.SystemAssigned)
+                                         .WithExperimentalFeatures()
+                                         .WithLogging(logger, true)
+                                         .Build();
+
+        // ─── 4. Token-acquisition loop ───────────────────────────────────────────
+        string scope = "https://vault.azure.net/";
+        while (true)
+        {
+            Console.WriteLine($"\n[{Now()}] Acquiring token for scope → {scope}");
+            try
+            {
+                var result = await mi.AcquireTokenForManagedIdentity(scope)
+                                     //.WithProofOfPossession()
+                                     .ExecuteAsync()
+                                     .ConfigureAwait(false);
+
+                Console.WriteLine($"[{Now()}] ✅  Success (expires {result.ExpiresOn:HH:mm:ss})");
+                Console.WriteLine($"Access-Token (first 100 chars): {result.AccessToken[..100]}…");
+            }
+            catch (MsalServiceException ex)
+            {
+                Console.ForegroundColor = ConsoleColor.Red;
+                Console.WriteLine($"[{Now()}] ❌  {ex.ErrorCode}: {ex.Message}");
+                Console.ResetColor();
+            }
+
+            Console.Write("\nEnter new scope or 'q' to quit: ");
+            var input = Console.ReadLine();
+            if (string.Equals(input, "q", StringComparison.OrdinalIgnoreCase))
+                break;
+            if (!string.IsNullOrWhiteSpace(input))
+                scope = input.Trim();
+        }
+    }
+
+    // ─── Helpers ────────────────────────────────────────────────────────────────
+
+    private static string Now() => DateTimeOffset.Now.ToString("yyyy-MM-dd HH:mm:ss");
+
+    private static void PrintCertificate(X509Certificate2 cert, string? title = null)
+    {
+        Console.WriteLine("\n" + (title ?? "Certificate details") + "\n" + new string('-', 60));
+        Console.WriteLine($"Subject     : {cert.Subject}");
+        Console.WriteLine($"Issuer      : {cert.Issuer}");
+        Console.WriteLine($"Serial #    : {cert.SerialNumber}");
+        Console.WriteLine($"Not Before  : {cert.NotBefore:yyyy-MM-dd HH:mm:ss}");
+        Console.WriteLine($"Not After   : {cert.NotAfter:yyyy-MM-dd HH:mm:ss}");
+        Console.WriteLine($"Thumbprint  : {cert.Thumbprint}");
+        Console.WriteLine(new string('-', 60));
+    }
+}
+
+/// <summary>Minimal ILogger that pipes everything to Console.</summary>
+class IdentityLogger : IIdentityLogger
+{
+    public EventLogLevel MinLogLevel => EventLogLevel.Verbose;
+    public bool IsEnabled(EventLogLevel level) => level <= MinLogLevel;
+
+    public void Log(LogEntry entry) => Console.WriteLine($"[{DateTimeOffset.Now:HH:mm:ss}] {entry.Message}");
+}

prototype/MsiWithSlc/readme.md

@@ -0,0 +1,33 @@
+# Managed Identity – SLC Prototype Demo
+
+This sample showcases **certificate rotation** and **token acquisition** against the **prototype SLC endpoint** using MSAL’s *experimental* Managed-Identity flow.
+
+---
+
+## ✨ What the demo does
+
+1. **Detects the Managed-Identity source** (should be `Credential` when the SLC endpoint is live).  
+2. **Creates an in-memory binding certificate (`CN=devicecert.mtlsauth.local`).  
+3. **Raises `BindingCertificateUpdated`** whenever MSAL generates a fresh cert (7-day lifetime in this prototype).  
+4. **Calls the SLC `/credential` endpoint** over mTLS and exchanges the credential for an **AAD access token** (default scope `https://vault.azure.net/`).  
+
+---
+
+## 🛠️ Prerequisites
+
+| Requirement        | Version / Notes                            |
+|--------------------|--------------------------------------------|
+| .NET SDK           | **8.0.100** or later                      |
+| MSAL .NET          | **4.72.3 preview** (included via [`Microsoft.Identity.Client`](https://www.nuget.org/packages/Microsoft.Identity.Client/4.72.3-slc-preview)) |
+| Access to SLC host | VM/VMSS image with the prototype **SLC agent** enabled |
+| Managed Identity   | System-assigned (or override in code)      |
+
+> **Local run tip**: launch from an Azure VM/VMSS that already has the SLC agent bits; the demo will fail on a dev box without the endpoint.
+
+---
+
+## 🚀 Running the sample
+
+```bash
+dotnet restore
+dotnet run --configuration Release

tests/Microsoft.Identity.Test.Integration.netcore/Infrastructure/SeleniumExtensions.cs

@@ -22,44 +22,81 @@ public static class SeleniumExtensions
         private static readonly TimeSpan ExplicitTimespan = TimeSpan.FromSeconds(20);
         private static readonly TimeSpan ShortExplicitTimespan = TimeSpan.FromSeconds(5);
 
-        public static IWebDriver CreateDefaultWebDriver()
+        public static IWebDriver CreateDefaultWebDriver(int maxRetries = 3, int timeoutSeconds = 30)
         {
-            // ---------- Chrome launch flags ----------
-            var options = new ChromeOptions();
-            options.AddArguments(
-                "--headless=new",          // modern headless mode (remove this for debugging)
-                "--disable-gpu",
-                "--window-size=1920,1080",
-                "--remote-allow-origins=*",
-                "--disable-dev-shm-usage"); // avoids crashes in low-memory containers
-
-            // ---------- Pick a driver binary ----------
-            // 1) Prefer explicit env-var so devs can override locally
-            var driverDir = Environment.GetEnvironmentVariable("CHROMEWEBDRIVER");
-
-            // 2) Otherwise use the folder where CI drops a matching chromedriver
-            if (string.IsNullOrEmpty(driverDir))
+
+            for (int attempt = 1; attempt <= maxRetries; attempt++)
             {
-                driverDir = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "drivers");
-            }
+                try
+                {
+                    Trace.WriteLine($"[Selenium] Creating Chrome WebDriver (attempt {attempt}/{maxRetries})");
+
+                    // ---------- Chrome launch flags ----------
+                    var options = new ChromeOptions();
+                    options.AddArguments(
+                        "--headless=new",          // modern headless mode (remove this for debugging)
+                        "--disable-gpu",
+                        "--window-size=1920,1080",
+                        "--remote-allow-origins=*",
+                        "--disable-dev-shm-usage"); // avoids crashes in low-memory containers
+
+                    // Additional options to improve stability
+                    options.PageLoadStrategy = PageLoadStrategy.Eager;
+
+                    // ---------- Pick a driver binary ----------
+                    // 1) Prefer explicit env-var so devs can override locally
+                    var driverDir = Environment.GetEnvironmentVariable("CHROMEWEBDRIVER");
+
+                    // 2) Otherwise use the folder where CI drops a matching chromedriver
+                    if (string.IsNullOrEmpty(driverDir))
+                    {
+                        driverDir = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "drivers");
+                    }
 
-            // 3) Fallback: let Selenium look on PATH
-            ChromeDriverService service = string.IsNullOrEmpty(driverDir)
-                ? ChromeDriverService.CreateDefaultService()
-                : ChromeDriverService.CreateDefaultService(driverDir);
+                    // 3) Fallback: let Selenium look on PATH
+                    ChromeDriverService service = string.IsNullOrEmpty(driverDir)
+                        ? ChromeDriverService.CreateDefaultService()
+                        : ChromeDriverService.CreateDefaultService(driverDir);
 
-            service.HideCommandPromptWindow = true;
-            service.EnableVerboseLogging = true;
+                    service.HideCommandPromptWindow = true;
+                    service.EnableVerboseLogging = true;
+
+                    var driver = new ChromeDriver(
+                        service,
+                        options,
+                        TimeSpan.FromSeconds(timeoutSeconds));
+
+                    driver.Manage().Timeouts().ImplicitWait = ImplicitTimespan;
+
+                    try
+                    {
+                        driver.Navigate().GoToUrl("about:blank");
+                        // If this succeeds, the browser is responding
+                    }
+                    catch (Exception)
+                    {
+                        driver.Dispose();
+                        throw;
+                    }
 
-            var driver = new ChromeDriver(
-                service,
-                options,
-                TimeSpan.FromSeconds(120));       // generous startup timeout
+                    TryMaximize(driver);
+                    Trace.WriteLine($"[Selenium] Chrome WebDriver created successfully");
+                    return driver;
+                }
+                catch (Exception ex)
+                {
+                    if (attempt == maxRetries)
+                    {
+                        Trace.WriteLine($"[Selenium] Failed to create Chrome WebDriver after {maxRetries} attempts. Last error: {ex.Message}");
+                        throw;
+                    }
 
-            driver.Manage().Timeouts().ImplicitWait = ImplicitTimespan;
+                    Thread.Sleep(1000);
+                }
+            }
 
-            TryMaximize(driver);
-            return driver;
+            // This should never be reached due to the throw in the catch block on the last attempt
+            throw new InvalidOperationException("Failed to create Chrome WebDriver");
         }
 
         private static void TryMaximize(IWebDriver driver)
@@ -311,7 +348,7 @@ private static void EnterUsername(IWebDriver driver, LabUser user, bool withLogi
                     {
                         Trace.WriteLine("No, workaround failed");
                     }
-                }               
+                }
             }
         }
 

tests/Microsoft.Identity.Test.Integration.netcore/SeleniumTests/InteractiveFlowTests.NetFwk.cs

@@ -399,7 +399,7 @@ private SeleniumWebUI CreateSeleniumCustomWebUIForDuende(string username, string
         }
 
         #region Azure AD Kerberos Feature Tests
-        [IgnoreOnOneBranch]
+        [Ignore]
         public async Task Kerberos_Interactive_AADAsync()
         {
             LabResponse labResponse = await LabUserHelper.GetDefaultUserAsync().ConfigureAwait(false);