Enable mTLS Proof‑of‑Possession for Client‑Assertion Delegates

[gladjohn]

Fixes #5398

Changes proposed in this request
This pull request introduces significant enhancements to the mutual TLS Proof-of-Possession (mTLS PoP) functionality, refactors client assertion handling, and updates public APIs to support these changes. The most important changes include adding support for certificate-bound client assertions, refactoring the ClientCredential classes, and introducing new public APIs for client assertion configuration.

Enhancements to mTLS Proof-of-Possession:

• Refactored WithMtlsProofOfPossession method: Updated the method to handle multiple credential types (CertificateClientCredential and ClientAssertionDelegateCredential) and added logic for certificate-bound client assertions. Improved error handling for cases where certificates are not provided. (src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs, src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.csL99-R126)
• Updated error messages: Enhanced the error message for missing certificates in mTLS PoP to include guidance for configuring applications or chaining methods. (src/client/Microsoft.Identity.Client/MsalErrorMessage.cs, src/client/Microsoft.Identity.Client/MsalErrorMessage.csL439-R439)

Refactoring of Client Assertion Handling:

• Introduced ClientAssertionDelegateCredential: Added a new class to handle client assertions supplied via a delegate, supporting JWTs with optional certificates for mTLS PoP. This replaces the removed SignedAssertionDelegateClientCredential class. (src/client/Microsoft.Identity.Client/Internal/ClientCredential/ClientAssertionDelegateCredential.cs, [1]; src/client/Microsoft.Identity.Client/Internal/ClientCredential/SignedAssertionDelegateClientCredential.cs, [2]
• Support for JWT-PoP assertion type: Added a new constant for JWT-PoP assertion type in OAuth2 parameters to support certificate-bound assertions. (src/client/Microsoft.Identity.Client/OAuth2/OAuthConstants.cs, src/client/Microsoft.Identity.Client/OAuth2/OAuthConstants.csR69)

Updates to Public APIs:

• Added AssertionResponse class: Introduced a new public class to encapsulate client assertions and optional certificates for token binding. (src/client/Microsoft.Identity.Client/AppConfig/AssertionResponse.cs, src/client/Microsoft.Identity.Client/AppConfig/AssertionResponse.csR1-R22)
• Enhanced WithClientAssertion methods: Refactored existing methods to use the new AssertionResponse class and added a new overload for configuring client assertions with certificate binding. (src/client/Microsoft.Identity.Client/AppConfig/ConfidentialClientApplicationBuilder.cs, [1] [2] [3]
• Public API declarations: Updated PublicAPI.Unshipped.txt files across multiple frameworks to include new APIs for client assertion configuration. (src/client/Microsoft.Identity.Client/PublicApi/net462/PublicAPI.Unshipped.txt, [1]; src/client/Microsoft.Identity.Client/PublicApi/net472/PublicAPI.Unshipped.txt, [2]; src/client/Microsoft.Identity.Client/PublicApi/net8.0-android/PublicAPI.Unshipped.txt, [3]

Miscellaneous Changes:

• Added IsExternalInit for backward compatibility: Introduced a compatibility shim for IsExternalInit to support init properties on older frameworks. (src/client/Microsoft.Identity.Client/IsExternalInit.cs, src/client/Microsoft.Identity.Client/IsExternalInit.csR1-R11)
• Minor formatting fixes: Corrected encoding issues in copyright headers. (src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs, src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.csL1-R1)

These changes collectively improve the flexibility and robustness of client assertion handling and enhance support for mTLS PoP scenarios.

Testing
unit

Performance impact
none

Documentation

• All relevant documentation is updated.

[bgavrilMS]

Don't use GetAwaiter / GetResult