diff --git a/src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs b/src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs
index c0b2544849..2d802e43b3 100644
--- a/src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs
+++ b/src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs
@@ -4,9 +4,6 @@
 using System;
 using System.Collections.Generic;
 using System.ComponentModel;
-using System.Security.Cryptography;
-using System.Security.Cryptography.X509Certificates;
-using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Identity.Client.ApiConfig.Executors;
@@ -15,10 +12,9 @@
 using Microsoft.Identity.Client.Extensibility;
 using Microsoft.Identity.Client.Internal;
 using Microsoft.Identity.Client.Internal.ClientCredential;
-using Microsoft.Identity.Client.ManagedIdentity.V2;
 using Microsoft.Identity.Client.OAuth2;
+using Microsoft.Identity.Client.PlatformsCommon.Shared;
 using Microsoft.Identity.Client.TelemetryCore.Internal.Events;
-using Microsoft.Identity.Client.Utils;
 namespace Microsoft.Identity.Client
 {
@@ -100,14 +96,25 @@ public AcquireTokenForClientParameterBuilder WithSendX5C(bool withSendX5C)
 /// The current instance of to enable method chaining.
 public AcquireTokenForClientParameterBuilder WithMtlsProofOfPossession()
 {
-#if NET462
 if (ServiceBundle.Config.IsManagedIdentity)
 {
- throw new MsalClientException(
- MsalError.MtlsNotSupportedForManagedIdentity,
- MsalErrorMessage.MtlsNotSupportedForManagedIdentityMessage);
- }
+ void MtlsNotSupportedForManagedIdentity(string message)
+ {
+ throw new MsalClientException(
+ MsalError.MtlsNotSupportedForManagedIdentity,
+ message);
+ }
+
+ if (!DesktopOsHelper.IsWindows())
+ {
+ MtlsNotSupportedForManagedIdentity(MsalErrorMessage.MtlsNotSupportedForNonWindowsMessage);
+ }
+
+#if NET462
+ MtlsNotSupportedForManagedIdentity(MsalErrorMessage.MtlsNotSupportedForManagedIdentityMessage);
 #endif
+ }
+
 if (ServiceBundle.Config.ClientCredential is CertificateClientCredential certificateCredential)
 {
 if (certificateCredential.Certificate == null)
diff --git a/src/client/Microsoft.Identity.Client/MsalErrorMessage.cs b/src/client/Microsoft.Identity.Client/MsalErrorMessage.cs
index aceaaa3e50..92d4e06840 100644
--- a/src/client/Microsoft.Identity.Client/MsalErrorMessage.cs
+++ b/src/client/Microsoft.Identity.Client/MsalErrorMessage.cs
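Review bot: The local function `MtlsNotSupportedForManagedIdentity` never returns, yet it is declared `void`, so at both call sites the compiler sees an ordinary call that falls through; any later edit that places code after the `#if NET462` call inside the managed-identity block will run it on a path the author meant to be unreachable. The conventional shape is to have the helper build the exception and keep the `throw` at the call site: `static MsalClientException MtlsNotSupportedForManagedIdentity(string message) => new MsalClientException(MsalError.MtlsNotSupportedForManagedIdentity, message);` and `throw MtlsNotSupportedForManagedIdentity(MsalErrorMessage.MtlsNotSupportedForNonWindowsMessage);` at each site (the helper captures nothing, so `static` is safe). The hunk also adds a new failure mode for a public builder method — managed identity on a non-Windows host now throws at configuration time rather than at token acquisition — and the XML doc on `WithMtlsProofOfPossession` should gain an `<exception cref="MsalClientException">` entry stating that managed identity with mTLS PoP is rejected on non-Windows operating systems and on .NET Framework 4.6.2. The body of `WithMtlsProofOfPossession` continues past the end of the hunk.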
@@ -442,6 +442,7 @@ public static string InvalidTokenProviderResponseValue(string invalidValueName)
 public const string MtlsInvalidAuthorityTypeMessage = "mTLS PoP is only supported for AAD authority type. See https://aka.ms/msal-net-pop for details.";
 public const string MtlsNonTenantedAuthorityNotAllowedMessage = "mTLS authentication requires a tenanted authority. Using 'common', 'organizations', or similar non-tenanted authorities is not allowed. Please provide an authority with a specific tenant ID (e.g., 'https://login.microsoftonline.com/{tenantId}'). See https://aka.ms/msal-net-pop for details.";
 public const string MtlsNotSupportedForManagedIdentityMessage = "IMDSv2 flow is not supported on .NET Framework 4.6.2. Cryptographic operations required for managed identity authentication are unavailable on this platform.";
+ public const string MtlsNotSupportedForNonWindowsMessage = "mTLS PoP with Managed Identity is not supported on this OS. See https://aka.ms/msal-net-pop.";
 public const string RegionRequiredForMtlsPopMessage = "Regional auto-detect failed. mTLS Proof-of-Possession requires a region to be specified, as there is no global endpoint for mTLS. See https://aka.ms/msal-net-pop for details.";
 public const string ForceRefreshAndTokenHasNotCompatible = "Cannot specify ForceRefresh and AccessTokenSha256ToRefresh in the same request.";
 public const string RequestTimeOut = "Request to the endpoint timed out.";