[Feature Request] ManagedCertificate enforcement support #5603

@bgavrilMS

Description

MSAL client type

Confidential

Problem statement

MSAL

In order to enforce the managed certificate credential, the following states should be covered:

  1. old MSAL, old cert -> no-op, will continue to work
  2. new MSAL, old cert -> no-op, will continue to work
  3. old MSAL, new cert -> the STS stops them (based on MSAL version + certificate subject name and issuer)
  4. new MSAL, new cert, bad API -> MSAL stops this based
  5. new MSAL, new cert, good API -> will work

Note: the "bad" API is the existing .WithCertificate(x509cert) API, and the new API .WithManagedCertificate() lives in the 1p repository.

In order to support states 4 and 5, the SDK will perform 2 checks:

  • it will check that the certificate is managed (based on subject name or issuer, details tbd)
  • it will check that the good API is used. To distinguish between the "good" and "bad" API, the MSAL extension will send a flag to MSAL. This flag will not be sent to the STS. The 1p extension can use the existing WithExtraQueryParameters API with a special key-value pair, or a new WithFeatureFlag API can be created if needed.

Identity.Web

  1. old Id.Web, old cert -> ok
  2. new Id.Web, old cert -> ok
  3. old Id.Web, new cert -> the STS stops them, due to transitive use of MSAL
  4. new MISE, new cert, bad API -> relies on MSAL to fail
  5. new MISE, new cert, good API -> MISE sets the flag through the API, e.g. WithExtraQueryParameters("good_api", "1") on MSAL
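The two MSAL-side checks above (managed-certificate detection and the "good API" flag) and the Identity.Web/MISE side that sets the flag can be modelled together. The following C# is an added example written for this issue, not code from MSAL.NET, Identity.Web or the 1p extension: the type name ManagedCertificateEnforcement, the issuer and subject markers used to decide "managed", and the EnforcementOutcome values are assumptions (the issue says the real rule is tbd); only the "good_api"="1" key-value pair comes from the issue text. It shows states 2, 4 and 5 from the MSAL table and, as the issue requires, consumes the flag locally so it is never forwarded to the STS.

```csharp
// Added example (not MSAL's own code): models the enforcement decision described in the issue.
// Placeholders: ManagedIssuerMarker / ManagedSubjectMarker stand in for the tbd managed-cert rule.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

public enum EnforcementOutcome
{
    NotManagedNoOp,          // states 1/2: old cert, nothing to enforce
    ManagedGoodApi,          // state 5: managed cert via the new API
    ManagedBadApiRejected    // state 4: managed cert via .WithCertificate(x509cert)
}

public static class ManagedCertificateEnforcement
{
    // Key-value pair the 1p extension / MISE passes via WithExtraQueryParameters (from the issue).
    public const string GoodApiFlagKey = "good_api";
    public const string GoodApiFlagValue = "1";

    // Placeholder markers for "managed" certificates; the real subject/issuer rule is tbd.
    public const string ManagedIssuerMarker = "CN=Contoso Managed Certificate CA";
    public const string ManagedSubjectMarker = "OU=ManagedCertificate";

    // Check 1: is this a managed certificate? (subject name or issuer, per the issue)
    public static bool IsManaged(string subject, string issuer) =>
        issuer.Equals(ManagedIssuerMarker, StringComparison.OrdinalIgnoreCase)
        || subject.IndexOf(ManagedSubjectMarker, StringComparison.OrdinalIgnoreCase) >= 0;

    public static bool IsManaged(X509Certificate2 cert) => IsManaged(cert.Subject, cert.Issuer);

    // Check 2 plus the decision. Returns the outcome and the extra query parameters that may be
    // forwarded to the STS: the good_api flag is removed here, so it never leaves the client.
    public static (EnforcementOutcome Outcome, IReadOnlyDictionary<string, string> ForwardedParams)
        Evaluate(string subject, string issuer, IDictionary<string, string> extraQueryParameters)
    {
        var incoming = extraQueryParameters ?? new Dictionary<string, string>();
        var forwarded = incoming
            .Where(kv => !kv.Key.Equals(GoodApiFlagKey, StringComparison.Ordinal))
            .ToDictionary(kv => kv.Key, kv => kv.Value);

        if (!IsManaged(subject, issuer))
            return (EnforcementOutcome.NotManagedNoOp, forwarded);

        bool goodApi = incoming.TryGetValue(GoodApiFlagKey, out var value)
                       && value == GoodApiFlagValue;

        return (goodApi ? EnforcementOutcome.ManagedGoodApi
                        : EnforcementOutcome.ManagedBadApiRejected, forwarded);
    }

    public static void Main()
    {
        // Constructed sample names, not real certificates.
        const string subject = "CN=my-app.contoso.com";
        const string legacyIssuer = "CN=Contoso Legacy CA";

        // What MISE / the 1p extension would pass for the bad and the good API respectively.
        var noFlag = new Dictionary<string, string> { ["claims"] = "{}" };
        var withFlag = new Dictionary<string, string> { ["claims"] = "{}", [GoodApiFlagKey] = GoodApiFlagValue };

        Report("state 2: new MSAL, old cert, .WithCertificate", Evaluate(subject, legacyIssuer, noFlag));
        Report("state 4: new MSAL, new cert, .WithCertificate", Evaluate(subject, ManagedIssuerMarker, noFlag));
        Report("state 5: new MSAL, new cert, .WithManagedCertificate", Evaluate(subject, ManagedIssuerMarker, withFlag));
    }

    private static void Report(string label,
        (EnforcementOutcome Outcome, IReadOnlyDictionary<string, string> ForwardedParams) result) =>
        Console.WriteLine($"{label} -> {result.Outcome}; forwarded to STS: {string.Join(",", result.ForwardedParams.Keys)}");
}
```

State 3 (old MSAL, new cert) is deliberately absent: an old MSAL has no such check, which is why the issue leaves that case to the STS, keyed on MSAL version plus certificate subject name and issuer. Note that in state 5 the forwarded dictionary contains only "claims"; the flag is a client-local signal, not a token-request parameter.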

Proposed solution

No response

Alternatives

No response