
Remove region as hard requirement for mTLS PoP flows#5902

Open
gladjohn wants to merge 5 commits into main from gladjohn/remove_region_requirement

Conversation


@gladjohn gladjohn commented Apr 3, 2026

Summary

Fixes #5865 — MSAL currently enforces a region for SNI mTLS/PoP scenarios. Since mTLS is now supported on global endpoints, this PR makes region optional.

When a region is configured, MSAL continues to use regional mtlsauth endpoints as before. When no region is available, it now falls back to the global mtlsauth endpoint instead (for example, mtlsauth.microsoft.com).

Changes

Source (3 files)

  • MtlsPopParametersInitializer.cs

    • Removed region-required checks for both explicit mTLS PoP and implicit bearer-over-mTLS flows.
  • AcquireTokenForClientParameterBuilder.cs

    • Removed region validation in Validate().
  • RegionAndMtlsDiscoveryProvider.cs

    • Added GetGlobalMtlsEnvironment() to return global mtlsauth endpoints when no region is available, instead of throwing.

Tests (3 files)

  • MtlsPopTests.cs

    • Updated 2 existing tests from "region required" failures to success using the global endpoint.
    • Added 3 new tests covering global mtlsauth endpoints across public, sovereign, and non-standard clouds.
  • ClientAssertionTests.cs

    • Updated 2 tests from exception-expected to success using the global endpoint.
  • ClientCredentialsMtlsPopTests.cs

    • Added 2 integration tests for no-region scenarios:
      • SNI certificate flow
      • Assertion flow

Behavior

  Scenario                    Before                          After
  Region configured           eastus.mtlsauth.microsoft.com   eastus.mtlsauth.microsoft.com (unchanged)
  No region                   MsalClientException thrown      mtlsauth.microsoft.com (global)
  Region auto-detect fails    MsalServiceException thrown     mtlsauth.microsoft.com (global)

What is preserved

  • Tenanted authority validation is unchanged (/common and /organizations are still rejected).
  • Unsupported host validation is unchanged (for example, login.usgovcloudapi.net and login.chinacloudapi.cn are still rejected where unsupported).
  • Non-login host validation is unchanged.
  • All existing regional endpoint behavior remains unchanged when a region is available.
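The endpoint selection the PR description lays out, written up as a stand-alone C# model so the before/after rows in the Behavior table and the "What is preserved" checks can be exercised offline. This is added illustration, not MSAL.NET source: the class and method names, the use of ArgumentException, and the "login." to "mtlsauth." host rewrite for clouds other than the public one are assumptions made for the example; the only host mappings taken from the page are login.microsoftonline.com to mtlsauth.microsoft.com and the two rejected hosts.

```csharp
using System;
using System.Collections.Generic;

// Illustrative model of mtlsauth endpoint selection as described in PR #5902.
// Not MSAL.NET code: names and the non-public-cloud fallback rule are assumptions.
public static class MtlsEndpointModel
{
    // From the PR description: public cloud global host.
    private static readonly Dictionary<string, string> KnownGlobalHosts =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["login.microsoftonline.com"] = "mtlsauth.microsoft.com",
        };

    // From the PR description: still rejected where mTLS is unsupported.
    private static readonly HashSet<string> UnsupportedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "login.usgovcloudapi.net",
            "login.chinacloudapi.cn",
        };

    // Returns the mtlsauth host a token request would be sent to.
    // region == null models "no region configured and none discovered":
    // before this PR that path threw; now it yields the global host.
    public static string ResolveMtlsAuthHost(Uri authority, string region)
    {
        // Tenanted authority validation is unchanged by the PR.
        string tenant = authority.AbsolutePath.Trim('/').Split('/')[0];
        if (tenant.Length == 0 ||
            tenant.Equals("common", StringComparison.OrdinalIgnoreCase) ||
            tenant.Equals("organizations", StringComparison.OrdinalIgnoreCase))
        {
            throw new ArgumentException("mTLS PoP requires a tenanted authority.", nameof(authority));
        }

        string host = authority.Host;
        if (UnsupportedHosts.Contains(host))
        {
            throw new ArgumentException($"mTLS is not supported on {host}.", nameof(authority));
        }
        // Non-login host validation is unchanged by the PR; the second commit
        // notes the prefix check is case-insensitive.
        if (!host.StartsWith("login.", StringComparison.OrdinalIgnoreCase))
        {
            throw new ArgumentException($"{host} is not a login host.", nameof(authority));
        }

        // Assumption for this example: clouds without a known mapping swap the
        // leading "login." label for "mtlsauth.".
        string globalHost = KnownGlobalHosts.TryGetValue(host, out string mapped)
            ? mapped
            : "mtlsauth." + host.Substring("login.".Length);

        return string.IsNullOrEmpty(region) ? globalHost : $"{region}.{globalHost}";
    }

    // Models region discovery as the PR's tests drive it: an explicit region wins,
    // otherwise the REGION_NAME environment variable (which the tests clear) is
    // consulted; null means "no region available".
    public static string DiscoverRegion(string explicitRegion)
    {
        if (!string.IsNullOrEmpty(explicitRegion))
        {
            return explicitRegion;
        }
        string fromEnv = Environment.GetEnvironmentVariable("REGION_NAME");
        return string.IsNullOrEmpty(fromEnv) ? null : fromEnv;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed placeholder tenant id for the example.
        var authority = new Uri("https://login.microsoftonline.com/00000000-0000-0000-0000-000000000001");

        // Region configured: regional host, unchanged by the PR.
        Console.WriteLine(MtlsEndpointModel.ResolveMtlsAuthHost(authority, "eastus"));

        // No region configured and REGION_NAME unset: the new global fallback.
        string region = MtlsEndpointModel.DiscoverRegion(null);
        Console.WriteLine(MtlsEndpointModel.ResolveMtlsAuthHost(authority, region));

        // /common is still rejected regardless of region.
        try
        {
            MtlsEndpointModel.ResolveMtlsAuthHost(new Uri("https://login.microsoftonline.com/common"), null);
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("still rejected: " + ex.Message);
        }
    }
}
```

The operational point the model makes visible: a deployment that previously relied on the MsalClientException or MsalServiceException in the Behavior table to catch a missing or undetected region (for example, to keep token traffic inside a region) now silently falls through to the global mtlsauth host. If regional routing is a requirement rather than an optimization, pass the region explicitly instead of depending on auto-detection, and confirm in the client's logs or the resolved host which endpoint was actually used.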

mTLS is now supported on global endpoints, so region should be optional.
When region is available, regional mtlsauth endpoints are used as before.
When no region is available, the global mtlsauth endpoint is used instead
of throwing an exception.

Changes:
- Remove region null checks in MtlsPopParametersInitializer
- Remove region validation in AcquireTokenForClientParameterBuilder.Validate()
- Add global mTLS endpoint fallback in RegionAndMtlsDiscoveryProvider
- Update tests that expected region-required exceptions to verify success
- Add new unit tests for global mtlsauth endpoints (public, sovereign, non-standard)
- Add integration tests for mTLS PoP without region

Fixes: #5865

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@gladjohn gladjohn requested a review from a team as a code owner April 3, 2026 12:04
Copilot AI review requested due to automatic review settings April 3, 2026 12:04

Copilot AI left a comment


Pull request overview

This PR updates MSAL.NET’s mTLS PoP behavior so that an Azure region is no longer a hard requirement: when no region is configured or discoverable, MSAL falls back to global mtlsauth endpoints (while preserving existing regional behavior when a region is available).

Changes:

  • Removed “region required” validation for explicit mTLS PoP and implicit bearer-over-mTLS flows.
  • Added global mTLS environment fallback in region/mTLS discovery when region is unavailable.
  • Updated and added unit + integration tests to validate global mtlsauth endpoint behavior across clouds and scenarios.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

  • tests/Microsoft.Identity.Test.Unit/PublicApiTests/MtlsPopTests.cs: Updates existing tests to expect success without region and adds new coverage for global mtlsauth endpoint mapping (public/sovereign/non-standard).
  • tests/Microsoft.Identity.Test.Unit/PublicApiTests/ClientAssertionTests.cs: Updates client-assertion + mTLS scenarios to succeed without region and validate global endpoint usage.
  • tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ClientCredentialsMtlsPopTests.cs: Adds integration coverage for no-region (global endpoint) SNI cert flow and assertion flow.
  • src/client/Microsoft.Identity.Client/Instance/Discovery/RegionAndMtlsDiscoveryProvider.cs: Implements global mtlsauth fallback when region discovery returns empty for mTLS requests.
  • src/client/Microsoft.Identity.Client/ApiConfig/Parameters/MtlsPopParametersInitializer.cs: Removes region-required checks for explicit mTLS PoP and implicit bearer-over-mTLS initialization.
  • src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs: Removes region validation from AcquireTokenForClient builder validation path for mTLS PoP.

Copilot AI review requested due to automatic review settings April 3, 2026 15:58

Copilot AI left a comment


Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 11 comments.

gladjohn and others added 2 commits April 4, 2026 07:17
- Use StringComparison.OrdinalIgnoreCase for host.StartsWith checks
  in GetGlobalMtlsEnvironment and GetRegionalizedEnvironment
- Remove unused 'cert' variables in ClientAssertionTests
- Tighten assertions: use exact URI host equality instead of
  StringAssert.Contains for global endpoint validation
- Wrap all global-endpoint tests in EnvVariableContext with
  REGION_NAME cleared for deterministic behavior
- Fix unused appConfig variable in integration test

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
All no-region tests now explicitly clear both REGION_NAME and
MSAL_FORCE_REGION within EnvVariableContext for deterministic behavior
regardless of test runner environment.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 4, 2026 14:22

Copilot AI left a comment


Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.


Development

Successfully merging this pull request may close these issues.

[Feature Request] Remove Non‑Regional Checks from MSAL for mTLS / PoP