Skip to content

MSI POP Attestation #5612

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Robbie-Microsoft wants to merge 17 commits into
base: main
Choose a base branch
from
Open

MSI POP Attestation #5612

Robbie-Microsoft wants to merge 17 commits into from

Conversation

@Robbie-Microsoft
Copy link
Contributor

@Robbie-Microsoft Robbie-Microsoft commented Dec 8, 2025

Implements #5591

@Robbie-Microsoft Robbie-Microsoft marked this pull request as ready for review December 8, 2025 18:22
@Robbie-Microsoft Robbie-Microsoft requested a review from a team as a code owner December 8, 2025 18:22
gladjohn
gladjohn reviewed Dec 8, 2025
View reviewed changes
bgavrilMS
bgavrilMS reviewed Dec 11, 2025
View reviewed changes
gladjohn
gladjohn reviewed Dec 11, 2025
View reviewed changes
...ent/Microsoft.Identity.Client.KeyAttestation/Microsoft.Identity.Client.KeyAttestation.csproj
<Version>$(MicrosoftIdentityClientVersion)-preview</Version>
<!-- Copyright needs to be in the form of © not (c) to be compliant -->
<Title>MSAL.NET extension for managed identity proof-of-possession flows</Title>
<Title>MSAL.NET extension for KeyGuard attestation support</Title>
Copy link
Contributor

@gladjohn gladjohn Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the feature GA'd under this name - https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/

Copy link
Contributor Author

@Robbie-Microsoft Robbie-Microsoft Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What action do you want me to take here? CC @bgavrilMS

Copy link
Member

@bgavrilMS bgavrilMS Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All comments should refer to this as Credential Guard.

tests/Microsoft.Identity.Test.E2e/Microsoft.Identity.Test.E2E.MSI.csproj
<ItemGroup>
<ProjectReference Include="..\..\src\client\Microsoft.Identity.Client\Microsoft.Identity.Client.csproj" />
<ProjectReference Include="..\..\src\client\Microsoft.Identity.Client.MtlsPop\Microsoft.Identity.Client.MtlsPop.csproj" />
<ProjectReference Include="..\..\src\client\Microsoft.Identity.Client.KeyAttestation\Microsoft.Identity.Client.KeyAttestation.csproj" />
Copy link
Contributor

@gladjohn gladjohn Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we may also need to fix the OneBranch release pipeline and update the project name

bgavrilMS
bgavrilMS reviewed Dec 17, 2025
View reviewed changes
src/client/Microsoft.Identity.Client.KeyAttestation/Attestation/KeyGuardAttestationProvider.cs
/// Static initializer that registers the KeyGuard attestation provider
/// when the KeyAttestation assembly is loaded.
/// </summary>
internal static class AttestationProviderInitializer
Copy link
Member

@bgavrilMS bgavrilMS Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 file per class pls

bgavrilMS
bgavrilMS reviewed Dec 17, 2025
View reviewed changes
src/client/Microsoft.Identity.Client.KeyAttestation/Attestation/KeyGuardAttestationProvider.cs
/// Implementation of IAttestationProvider for KeyGuard attestation.
/// This provider is automatically registered when the KeyAttestation package is loaded.
/// </summary>
internal class KeyGuardAttestationProvider : IAttestationProvider
Copy link
Member

@bgavrilMS bgavrilMS Dec 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this PR is doing too much. The existing logic just sets builder.CommonParameters.AttestationTokenProvider. Why does this need to change with introduction of registry, new interfaces and classes etc. I do not understand the new design.

bgavrilMS
bgavrilMS reviewed Dec 17, 2025
View reviewed changes
src/client/Microsoft.Identity.Client/Properties/InternalsVisibleTo.cs
[assembly: InternalsVisibleTo("Microsoft.Identity.Client.Desktop.WinUI3" + KeyTokens.MSAL)]
[assembly: InternalsVisibleTo("Microsoft.Identity.Client.Broker" + KeyTokens.MSAL)]
[assembly: InternalsVisibleTo("Microsoft.Identity.Client.MtlsPop" + KeyTokens.MSAL)]
[assembly: InternalsVisibleTo("Microsoft.Identity.Client.KeyAttestation" + KeyTokens.MSAL)]
Copy link
Member

@bgavrilMS bgavrilMS Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the AI was actually trying to eliminate this InternalsVisibleTo and came up with this new design. But you kept it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bgavrilMS bgavrilMS bgavrilMS left review comments

@gladjohn gladjohn Awaiting requested review from gladjohn

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Robbie-Microsoft @bgavrilMS @gladjohn