Skip to content

Add mTLS PoP validation for unsupported and non-login hosts #5684

Merged
gladjohn merged 13 commits intomainfrom
copilot/add-mtls-error-code-support
Jan 30, 2026
Merged

Add mTLS PoP validation for unsupported and non-login hosts #5684
gladjohn merged 13 commits intomainfrom
copilot/add-mtls-error-code-support

Conversation

Copy link
Contributor

Copilot AI commented Jan 28, 2026
edited by gladjohn
Loading

Changes proposed in this request

This pull request adds robust validation and error handling for mTLS Proof-of-Possession (PoP) support in sovereign and non-standard cloud environments. It introduces explicit checks to prevent the use of unsupported hosts for mTLS PoP, provides clear error messages, and expands test coverage to ensure correct behavior.

Key changes include:

mTLS PoP Validation and Error Handling

  • Added a mapping of unsupported sovereign cloud hosts for mTLS PoP (such as login.usgovcloudapi.net and login.chinacloudapi.cn) to specific error messages, and implemented fail-fast logic in RegionAndMtlsDiscoveryProvider to throw a clear exception if these hosts are used. Also, enforced that mTLS PoP is only supported for hosts starting with login..
  • Introduced a new error code MsalError.MtlsPopNotSupportedForEnvironment and corresponding error messages for unsupported hosts and non-login. hosts. [1] [2]

Public API Updates

  • Added the new error code MsalError.MtlsPopNotSupportedForEnvironment to the public API surface for multiple target frameworks. [1] [2] [3]

Test Coverage Improvements

  • Updated unit tests to remove cases for unsupported hosts from positive test scenarios and added new tests to verify that exceptions are thrown for unsupported sovereign and non-login. hosts, ensuring correct error codes and messages are returned. [1] [2]

Miscellaneous

  • Added a using System.Collections.Generic; directive to support the new dictionary in RegionAndMtlsDiscoveryProvider.
  • Added a test result log file.

These changes make the library more robust and user-friendly by preventing misconfiguration and providing clear guidance when unsupported environments are used.

Testing

No functional changes. Verified clean working tree and successful build.

Performance impact

None. Repository cleanup only.

Documentation

  • All relevant documentation is updated.

Copilot AI and others added 2 commits January 28, 2026 20:53
@gladjohn
Add mTLS PoP blocking for unsupported sovereign hosts
8d362e3 
Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>
@gladjohn
Address code review feedback - improve error messages and host compar…
154ecd2 
…ison

Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>
Copilot AI changed the title [WIP] Add error code for unsupported mTLS PoP hosts Block mTLS PoP for unsupported sovereign cloud endpoints Jan 28, 2026
Copilot AI requested a review from gladjohn January 28, 2026 21:17
gladjohn
gladjohn reviewed Jan 28, 2026
View reviewed changes
@gladjohn
Update public API files for new MsalError constant
530e82a 
Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>
Copilot AI requested a review from gladjohn January 28, 2026 21:35
@gladjohn
Copy link
Contributor

gladjohn commented Jan 28, 2026

well done @copilot, I am marking this PR ready for review now.

@gladjohn gladjohn marked this pull request as ready for review January 28, 2026 21:49
@gladjohn gladjohn requested a review from a team as a code owner January 28, 2026 21:49
@gladjohn gladjohn mentioned this pull request Jan 28, 2026
Merged
1 task
@neha-bhargava neha-bhargava self-requested a review January 29, 2026 00:50
@gladjohn
Refactor mTLS validation: use dictionary and move to fail-fast position
b20d273 
Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Jan 29, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • contoso.adfs.contoso.com
    • Triggering command: /usr/share/dotnet/dotnet /usr/share/dotnet/dotnet exec --runtimeconfig /home/REDACTED/work/microsoft-authentication-library-for-dotnet/microsoft-authentication-library-for-dotnet/tests/Microsoft.Identity.Test.Unit/bin/Debug/net8.0/Microsoft.Identity.Test.Unit.runtimeconfig.json --depsfile /home/REDACTED/work/microsoft-authentication-library-for-dotnet/microsoft-authentication-library-for-dotnet/tests/Microsoft.Identity.Test.Unit/bin/Debug/net8.0/Microsoft.Identity.Test.Unit.deps.json /home/REDACTED/work/microsoft-authentication-library-for-dotnet/microsoft-authentication-library-for-dotnet/tests/Microsoft.Identity.Test.Unit/bin/Debug/net8.0/testhost.dll --port 37569 --endpoint 127.0.0.1:037569 --role client --parentprocessid 4513 --telemetryoptedin false (dns block)
    • Triggering command: /usr/share/dotnet/dotnet /usr/share/dotnet/dotnet exec --runtimeconfig /home/REDACTED/work/microsoft-authentication-library-for-dotnet/microsoft-authentication-library-for-dotnet/tests/Microsoft.Identity.Test.Unit/bin/Debug/net8.0/Microsoft.Identity.Test.Unit.runtimeconfig.json --depsfile /home/REDACTED/work/microsoft-authentication-library-for-dotnet/microsoft-authentication-library-for-dotnet/tests/Microsoft.Identity.Test.Unit/bin/Debug/net8.0/Microsoft.Identity.Test.Unit.deps.json /home/REDACTED/work/microsoft-authentication-library-for-dotnet/microsoft-authentication-library-for-dotnet/tests/Microsoft.Identity.Test.Unit/bin/Debug/net8.0/testhost.dll --port 43979 --endpoint 127.0.0.1:043979 --role client --parentprocessid 4597 --telemetryoptedin false (dns block)
  • contoso.b2clogin.com
    • Triggering command: /usr/share/dotnet/dotnet /usr/share/dotnet/dotnet exec --runtimeconfig /home/REDACTED/work/microsoft-authentication-library-for-dotnet/microsoft-authentication-library-for-dotnet/tests/Microsoft.Identity.Test.Unit/bin/Debug/net8.0/Microsoft.Identity.Test.Unit.runtimeconfig.json --depsfile /home/REDACTED/work/microsoft-authentication-library-for-dotnet/microsoft-authentication-library-for-dotnet/tests/Microsoft.Identity.Test.Unit/bin/Debug/net8.0/Microsoft.Identity.Test.Unit.deps.json /home/REDACTED/work/microsoft-authentication-library-for-dotnet/microsoft-authentication-library-for-dotnet/tests/Microsoft.Identity.Test.Unit/bin/Debug/net8.0/testhost.dll --port 37569 --endpoint 127.0.0.1:037569 --role client --parentprocessid 4513 --telemetryoptedin false (dns block)
    • Triggering command: /usr/share/dotnet/dotnet /usr/share/dotnet/dotnet exec --runtimeconfig /home/REDACTED/work/microsoft-authentication-library-for-dotnet/microsoft-authentication-library-for-dotnet/tests/Microsoft.Identity.Test.Unit/bin/Debug/net8.0/Microsoft.Identity.Test.Unit.runtimeconfig.json --depsfile /home/REDACTED/work/microsoft-authentication-library-for-dotnet/microsoft-authentication-library-for-dotnet/tests/Microsoft.Identity.Test.Unit/bin/Debug/net8.0/Microsoft.Identity.Test.Unit.deps.json /home/REDACTED/work/microsoft-authentication-library-for-dotnet/microsoft-authentication-library-for-dotnet/tests/Microsoft.Identity.Test.Unit/bin/Debug/net8.0/testhost.dll --port 43979 --endpoint 127.0.0.1:043979 --role client --parentprocessid 4597 --telemetryoptedin false (dns block)
  • some.url.dsts.core.azure-test.net
    • Triggering command: /usr/share/dotnet/dotnet /usr/share/dotnet/dotnet exec --runtimeconfig /home/REDACTED/work/microsoft-authentication-library-for-dotnet/microsoft-authentication-library-for-dotnet/tests/Microsoft.Identity.Test.Unit/bin/Debug/net8.0/Microsoft.Identity.Test.Unit.runtimeconfig.json --depsfile /home/REDACTED/work/microsoft-authentication-library-for-dotnet/microsoft-authentication-library-for-dotnet/tests/Microsoft.Identity.Test.Unit/bin/Debug/net8.0/Microsoft.Identity.Test.Unit.deps.json /home/REDACTED/work/microsoft-authentication-library-for-dotnet/microsoft-authentication-library-for-dotnet/tests/Microsoft.Identity.Test.Unit/bin/Debug/net8.0/testhost.dll --port 37569 --endpoint 127.0.0.1:037569 --role client --parentprocessid 4513 --telemetryoptedin false (dns block)
    • Triggering command: /usr/share/dotnet/dotnet /usr/share/dotnet/dotnet exec --runtimeconfig /home/REDACTED/work/microsoft-authentication-library-for-dotnet/microsoft-authentication-library-for-dotnet/tests/Microsoft.Identity.Test.Unit/bin/Debug/net8.0/Microsoft.Identity.Test.Unit.runtimeconfig.json --depsfile /home/REDACTED/work/microsoft-authentication-library-for-dotnet/microsoft-authentication-library-for-dotnet/tests/Microsoft.Identity.Test.Unit/bin/Debug/net8.0/Microsoft.Identity.Test.Unit.deps.json /home/REDACTED/work/microsoft-authentication-library-for-dotnet/microsoft-authentication-library-for-dotnet/tests/Microsoft.Identity.Test.Unit/bin/Debug/net8.0/testhost.dll --port 43979 --endpoint 127.0.0.1:043979 --role client --parentprocessid 4597 --telemetryoptedin false (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI requested a review from gladjohn January 29, 2026 01:03
@gladjohn
Move Dictionary to using statement instead of fully qualified name
57109cf 
Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>
Copilot AI changed the title Add mTLS PoP validation for unsupported and non-login hosts Block mTLS PoP for unsupported sovereign hosts and enforce login.* prefix Jan 30, 2026
@gladjohn
Remove accidentally committed .mono build artifacts and update .gitig…
00c708f 
…nore

Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>
Copilot AI changed the title Block mTLS PoP for unsupported sovereign hosts and enforce login.* prefix Remove accidentally committed .mono build artifacts Jan 30, 2026
@gladjohn gladjohn changed the title Remove accidentally committed .mono build artifacts Add mTLS PoP validation for unsupported and non-login hosts Jan 30, 2026
@gladjohn gladjohn enabled auto-merge (squash) January 30, 2026 15:58
@gladjohn gladjohn mentioned this pull request Jan 30, 2026
Merged
@gladjohn gladjohn merged commit e036eb1 into main Jan 30, 2026
11 checks passed
@gladjohn gladjohn deleted the copilot/add-mtls-error-code-support branch January 30, 2026 18:26
neha-bhargava
neha-bhargava reviewed Jan 30, 2026
View reviewed changes
test_results.txt
@@ -0,0 +1,23 @@
Build started 01/29/2026 14:27:45.
Copy link
Contributor

@neha-bhargava neha-bhargava Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this file needed? Remove?

Copilot AI added a commit that referenced this pull request Jan 30, 2026
@gladjohn
Add mTLS PoP validation for unsupported and non-login hosts (#5684)
9976d6b 
* Initial plan

* Add mTLS PoP blocking for unsupported sovereign hosts

Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>

* Address code review feedback - improve error messages and host comparison

Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>

* Update public API files for new MsalError constant

Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>

* Refactor mTLS validation: use dictionary and move to fail-fast position

Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>

* Make error messages public and add validation for non-login hosts

Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>

* Revert error message constants from public to internal

Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>

* Change error message constants from internal to public for consistency

Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>

* Fix static field naming to follow s_camelCase convention

Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>

* Move Dictionary to using statement instead of fully qualified name

Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>

* Remove accidentally committed .mono build artifacts and update .gitignore

Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>

* Delete mtls_pop_test_results.txt

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>
Copilot AI mentioned this pull request Jan 31, 2026
Merged
1 task
This was referenced Feb 3, 2026
Open
Closed
Open
Merged
Closed
Closed
Closed
Closed
Open
Closed
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@neha-bhargava neha-bhargava neha-bhargava approved these changes

@bgavrilMS bgavrilMS bgavrilMS approved these changes

@trwalke trwalke trwalke approved these changes

+1 more reviewer

@gladjohn gladjohn gladjohn approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@gladjohn gladjohn

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@gladjohn @bgavrilMS @trwalke @neha-bhargava