
Enable mTLS PoP with client assertion flow#5659

Closed
Copilot wants to merge 3 commits into main from copilot/enable-bearer-mtls-assertion-flow


Copilot AI commented Jan 15, 2026

Changes proposed in this request

Enables mTLS Proof-of-Possession when using client assertions by selecting the correct assertion type (jwt-pop vs jwt-bearer) based on certificate presence.

Prior to this change, ClientAssertionDelegateCredential ignored the TokenBindingCertificate property when constructing token requests, always using bearer assertions. The certificate setup in InitMtlsPopParametersAsync was never utilized.

Core change:

  • ClientAssertionDelegateCredential.AddConfidentialClientParametersAsync(): checks whether mTLS PoP is requested and a certificate is provided, and uses the jwt-pop assertion type accordingly

Usage:

var app = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithClientAssertion((opts, ct) => Task.FromResult(new ClientSignedAssertion
    {
        Assertion = "eyJ...",  // Your JWT
        TokenBindingCertificate = cert  // Optional: enables mTLS PoP
    }))
    .WithAzureRegion(region)
    .Build();

// Token request with mTLS binding
var result = await app.AcquireTokenForClient(scopes)
    .WithMtlsProofOfPossession()
    .ExecuteAsync();

// result.BindingCertificate contains the cert used

Testing

Added unit tests:

  • ClientAssertion_WithMtlsPop_SuccessAsync: Validates certificate binding, token type, and cache behavior
  • ClientAssertion_WithMtlsPop_BearerFlow_SuccessAsync: Validates bearer flow when certificate omitted
  • ClientAssertion_WithMtlsPop_SendsJwtPopAssertionTypeAsync: Validates jwt-pop assertion type sent to token endpoint

Performance impact

None. Changes are in assertion type selection logic only.

Documentation

  • All relevant documentation is updated.

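The selection rule the PR describes (jwt-pop only when mTLS PoP is requested and a TokenBindingCertificate is present, otherwise jwt-bearer), together with the client-side check a consumer should make that the returned token is actually bound to that certificate, as an added example. This is illustrative Python, not MSAL.NET code: the jwt-pop URN, the field names and the certificate bytes are assumptions or constructed values, and the binding check uses the RFC 8705 `cnf` / `x5t#S256` claim rather than any MSAL-specific API.

```python
import base64
import hashlib
from typing import Optional

# jwt-bearer is the RFC 7523 assertion type; the jwt-pop URN is assumed to follow the
# same pattern (the PR text only names the short forms "jwt-pop" and "jwt-bearer").
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
JWT_POP = "urn:ietf:params:oauth:client-assertion-type:jwt-pop"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT claims."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 certificate thumbprint: base64url(SHA-256(DER-encoded certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())


def build_token_request(assertion: str, scope: str, mtls_pop_requested: bool,
                        cert_der: Optional[bytes]) -> dict:
    """Form body for the token endpoint, choosing the assertion type the way the PR does:
    jwt-pop only when PoP was requested AND a binding certificate was supplied; with no
    certificate the request falls back to the bearer assertion flow."""
    use_pop = mtls_pop_requested and cert_der is not None
    return {
        "grant_type": "client_credentials",
        "scope": scope,
        "client_assertion_type": JWT_POP if use_pop else JWT_BEARER,
        "client_assertion": assertion,
    }


def verify_binding(claims: dict, cert_der: bytes) -> bool:
    """Client-side check that an access token's cnf claim matches the certificate the
    request was bound to. A PoP token without cnf, or with a different thumbprint, is
    not bound to this cert and must not be treated as a PoP token."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False
    return cnf.get("x5t#S256") == x5t_s256(cert_der)


# Constructed stand-in for a DER certificate; not a real certificate.
CERT_DER = b"constructed-not-a-real-certificate"

if __name__ == "__main__":
    req = build_token_request("eyJ.example.jwt", "api://example/.default", True, CERT_DER)
    print(req["client_assertion_type"])
    print(verify_binding({"cnf": {"x5t#S256": x5t_s256(CERT_DER)}}, CERT_DER))
```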

Copilot AI and others added 2 commits January 16, 2026 00:05
Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>
Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Implement proof of possession using mTLS for client assertion" to "Enable mTLS PoP with client assertion flow" on Jan 16, 2026
Copilot AI requested a review from gladjohn January 16, 2026 00:12
@gladjohn gladjohn closed this Jan 16, 2026