[BUG] OnBehalfOfCredentialOptions.SendCertificateChain value isn't sent to MSAL while getting a token

[degant]

Library name and version

Azure.Identity 1.5.0

Describe the bug

I'm trying to request an OBO token using Azure.Identity. We were previously doing this using MSAL directly but now trying to move over to Azure.Identity. Here's what I tried:

var credential = new OnBehalfOfCredential(tenantId, clientId, clientCertificate, userAssertion, new OnBehalfOfCredentialOptions()
{
    SendCertificateChain = true,
});

When I try this I get an error back from AAD:

Microsoft.Identity.Client.MsalServiceException (0x80131500): AADSTS70003: The app requested an unsupported grant type 'urn:ietf:params:oauth:grant-type:jwt-bearer'

I enabled logging for azure-sdk-net and noticed that MSAL has SendX5C set to false even though I passed it as true into the OBOCredential object:

3/21/2022 4:38:51 PM OnBehalfOfCredential.GetToken invoked. Scopes: [ https://graph.microsoft.com/.default ] ParentRequestId:
3/21/2022 4:38:55 PM False MSAL 4.36.1.0 MSAL.NetCore .NET Core 3.1.0 Microsoft Windows 10.0.22000 [03/21 23:38:51.88 - 06a96b08-14d3-4957-b0c5-09a189a1dec9] MSAL MSAL.NetCore with assembly version '4.36.1.0'. CorrelationId(06a96b08-14d3-4957-b0c5-09a189a1dec9)
3/21/2022 4:38:57 PM False MSAL 4.36.1.0 MSAL.NetCore .NET Core 3.1.0 Microsoft Windows 10.0.22000 [03/21 23:38:55.77 - 06a96b08-14d3-4957-b0c5-09a189a1dec9] === OnBehalfOfParameters ===
SendX5C: False
ForceRefresh: False

I tried to follow the code to see if I was missing some other property. Here's what I found so far.

• OnBehalfOfCredential does pass in the property SendCertificateChain into MsalConfidentialClient
• MsalConfidentialClient initializes the property _includeX5CClaimHeader
• However _includeX5CClaimHeader is not used while building the IConfidentialClientApplication in AcquireTokenOnBehalfOf(). It is being used only during AcquireTokenForClientAsync() which is used by ClientCertificateCredential and ClientSecretCredential

Based on my limited knowledge, this could be fixed by passing .WithSendX5C(_includeX5CClaimHeader) while building the client during the OBO flow at this line but I could be wrong. Happy to send out a PR, let me know if this makes sense.

Expected behavior

OnBehalfOfCredential should leverage OnBehalfOfCredentialOptions.SendCertificateChain and pass it into MSAL

Actual behavior

OnBehalfOfCredential isn't passing in OnBehalfOfCredentialOptions.SendCertificateChain to MSAL:

3/21/2022 4:38:51 PM OnBehalfOfCredential.GetToken invoked. Scopes: [ https://graph.microsoft.com/.default ] ParentRequestId:
3/21/2022 4:38:55 PM False MSAL 4.36.1.0 MSAL.NetCore .NET Core 3.1.0 Microsoft Windows 10.0.22000 [03/21 23:38:51.88 - 06a96b08-14d3-4957-b0c5-09a189a1dec9] MSAL MSAL.NetCore with assembly version '4.36.1.0'. CorrelationId(06a96b08-14d3-4957-b0c5-09a189a1dec9)
3/21/2022 4:38:57 PM False MSAL 4.36.1.0 MSAL.NetCore .NET Core 3.1.0 Microsoft Windows 10.0.22000 [03/21 23:38:55.77 - 06a96b08-14d3-4957-b0c5-09a189a1dec9] === OnBehalfOfParameters ===
SendX5C: False
ForceRefresh: False

Reproduction Steps

Create a OBO credential object and try to request a token while using certificate:

var credential = new OnBehalfOfCredential(tenantId, clientId, clientCertificate, userAssertion, new OnBehalfOfCredentialOptions()
            {
                SendCertificateChain = true,
            });
var token = await credential.GetTokenAsync(requestContext, default);

Environment

No response

[jsquire]

Thank you for your feedback. Tagging and routing to the team member best able to assist.

[degant]

@christothes what version of Azure.Identity will the fix be available in?

[christothes]

@christothes what version of Azure.Identity will the fix be available in?

The next version releasing in a couple weeks.