docs: Guidance for higher-level SDKs to consume MSAL mTLS PoP#933
Open
gladjohn wants to merge 2 commits into
Conversation
Explains how azure-identity and other SDKs can integrate with the MSI v2 mTLS Proof-of-Possession API. Covers:
- Public API surface and return value contract
- WindowsCertificate object (accurate property names)
- Step-by-step integration pattern (credential -> transport)
- SchannelSession usage (cert in constructor, not per-request)
- No-fallback behavior matching MSAL .NET
- End-user DX goal (zero mTLS awareness)
- .NET comparison table
- Minimum integration example
- Future OpenSSL 3 CNG Provider path

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Pull request overview
Adds a new documentation page intended to guide higher-level Azure SDKs in consuming MSAL Python’s Managed Identity v2 mTLS Proof-of-Possession (PoP) integration pattern (credential → transport) and related return-value/typing contracts.
Changes:
- Introduces a new guidance document describing an mTLS PoP consumption model for higher-level SDKs.
- Provides sample code for credential integration, auth header construction, and SChannel-based transport usage.
- Documents intended API contracts (parameters, return keys, and key object types) for the integration.
- Add prerequisite note: APIs come from PR #931, not yet on dev
- Note this is standalone docs (not Sphinx-rendered)
- Fix rstrip('/.default') -> removesuffix('/.default')
- Fix AccessToken usage: store token_type on credential (not AccessToken)
- Fix auth policy: read token_type from credential, not token object

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
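The two fixes named in that commit, shown side by side as an added illustration rather than code from this PR or from MSAL Python: why rstrip('/.default') is wrong for turning a scope into a resource, and why the token type has to live on the credential when azure-core's AccessToken has no field for it. The credential class, its attribute names and the "mtls_pop" token type are assumptions.

```python
from collections import namedtuple

# Constructed stand-in for azure.core.credentials.AccessToken: it carries only
# the token string and its expiry, so there is nowhere to put a token type.
AccessToken = namedtuple("AccessToken", ["token", "expires_on"])


def scope_to_resource_buggy(scope: str) -> str:
    # str.rstrip() removes trailing characters from a SET, not a suffix. For
    # "https://vault.azure.net/.default" it also eats the 't' and 'e' of ".net"
    # because those letters are in the set "/.default".
    return scope.rstrip("/.default")


def scope_to_resource(scope: str) -> str:
    # str.removesuffix() (Python 3.9+) strips exactly one "/.default" suffix
    # and leaves scopes without it untouched.
    return scope.removesuffix("/.default")


class MtlsPopCredential:
    """Hypothetical credential following the commit's pattern: the token type
    reported by the token endpoint is stored on the credential object."""

    def __init__(self, token: str, expires_on: int, token_type: str) -> None:
        self._token = token
        self._expires_on = expires_on
        # Assumed value for mTLS PoP tokens is "mtls_pop"; a plain bearer
        # token would report "Bearer". Either way it is not on AccessToken.
        self.token_type = token_type
        self.last_resource = None

    def get_token(self, *scopes: str) -> AccessToken:
        # The managed identity endpoint wants a resource, not a scope.
        self.last_resource = scope_to_resource(scopes[0])
        return AccessToken(self._token, self._expires_on)


def build_auth_header(credential: MtlsPopCredential, scope: str) -> str:
    """Auth policy: scheme from the credential, value from the AccessToken."""
    token = credential.get_token(scope)
    return f"{credential.token_type} {token.token}"
```

The header scheme is only meaningful when the same client certificate is presented on the transport, which is the transport side of the credential -> transport pattern the document describes.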
Summary
Adds a single documentation file explaining how higher-level SDKs (e.g., azure-identity, azure-sdk-for-python) can integrate with the MSI v2 mTLS Proof-of-Possession API.
This PR contains only documentation — no code changes.
Contents
- WindowsCertificate object properties and methods (accurate to implementation)
- SchannelSession usage (certificate in constructor, not per-request)
- MtlsPopTokenNotSupportedinImdsV1)
Related
- GetManagedIdentityCapabilitiesAsync)