
Conversation

gladjohn
Contributor

@gladjohn gladjohn commented Aug 20, 2025

Fixes - adds the key management logic for MSI flows, aka CSK (client-side keys)

This will not be merged as is. Instead will go into the MSI v2 feature branch.

This pull request introduces a new abstraction for Managed Identity key management, allowing for improved flexibility and security in how authentication keys are created and sourced. The main changes include the addition of provider classes for key creation (with platform-specific logic for Windows), a new interface for key providers, and integration of this abstraction into the authentication request flow. The implementation prioritizes secure hardware-backed keys and falls back to in-memory keys as needed.

Managed Identity Key Provider Abstraction

  • Introduced the IManagedIdentityKeyProvider interface (src/client/Microsoft.Identity.Client/ManagedIdentity/IManagedIdentityKeyProvider.cs) and the ManagedIdentityKeyInfo class to encapsulate key details and provider messages. [1] [2]

Platform-Specific Key Providers

  • Added InMemoryManagedIdentityKeyProvider, which generates and caches an RSA key in memory for authentication scenarios.
  • Added WindowsManagedIdentityKeyProvider, which attempts to source keys from KeyGuard (VBS isolation) or a hardware TPM/KSP, falling back to in-memory keys, with detailed logging and error handling.
  • Added supporting helpers for Windows key operations, including KeyGuard and hardware-backed key creation (WindowsCngKeyOperations, KeyGuardHelper). [1] [2]

Integration with Authentication Flow

  • Updated ManagedIdentityAuthRequest to use the new key provider abstraction, retrieving the best available key for authentication. [1] [2]

Dependency Management

  • Adjusted Directory.Packages.props to ensure System.Security.Cryptography.Cng is included as a private asset for key provider functionality. [1] [2]
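As an added example (not code from this PR or from MSAL.NET), the following C# sketches the provider chain the description above lays out: a WindowsManagedIdentityKeyProvider that first tries a KeyGuard key on the Microsoft Software Key Storage Provider, then a TPM key via the Platform Crypto Provider, and otherwise defers to an InMemoryManagedIdentityKeyProvider. The type names mirror the PR's, but their members, the key names, the NCrypt flag values and the "Virtual Iso" property name are assumptions taken from ncrypt.h and general CNG usage, not from the PR's code.

```csharp
// Added example, not code from this PR or MSAL.NET. Type names mirror the PR; members,
// key names, flag values and the "Virtual Iso" property are assumptions.
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;

enum KeySource { KeyGuard, Hardware, InMemory }

// Key plus provenance, so the caller knows whether a token bound to it is hardware-backed.
sealed record ManagedIdentityKeyInfo(RSA Key, KeySource Source, string Message);

interface IManagedIdentityKeyProvider
{
    ManagedIdentityKeyInfo GetOrCreateKey(Action<string> log);
}

// Last resort: one RSA-2048 key generated and cached in process memory.
sealed class InMemoryManagedIdentityKeyProvider : IManagedIdentityKeyProvider
{
    private readonly object _lock = new();
    private RSA? _cached;

    public ManagedIdentityKeyInfo GetOrCreateKey(Action<string> log)
    {
        lock (_lock)
        {
            _cached ??= RSA.Create(2048);
            return new(_cached, KeySource.InMemory, "In-memory RSA-2048 key; not hardware-backed.");
        }
    }
}

sealed class WindowsManagedIdentityKeyProvider : IManagedIdentityKeyProvider
{
    // Assumed from ncrypt.h: NCRYPT_USE_VIRTUAL_ISOLATION_FLAG, NCRYPT_USE_PER_BOOT_KEY_FLAG.
    private const CngKeyCreationOptions VirtualIsolation = (CngKeyCreationOptions)0x00020000;
    private const CngKeyCreationOptions PerBootKey = (CngKeyCreationOptions)0x00040000;
    private static readonly CngProvider Tpm = new("Microsoft Platform Crypto Provider");
    private readonly IManagedIdentityKeyProvider _fallback = new InMemoryManagedIdentityKeyProvider();

    public ManagedIdentityKeyInfo GetOrCreateKey(Action<string> log)
    {
        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
            return _fallback.GetOrCreateKey(log);

        // 1. KeyGuard: private half lives in a VBS enclave and is regenerated each boot.
        //    Creation can succeed without isolation on hosts lacking KeyGuard, so verify it.
        if (TryCreate("msal-msi-keyguard", CngProvider.MicrosoftSoftwareKeyStorageProvider,
                      VirtualIsolation | PerBootKey, log, out RSACng? kg))
        {
            if (kg!.Key.HasProperty("Virtual Iso", CngPropertyOptions.None)) // assumed property name
                return new(kg, KeySource.KeyGuard, "KeyGuard (VBS-isolated, per-boot) key.");
            log("Key created but not VBS-isolated; KeyGuard unavailable on this host.");
            kg.Dispose();
        }

        // 2. TPM-resident key through the Platform Crypto Provider KSP.
        if (TryCreate("msal-msi-tpm", Tpm, CngKeyCreationOptions.None, log, out RSACng? tpm))
            return new(tpm!, KeySource.Hardware, "TPM-backed key via the Platform Crypto Provider.");

        log("No hardware-backed key available; falling back to an in-memory key.");
        return _fallback.GetOrCreateKey(log);
    }

    private static bool TryCreate(string name, CngProvider provider, CngKeyCreationOptions options,
                                  Action<string> log, out RSACng? rsa)
    {
        rsa = null;
        try
        {
            CngKey key;
            if (CngKey.Exists(name, provider))
            {
                key = CngKey.Open(name, provider);
            }
            else
            {
                var p = new CngKeyCreationParameters
                {
                    Provider = provider,
                    KeyCreationOptions = options,
                    ExportPolicy = CngExportPolicies.None, // private key must never be exportable
                    KeyUsage = CngKeyUsages.Signing,
                };
                p.Parameters.Add(new CngProperty("Length", BitConverter.GetBytes(2048), CngPropertyOptions.None));
                key = CngKey.Create(CngAlgorithm.Rsa, name, p);
            }
            rsa = new RSACng(key);
            return true;
        }
        catch (Exception ex) when (ex is CryptographicException or PlatformNotSupportedException)
        {
            log($"{provider.Provider}: {ex.Message}");
            return false;
        }
    }
}

static class Program
{
    static void Main()
    {
        IManagedIdentityKeyProvider provider = new WindowsManagedIdentityKeyProvider();
        ManagedIdentityKeyInfo info = provider.GetOrCreateKey(Console.Error.WriteLine);
        Console.WriteLine($"{info.Source}: {info.Message}");

        // Prove the key is usable without touching the private half: sign and verify a nonce.
        byte[] nonce = RandomNumberGenerator.GetBytes(32);
        byte[] sig = info.Key.SignData(nonce, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
        bool ok = info.Key.VerifyData(nonce, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
        Console.WriteLine(ok ? "signature OK" : "signature FAILED");
    }
}
```

The point a reviewer would want to see enforced is the provenance check after creation: a caller that binds a token to this key should treat only KeyGuard and Hardware sources as attestable, and the "Virtual Iso" check exists because requesting VBS isolation is not the same as obtaining it. Export policy is pinned to None on every tier so the private key can never be pulled out of the KSP.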

@gladjohn gladjohn changed the title from "draft - msi v2 client side keys" to "MSI V2 client side keys" Aug 25, 2025
@gladjohn gladjohn marked this pull request as ready for review August 25, 2025 17:30
@gladjohn gladjohn requested a review from a team as a code owner August 25, 2025 17:30
@gladjohn gladjohn force-pushed the gladjohn/msi_vs_keys branch from 292436c to c813ed0 August 27, 2025 23:03
@gladjohn gladjohn force-pushed the gladjohn/msi_vs_keys branch 3 times, most recently from 2b237ff to 6578b06 September 2, 2025 00:41
@gladjohn gladjohn force-pushed the gladjohn/msi_vs_keys branch from 6578b06 to df59d37 September 4, 2025 13:26
Contributor

@MZOLN MZOLN left a comment


General feedback

@Robbie-Microsoft Robbie-Microsoft changed the base branch from main to rginsburg/msiv2_feature_branch September 17, 2025 14:07
@Robbie-Microsoft Robbie-Microsoft merged commit 774e01e into rginsburg/msiv2_feature_branch Sep 19, 2025
3 checks passed
@Robbie-Microsoft Robbie-Microsoft deleted the gladjohn/msi_vs_keys branch September 19, 2025 16:40

4 participants