Add mTLS Bearer token design specification#5848

Merged
gladjohn merged 1 commit into main from gladjohn-sni-mtls-bearer
Mar 31, 2026
Conversation

@gladjohn
Contributor

This PR adds app-level support for sending confidential client certificates over mTLS transport independently from token type.

Today, WithMtlsProofOfPossession() effectively drives both:

  • the token type (mTLS PoP)
  • the certificate transport path (mTLS)

That makes it hard to express the missing scenario:

  • mTLS transport + Bearer token

This change introduces a new certificate option:

```csharp
new CertificateOptions
{
    SendCertificateOverMtls = true
}
```

This keeps token type and certificate transport as separate concerns:

  • SendCertificateOverMtls controls how the certificate is sent
  • WithMtlsProofOfPossession() continues to control whether the request asks for PoP

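The following is an added, stand-alone illustration of the separation the PR describes; it is not MSAL.NET code and not part of the pull request. It models the two knobs as a small resolver: the app-level `CertificateOptions.SendCertificateOverMtls` flag (named in the PR) and the request-level `.WithMtlsProofOfPossession()` call (modelled here as a `RequestOptions.MtlsProofOfPossession` boolean, an assumption), and derives the resulting certificate transport and token type for each of the four combinations. The precedence rule applied (a request-level PoP request implies mTLS transport and overrides the app-level default) is inferred from the description above, not quoted from the spec; the enum and class names other than `CertificateOptions` and `SendCertificateOverMtls` are assumptions.

```csharp
using System;

// Added illustration, not MSAL.NET code. CertificateOptions and SendCertificateOverMtls
// are named in the PR; every other identifier here is an assumption for the model.
enum TokenType { Bearer, MtlsPop }
enum CertificateTransport { RequestBodyAssertion, MtlsHandshake }

sealed class CertificateOptions
{
    // App-level default: present the confidential client certificate in the TLS
    // handshake instead of as a signed client_assertion in the token request body.
    public bool SendCertificateOverMtls { get; set; }
}

sealed class RequestOptions
{
    // Request-level knob, standing in for a call to .WithMtlsProofOfPossession().
    public bool MtlsProofOfPossession { get; set; }
}

static class CertificateTransportResolver
{
    public static (CertificateTransport Transport, TokenType TokenType) Resolve(
        CertificateOptions app, RequestOptions request)
    {
        // Assumed precedence: asking for a PoP token at request level still implies
        // mTLS transport, so it wins over whatever the app-level default says.
        if (request.MtlsProofOfPossession)
            return (CertificateTransport.MtlsHandshake, TokenType.MtlsPop);

        // Without PoP the token is a Bearer token; only the transport is configurable.
        // SendCertificateOverMtls = true is the scenario the PR adds: mTLS + Bearer.
        return app.SendCertificateOverMtls
            ? (CertificateTransport.MtlsHandshake, TokenType.Bearer)
            : (CertificateTransport.RequestBodyAssertion, TokenType.Bearer);
    }
}

static class Program
{
    static void Main()
    {
        // Print the full behaviour matrix so the four cases can be checked at a glance.
        foreach (var sendOverMtls in new[] { false, true })
        {
            foreach (var pop in new[] { false, true })
            {
                var (transport, tokenType) = CertificateTransportResolver.Resolve(
                    new CertificateOptions { SendCertificateOverMtls = sendOverMtls },
                    new RequestOptions { MtlsProofOfPossession = pop });
                Console.WriteLine(
                    $"SendCertificateOverMtls={sendOverMtls,-5} PoP={pop,-5} -> {transport}, {tokenType}");
            }
        }
    }
}
```

The structure of `Resolve` encodes the one invariant a reviewer would want enforced in the real implementation: an mTLS PoP token is never paired with request-body assertion transport, while Bearer tokens may use either path.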
Contributor

Copilot AI left a comment


Pull request overview

Adds a design mini-spec documenting a proposed API/config change to decouple token type (Bearer vs mTLS PoP) from certificate transport (request-body assertion vs mTLS handshake) for confidential client certificates, enabling the “mTLS transport + Bearer token” scenario.

Changes:

  • Introduces a new proposed CertificateOptions.SendCertificateOverMtls flag (design-level) and defines its intended semantics.
  • Documents precedence rules between app-level defaults and request-level .WithMtlsProofOfPossession().
  • Adds a behavior matrix plus validation/implementation/testing notes for the new scenario.

Contributor

@neha-bhargava neha-bhargava left a comment


Looks good.

@gladjohn gladjohn merged commit 9e18cb3 into main Mar 31, 2026
16 checks passed
@gladjohn gladjohn deleted the gladjohn-sni-mtls-bearer branch March 31, 2026 21:47