[FEATURE REQ] Support zero-touch certificate rotation in ClientCertificateCredential
Library or service name: Azure.Identity

Is your feature request related to a problem? Please describe.

In our service, certificates are retrieved from Key Vault. We use SNI authentication. Certificates can be rotated at any time while the service is running and we want zero-touch certificate rotation, i.e. you shouldn't have to restart the app just because certificates have been rotated. Rather, the service should periodically go back to Key Vault and, if there's a new version, the service should automatically pick it up and use it when OAuth tokens expire. We have a (self-imposed) 4 hour SLA for responding to certificate rotation events and renewing tokens.
To do this, we wrote custom code in a class derived from `TokenCredential` that implements both SNI and certificate refresh. To implement certificate refresh, we introduced an `ICertificateProvider` interface. This is similar to the internal `ClientCertificateCredential.IX509Certificate2Provider` interface, but it is used not only for constructing the `ConfidentialClientApplication`, but also inside `AcquireTokenForClientAsync`.
My proposal is:

- Un-nest `IX509Certificate2Provider` and make it public:

```csharp
namespace Azure.Identity
{
    public interface IX509Certificate2Provider
    {
        ValueTask<X509Certificate2> GetCertificateAsync(bool async, CancellationToken cancellationToken);
    }
}
```

- Add a constructor overload on `ClientCertificateCredential` that accepts an `IX509Certificate2Provider`:

```csharp
public ClientCertificateCredential(string tenantId, string clientId, IX509Certificate2Provider certificateProvider, ClientCertificateCredentialOptions options);
```

- Update `MsalConfidentialClient` to call `GetCertificateAsync` each time `AcquireTokenForClientAsync` is called and cache the resulting `X509Certificate2` object. If the value changes (due to a certificate refresh), then the confidential client needs to be recreated or updated. This part is tricky, I realize, but that's why I'd like the SDK to take care of it for us.
You do have to be clear about the semantics of `IX509Certificate2Provider` since certificates are `IDisposable`: does the caller take ownership of the returned certificate, for example?
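The following is an added illustration of the proposal, not code from Azure.Identity or from the issue author: a Key Vault-backed provider with the proposed interface shape, and a custom `TokenCredential` that re-asks the provider on every token request and rebuilds the MSAL confidential client when the certificate thumbprint changes. It assumes the `Azure.Security.KeyVault.Certificates` and `Microsoft.Identity.Client` packages; the class names `KeyVaultCertificateProvider` and `RotatingClientCertificateCredential` are hypothetical.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Security.KeyVault.Certificates;
using Microsoft.Identity.Client;

// Local copy of the interface proposed in this issue (assumed shape; it is not public in Azure.Identity today).
public interface IX509Certificate2Provider {
    ValueTask<X509Certificate2> GetCertificateAsync(bool async, CancellationToken cancellationToken);
}

// Re-downloads the latest Key Vault version once the refresh interval (e.g. 4 hours) has elapsed.
// Ownership answer chosen here: the provider keeps the certificates it returns; callers must not dispose them.
public sealed class KeyVaultCertificateProvider : IX509Certificate2Provider {
    private readonly CertificateClient _client; private readonly string _name; private readonly TimeSpan _refresh;
    private X509Certificate2 _current; private DateTimeOffset _fetchedAt = DateTimeOffset.MinValue;
    public KeyVaultCertificateProvider(Uri vaultUri, string certificateName, TokenCredential credential, TimeSpan refresh) { _client = new CertificateClient(vaultUri, credential); _name = certificateName; _refresh = refresh; }
    public async ValueTask<X509Certificate2> GetCertificateAsync(bool async, CancellationToken ct) {
        if (_current != null && DateTimeOffset.UtcNow - _fetchedAt < _refresh) return _current;
        // DownloadCertificate(Async) returns the latest enabled version together with its private key.
        _current = async ? await _client.DownloadCertificateAsync(_name, cancellationToken: ct).ConfigureAwait(false)
                         : _client.DownloadCertificate(_name, cancellationToken: ct);
        _fetchedAt = DateTimeOffset.UtcNow;
        return _current;
    }
}

// Asks the provider on every token request and rebuilds the MSAL client when the thumbprint changes (the behaviour the issue asks MsalConfidentialClient to take on).
public sealed class RotatingClientCertificateCredential : TokenCredential {
    private readonly string _tenantId, _clientId; private readonly IX509Certificate2Provider _provider;
    private readonly object _gate = new object(); private IConfidentialClientApplication _app; private string _thumbprint;
    public RotatingClientCertificateCredential(string tenantId, string clientId, IX509Certificate2Provider provider) { _tenantId = tenantId; _clientId = clientId; _provider = provider; }
    public override async ValueTask<AccessToken> GetTokenAsync(TokenRequestContext context, CancellationToken ct) {
        X509Certificate2 cert = await _provider.GetCertificateAsync(true, ct).ConfigureAwait(false);
        IConfidentialClientApplication app;
        lock (_gate) {
            if (_app == null || cert.Thumbprint != _thumbprint) { // rotation observed: recreate the client
                _app = ConfidentialClientApplicationBuilder.Create(_clientId)
                    .WithAuthority(AzureCloudInstance.AzurePublic, _tenantId)
                    .WithCertificate(cert, sendX5C: true) // x5c header carries the chain, which SNI authentication relies on
                    .Build();
                _thumbprint = cert.Thumbprint;
            }
            app = _app;
        }
        AuthenticationResult result = await app.AcquireTokenForClient(context.Scopes).ExecuteAsync(ct).ConfigureAwait(false);
        return new AccessToken(result.AccessToken, result.ExpiresOn);
    }
    public override AccessToken GetToken(TokenRequestContext context, CancellationToken ct) => GetTokenAsync(context, ct).AsTask().GetAwaiter().GetResult();
}
```

Rebuilding the MSAL client discards its in-memory token cache, so the first request after a rotation always goes to the token endpoint with the new certificate; tokens issued under the old certificate that are still in flight stay valid until they expire.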
Issue analytics: created 3 years ago; reactions: 5; comments: 7 (6 by maintainers).
Top GitHub Comments
Any update on the original ask of making `IX509Certificate2Provider` public as well as the new ctor on `ClientCertificateCredential`? A bunch of services we own will benefit from this, i.e. being able to dynamically retrieve and use new certs from KV periodically without restarting the app.
#27315