Adds MSI v2 (mTLS PoP) support: mtls_proof_of_possession and with_attestation_support APIs#882

Open
Copilot wants to merge 4 commits into dev from copilot/gladjohnmsi-v2-poc
Copilot AI commented Feb 24, 2026

Fixes #883

Description

Adds opt-in MSI v2 (mTLS Proof-of-Possession) support to ManagedIdentityClient, enabling certificate-bound mtls_pop tokens via Windows KeyGuard + attestation. MSI v2 activates only when both new per-call flags are True; all other paths are unchanged.

API surface

import requests
from msal import ManagedIdentityClient, SystemAssignedManagedIdentity

# Client construction added for a complete snippet; a system-assigned identity is used here as an example
client = ManagedIdentityClient(SystemAssignedManagedIdentity(), http_client=requests.Session())
result = client.acquire_token_for_client(
    resource="https://mtlstb.graph.microsoft.com",
    mtls_proof_of_possession=True,   # triggers /issuecredential + mTLS PoP flow
    with_attestation_support=True,   # KeyGuard attestation via AttestationClientLib.dll
)
# result["token_type"] == "mtls_pop"

[Screenshot: two calls to IDP, MAA called only once]
  • mtls_proof_of_possession=True alone → falls through to MSI v1 (no-op)
  • with_attestation_support=True without PoP → raises ManagedIdentityError immediately
  • MSI v2 failure raises MsiV2Error; no silent fallback to v1

New modules

  • msal/msi_v2.py — End-to-end Windows flow: NCrypt KeyGuard RSA key → PKCS#10 CSR (RSA-PSS/SHA-256, cuId OID attribute) → IMDS /getplatformmetadata + /issuecredential → Crypt32 cert binding → WinHTTP/SChannel mTLS token request. Pure ctypes; no pythonnet.
  • msal/msi_v2_attestation.py — P/Invoke bindings to AttestationClientLib.dll for KeyGuard key attestation.

Changes to existing modules

  • msal/managed_identity.py — MsiV2Error(ManagedIdentityError) added; acquire_token_for_client() gains two new keyword-only bool params with full docstrings.
  • msal/__init__.py — Exports MsiV2Error.

Samples & tests

  • sample/msi_v2_sample.py — Full E2E sample (strict mtls_pop mode, optional endpoint call, env-var config).
  • run_msi_v2_once.py + msi-v2-sample.spec — Minimal one-shot sample and PyInstaller build spec.
  • tests/test_msi_v2.py — Unit tests covering thumbprint helpers, verify_cnf_binding, and gating behavior (all mocked; no IMDS/KeyGuard dependency).
Original prompt

Create Single-Commit MSI v2 (mTLS PoP) Support PR

Create a new pull request that consolidates all changes from PR #877 into a single commit. The PR should:

  • Branch: Create from dev and name it gladjohn/msi-v2-poc
  • Files to include (8 files total, 2,421 lines added):
    1. msal/__init__.py - Export MsiV2Error
       • Add MsiV2Error to the imports from managed_identity module
    2. msal/managed_identity.py - Core MSI v2 integration (46 additions, 1 deletion)
       • Add MsiV2Error exception class
       • Add mtls_proof_of_possession and with_attestation_support parameters to acquire_token_for_client()
       • Add MSI v2 opt-in logic: use MSI v2 only when BOTH flags are True
       • Add validation that with_attestation_support requires mtls_proof_of_possession
       • Call msal.msi_v2.obtain_token() when both flags are True
    3. msal/msi_v2.py - Complete MSI v2 implementation (1,595 additions - new file)
       • Windows KeyGuard + Attestation + SChannel mTLS PoP flow
       • IMDS helpers and constants
       • Win32 API bindings via ctypes (NCrypt, Crypt32, WinHTTP)
       • DER encoding helpers for PKCS#10 CSR
       • CNG/NCrypt key generation and signing
       • Certificate binding to CNG key
       • WinHTTP mTLS token endpoint communication
       • Public obtain_token() function
    4. msal/msi_v2_attestation.py - Windows attestation support (182 additions - new file)
       • P/Invoke bindings to AttestationClientLib.dll
       • get_attestation_jwt() function for KeyGuard attestation
    5. msi-v2-sample.spec - PyInstaller configuration (45 additions - new file)
       • Build spec for standalone MSI v2 sample executable
    6. run_msi_v2_once.py - Minimal sample (56 additions - new file)
       • Simple one-shot MSI v2 token acquisition example
       • Strict mode: only succeeds with mtls_pop token type
    7. sample/msi_v2_sample.py - Full sample (175 additions - new file)
       • Comprehensive MSI v2 example with logging, environment variable support
       • Optional resource endpoint call
       • Designed for Windows Azure VM with Credential Guard
    8. tests/test_msi_v2.py - Unit tests (321 additions - new file)
       • Certificate thumbprint helper tests
       • CNF binding verification tests
       • ManagedIdentityClient gating behavior tests
       • MSI v2 strict error handling tests

Title: [POC] Adds MSI v2 (mTLS PoP) support: mtls_proof_of_possession and with_attestation_support APIs

Description:
Consolidates MSI v2 (mTLS Proof-of-Possession) support with Windows KeyGuard attestation into a single commit. This implementation:

  • Adds opt-in MSI v2 API via mtls_proof_of_possession and with_attestation_support flags
  • Windows-only: uses ctypes to call NCrypt (CNG key creation), Crypt32 (certificate binding), and WinHTTP (mTLS)
  • No MSI v1 fallback when MSI v2 is explicitly requested
  • Includes comprehensive samples and unit tests
  • Security-focused: non-exportable VBS/KeyGuard isolated RSA keys, strict certificate binding

This pull request was created from Copilot chat.


Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>
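An added Python illustration, not code from this PR or from MSAL, of the two behaviours the description states: the per-call flag gating in acquire_token_for_client (both flags → MSI v2, PoP alone → v1, attestation without PoP → ManagedIdentityError) and the cnf binding check that tests/test_msi_v2.py covers as verify_cnf_binding. The exception classes are local stand-ins for the MSAL ones, select_flow, make_unsigned_sample_token and SAMPLE_CERT_DER are constructed for this example, and the thumbprint is assumed to be the x5t#S256 form (base64url of the SHA-256 over the DER certificate), since the page does not show the helper's exact encoding.

```python
import base64
import hashlib
import json


class ManagedIdentityError(Exception):
    """Local stand-in for msal.ManagedIdentityError (hypothetical)."""


class MsiV2Error(ManagedIdentityError):
    """Local stand-in for the MsiV2Error subclass the PR adds."""


def select_flow(mtls_proof_of_possession=False, with_attestation_support=False):
    """Return "v2" or "v1" following the gating rules in the PR description.

    both flags True               -> MSI v2 (mTLS PoP)
    PoP flag alone                -> falls through to MSI v1
    attestation flag without PoP  -> ManagedIdentityError raised immediately
    """
    if with_attestation_support and not mtls_proof_of_possession:
        raise ManagedIdentityError(
            "with_attestation_support requires mtls_proof_of_possession=True")
    if mtls_proof_of_possession and with_attestation_support:
        return "v2"
    return "v1"


def _b64url_decode(text):
    # Re-add the padding that base64url strips before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def cert_thumbprint_s256(cert_der):
    """x5t#S256 thumbprint: base64url(SHA-256(DER certificate))."""
    return _b64url_encode(hashlib.sha256(cert_der).digest())


def verify_cnf_binding(token, cert_der):
    """Confirm a received mtls_pop token is bound to the certificate we hold.

    Reads the JWT payload only (signature verification is a separate step)
    and raises MsiV2Error when the cnf claim is absent or names another cert.
    """
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (IndexError, ValueError) as exc:
        raise MsiV2Error("token payload is not decodable") from exc
    cnf = payload.get("cnf")
    bound = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if bound is None:
        raise MsiV2Error("token carries no cnf.x5t#S256 binding")
    expected = cert_thumbprint_s256(cert_der)
    if bound != expected:
        raise MsiV2Error("token bound to %s, expected %s" % (bound, expected))
    return True


# Constructed stand-in for a DER certificate; only its hash matters here
SAMPLE_CERT_DER = bytes(range(64))


def make_unsigned_sample_token(cert_der, bind_to_cert=True):
    """Constructed, unsigned JWT used only to exercise verify_cnf_binding offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    thumb = cert_thumbprint_s256(cert_der) if bind_to_cert else "AAAA"
    payload = _b64url_encode(json.dumps(
        {"aud": "constructed-audience", "cnf": {"x5t#S256": thumb}}).encode())
    return header + "." + payload + "."


if __name__ == "__main__":
    print(select_flow(True, True), select_flow(True, False))
    print(verify_cnf_binding(make_unsigned_sample_token(SAMPLE_CERT_DER), SAMPLE_CERT_DER))
```

The binding check is the client-side half of proof of possession: a token whose cnf thumbprint does not match the certificate bound to the KeyGuard key is rejected rather than used, which is what the PR's "no silent fallback" stance implies for the strict mtls_pop mode.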
Copilot AI changed the title [WIP] Consolidate changes from PR #877 into single commit [POC] Add MSI v2 (mTLS PoP) support: mtls_proof_of_possession and with_attestation_support APIs Feb 24, 2026
Copilot AI requested a review from gladjohn February 24, 2026 16:12
…ensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@gladjohn gladjohn marked this pull request as ready for review February 25, 2026 02:37
@gladjohn gladjohn requested a review from a team as a code owner February 25, 2026 02:37
@gladjohn gladjohn changed the title [POC] Add MSI v2 (mTLS PoP) support: mtls_proof_of_possession and with_attestation_support APIs Adds MSI v2 (mTLS PoP) support: mtls_proof_of_possession and with_attestation_support APIs Feb 25, 2026