[FEATURE REQ] Support sendX5c in ClientCertificateCredential to allow SubjectName+issuer validation

[ohadschn]

Library or service name.
Azure.Identity

Is your feature request related to a problem? Please describe.
When requesting a token via AuthenticationContext.AcquireTokenAsync (in the Microsoft.IdentityModel.Clients.ActiveDirectory assembly), there are overloads that accept the sendX5c parameter:

This parameter enables application developers to achieve easy certificates roll-over in Azure AD: setting this parameter to true will send the public certificate to Azure AD along with the token request, so that Azure AD can use it to validate the subject name based on a trusted issuer policy. This saves the application admin from the need to explicitly manage the certificate rollover (either via portal or powershell/CLI operation)

This is critical for auto rotation scenarios, where you have your cert auto-renewed in KeyVault and you want your certs to maintain their access to their AAD apps following such renewals.

There is currently no way that I can tell so specify this parameter in Azure.Identity's ClientCertificateCredential, forcing users to drop to the lower AuthenticationContext level.

[schaabs]

@ohadschn Thanks for filling this issue. Adding support for SubjectName / Issuer authentication with the ClientCertificateCredential is currently on our backlog. While support for this did not make it into our current round of previews for the Azure.Identity library, I expect this will be one of the first features we work on after we GA what is currently in preview. I hope to have at least a preview of SubjectName / Issuer support ealry this fall. I'll update this issue once we have more information available.

[JackXuCN]

Use the solution here before Azure.Identity support SendX5c Link

[schaabs]

This has been implemented in #14636, and is available in 1.3.0-beta.1 or later. The feature is still in preview so if you have any feedback on its usability please open an issue and let us know.