Fix for #4775 - deprecate WithClientAssertion(string)

src/client/Microsoft.Identity.Client/AppConfig/ConfidentialClientApplicationBuilder.cs

@@ -198,6 +198,8 @@ public ConfidentialClientApplicationBuilder WithClientSecret(string clientSecret
         /// </summary>
         /// <param name="signedClientAssertion">The client assertion used to prove the identity of the application to Azure AD. This is a Base-64 encoded JWT.</param>
         /// <returns></returns>
+        [System.ComponentModel.EditorBrowsable(System.ComponentModel.EditorBrowsableState.Never)]
+        [Obsolete("This method is not recommended. Use overload with Func<AssertionRequestOptions, Task<string>> instead, and return a non-expired assertion, which can be Federated Credential. See https://aka.ms/msal-net-client-assertion", false)]
         public ConfidentialClientApplicationBuilder WithClientAssertion(string signedClientAssertion)
         {
             if (string.IsNullOrWhiteSpace(signedClientAssertion))
@@ -216,7 +218,7 @@ public ConfidentialClientApplicationBuilder WithClientAssertion(string signedCli
         /// This is a delegate that computes a Base-64 encoded JWT for each authentication call.</param>
         /// <returns>The ConfidentialClientApplicationBuilder to chain more .With methods</returns>
         /// <remarks> Callers can use this mechanism to cache their assertions </remarks>
-        [System.ComponentModel.EditorBrowsable(System.ComponentModel.EditorBrowsableState.Never)]
+        [System.ComponentModel.EditorBrowsable(System.ComponentModel.EditorBrowsableState.Never)]        
         public ConfidentialClientApplicationBuilder WithClientAssertion(Func<string> clientAssertionDelegate)
         {
             if (clientAssertionDelegate == null)
@@ -240,7 +242,7 @@ public ConfidentialClientApplicationBuilder WithClientAssertion(Func<string> cli
         /// This is a delegate that computes a Base-64 encoded JWT for each authentication call.</param>
         /// <returns>The ConfidentialClientApplicationBuilder to chain more .With methods</returns>
         /// <remarks> Callers can use this mechanism to cache their assertions </remarks>
-        [System.ComponentModel.EditorBrowsable(System.ComponentModel.EditorBrowsableState.Never)]
+        [System.ComponentModel.EditorBrowsable(System.ComponentModel.EditorBrowsableState.Never)]        
         public ConfidentialClientApplicationBuilder WithClientAssertion(Func<CancellationToken, Task<string>> clientAssertionAsyncDelegate)
         {
             if (clientAssertionAsyncDelegate == null)
@@ -253,10 +255,11 @@ public ConfidentialClientApplicationBuilder WithClientAssertion(Func<Cancellatio
         }
 
         /// <summary>
-        /// Configures an async delegate that creates a client assertion. See https://aka.ms/msal-net-client-assertion
+        /// Configures an async delegate that creates a client assertion. The delegate is invoked only a token cannot be retrieved from the cache.
+        /// 
+        /// See https://aka.ms/msal-net-client-assertion
         /// </summary>
-        /// <param name="clientAssertionAsyncDelegate">An async delegate computing the client assertion used to prove the identity of the application to Azure AD.
-        /// This is a delegate that computes a Base-64 encoded JWT for each authentication call.</param>
+        /// <param name="clientAssertionAsyncDelegate">An async delegate that returns the client assertion. Assertion lifetime is the responsability of the caller.</param>
         /// <returns>The ConfidentialClientApplicationBuilder to chain more .With methods</returns>
         /// <remarks> Callers can use this mechanism to cache their assertions </remarks>
         public ConfidentialClientApplicationBuilder WithClientAssertion(Func<AssertionRequestOptions, Task<string>> clientAssertionAsyncDelegate)

tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ClientCredentialsTests.NetFwk.cs

@@ -318,26 +318,23 @@ private static IConfidentialClientApplication CreateApp(
                         settings.Authority + "/oauth2/token" :
                         settings.Authority + "/oauth2/v2.0/token";
 
-                    string signedAssertionManual = GetSignedClientAssertionManual(
+                    builder.WithClientAssertion(() => GetSignedClientAssertionManual(
                       settings.ClientId,
                       aud, // for AAD use v2.0, but not for ADFS
                       settings.GetCertificate(),
-                      useSha2AndPssForAssertion);
-
-                    builder.WithClientAssertion(signedAssertionManual);
+                      useSha2AndPssForAssertion));
                     break;
 
                 case CredentialType.ClientAssertion_Wilson:
                     var aud2 = settings.Cloud == Cloud.Adfs ?
                        settings.Authority + "/oauth2/token" :
                        settings.Authority + "/oauth2/v2.0/token";
 
-                    string clientAssertion = GetSignedClientAssertionUsingWilson(
-                        settings.ClientId,
-                        aud2,
-                        settings.GetCertificate());
-
-                    builder.WithClientAssertion(clientAssertion);
+                    builder.WithClientAssertion(
+                        () => GetSignedClientAssertionUsingWilson(
+                            settings.ClientId,
+                            aud2,
+                            settings.GetCertificate()));
                     break;
 
                 case CredentialType.ClientClaims_ExtraClaims:

tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ClientCredentialsTests.WithRegion.cs

@@ -127,7 +127,7 @@ private IConfidentialClientApplication BuildCCA(
             var builder = ConfidentialClientApplicationBuilder.Create(settings.ClientId);
             if (useClaims)
             {
-                builder.WithClientAssertion(GetSignedClientAssertionUsingMsalInternal(settings.ClientId, GetClaims(settings)));
+                builder.WithClientAssertion(() => GetSignedClientAssertionUsingMsalInternal(settings.ClientId, GetClaims(settings)));
             }
             else
             {

tests/Microsoft.Identity.Test.Unit/PublicApiTests/ConfidentialClientApplicationTests.cs

@@ -453,7 +453,9 @@ private enum CredentialType
                     Assert.AreEqual(cert, app.Certificate);
                     break;
                 case CredentialType.SignedAssertion:
+#pragma warning disable CS0618 // Type or member is soft obsolete
                     builder = builder.WithClientAssertion(TestConstants.DefaultClientAssertion);
+#pragma warning restore CS0618 // Type or member is soft obsolete
                     app = builder.BuildConcrete();
                     Assert.IsNull(app.Certificate);
                     break;

tests/Microsoft.Identity.Test.Unit/PublicApiTests/TelemetryClientTests.cs

@@ -550,7 +550,7 @@ private void CreateApplication(AssertionType assertionType = AssertionType.Secre
                 case AssertionType.ClientAssertion:
                     _cca = ConfidentialClientApplicationBuilder
                         .Create(TestConstants.ClientId)
-                        .WithClientAssertion(TestConstants.DefaultClientAssertion)
+                        .WithClientAssertion(() => TestConstants.DefaultClientAssertion)
                         .WithHttpManager(_harness.HttpManager)
                         .WithExperimentalFeatures()
                         .WithTelemetryClient(_telemetryClient)