Add WithReservedScopes and WithCachePartitionKey public APIs #6014
Merged
Conversation
Copilot (Contributor) reviewed: Pull request overview
Adds two new public builder APIs on BaseAbstractAcquireTokenParameterBuilder<T> to (1) optionally prevent MSAL from auto-injecting reserved OIDC scopes and (2) allow callers to add a purely client-side access-token cache partition discriminator (not sent to the token endpoint). This extends existing internal patterns (overridden scopes + additional cache key components) to enable transfer-token scenarios and cache isolation.
Changes:
- Introduces `WithExactScopes(bool exactScopes = true)` to bypass reserved-scope injection for `/token` requests.
- Introduces `WithCachePartitionKey(string key, string value)` to add a cache-key-only discriminator via `CacheKeyComponents`.
- Threads `ExactScopes` through request parameters and adds unit tests for both APIs; updates PublicAPI analyzer baselines across TFMs.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tests/Microsoft.Identity.Test.Unit/PublicApiTests/WithExactScopesTests.cs | Adds unit tests validating reserved-scope injection is suppressed/preserved depending on WithExactScopes. |
| tests/Microsoft.Identity.Test.Unit/PublicApiTests/WithCachePartitionKeyTests.cs | Adds unit tests validating cache key components are populated and not sent to the token endpoint. |
| src/client/Microsoft.Identity.Client/PublicApi/netstandard2.0/PublicAPI.Unshipped.txt | Declares the new public APIs for netstandard2.0. |
| src/client/Microsoft.Identity.Client/PublicApi/net8.0/PublicAPI.Unshipped.txt | Declares the new public APIs for net8.0. |
| src/client/Microsoft.Identity.Client/PublicApi/net8.0-ios/PublicAPI.Unshipped.txt | Declares the new public APIs for net8.0-ios. |
| src/client/Microsoft.Identity.Client/PublicApi/net8.0-android/PublicAPI.Unshipped.txt | Declares the new public APIs for net8.0-android. |
| src/client/Microsoft.Identity.Client/PublicApi/net472/PublicAPI.Unshipped.txt | Declares the new public APIs for net472. |
| src/client/Microsoft.Identity.Client/PublicApi/net462/PublicAPI.Unshipped.txt | Declares the new public APIs for net462. |
| src/client/Microsoft.Identity.Client/Internal/Requests/RequestBase.cs | Uses ExactScopes to override default scope handling for token requests. |
| src/client/Microsoft.Identity.Client/Internal/Requests/AuthenticationRequestParameters.cs | Threads ExactScopes from common parameters into request parameters. |
| src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenCommonParameters.cs | Adds ExactScopes flag to common parameters. |
| src/client/Microsoft.Identity.Client/ApiConfig/BaseAbstractAcquireTokenParameterBuilder.cs | Adds WithExactScopes and WithCachePartitionKey public APIs and plumbs them into common parameters. |
bgavrilMS reviewed on May 18, 2026
bgavrilMS reviewed on May 18, 2026
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
54fc586 to a59d7fd
4gust approved these changes on May 18, 2026
bgavrilMS reviewed on May 18, 2026
bgavrilMS approved these changes on May 18, 2026
Address review feedback: scope override logic now lives in ConfidentialAuthCodeRequest.GetOverriddenScopes() rather than RequestBase, ensuring it only affects auth code redemption flows. Other flows (client credentials, OBO, interactive, etc.) are unaffected. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…e build Move scope removal from ConfidentialAuthCodeRequest.GetOverriddenScopes override to TokenClient.SendTokenRequestAsync. The regular scope building runs as normal (GetDefaultScopes adds all reserved scopes), then offline_access is stripped from the result. No override, no scope construction, no changes to existing method signatures. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Use ArgumentNullException for null, ArgumentException for empty string per .NET guidelines. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
WithReservedScopes now targets AcquireTokenByAuthorizationCodeParameterBuilder instead of BaseAbstractAcquireTokenParameterBuilder. This prevents it from appearing on flows where suppressing offline_access would be incorrect (client credentials, silent, OBO, interactive). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add WithInstanceDiscovery(false) to all test builders to prevent shared instance discovery cache from affecting mock handler ordering. Use AcquireTokenByAuthorizationCode consistently in partition key tests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
bgavrilMS approved these changes on May 19, 2026
Robbie-Microsoft added a commit that referenced this pull request on May 22, 2026
These APIs were added in PR #6014 (022dcde) but were accidentally absent from this branch due to shallow clone grafting. Restoring to fix CI build failures in WithReservedScopesTests.cs and WithCachePartitionKeyTests.cs. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Robbie-Microsoft added a commit that referenced this pull request on May 22, 2026
…om PR #6014 Restores AcquireTokenCommonParameters.SendOfflineAccessScope and all 6 PublicAPI.Unshipped.txt entries for WithCachePartitionKey and WithReservedScopes that were lost due to a prior merge conflict resolution. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Robbie-Microsoft added a commit that referenced this pull request on May 22, 2026
…RequestParameters Restores the offline_access scope filtering logic in TokenClient.SendTokenRequestAsync and the SendOfflineAccessScope property on AuthenticationRequestParameters, both originally added in PR #6014 but lost in a prior merge conflict resolution. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary

Two new public APIs for transfer token scenarios and cache isolation:

`WithReservedScopes(bool offlineAccessScope)`

Extension method on `AcquireTokenByAuthorizationCodeParameterBuilder`. When `offlineAccessScope` is set to `false`, MSAL omits `offline_access` from the token request while continuing to send `openid` and `profile`. The removal happens in `TokenClient` after the regular scope building, without affecting scope construction. Only available on auth code redemption flows. Unreachable by client credentials, silent, OBO, or interactive flows.

`WithCachePartitionKey(string key, string value)`

Extension method on `BaseAbstractAcquireTokenParameterBuilder<T>` in the Extensibility namespace. Adds a client-side discriminator to the AT cache key without sending anything to the token endpoint. Enables parallel token sessions for the same user without cache interference. Validates inputs: `ArgumentNullException` for null, `ArgumentException` for empty key.

Motivation

These APIs support the transfer token flow for 1P mobile app-to-browser scenarios (PBI 3562385). A web service redeems a short-lived MSA transfer token alongside an existing long-lived OIDC session for the same user. Without these APIs:

- `offline_access`, causing MSA to return an unwanted refresh token

Builds on PR #5993

The symmetric AT filter and partition-aware write-side eviction merged in PR #5993. This PR adds the two public APIs on top.

Changes

| File | Description |
|---|---|
| `Extensibility/AcquireTokenParameterBuilderExtensions.cs` | `WithReservedScopes` + `WithCachePartitionKey` extension methods |
| `AcquireTokenCommonParameters.cs` | `SendOfflineAccessScope` flag |
| `AuthenticationRequestParameters.cs` | `SendOfflineAccessScope` |
| `TokenClient.cs` | `offline_access` after default scope build |
| `PublicAPI.Unshipped.txt` (x6 TFMs) | |
| `WithReservedScopesTests.cs` | |
| `WithCachePartitionKeyTests.cs` | |

Testing

- `offline_access` confirmed: no RT returned)
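The scenario the PR description lays out, written as an added usage example (not code from the PR or from the MSAL.NET repository): one confidential client redeems a long-lived OIDC session code normally and a short-lived transfer token code with `offline_access` withheld, and each result is kept in its own cache partition so neither access token can be served for the other. Assumptions: the two extension methods live in the `Microsoft.Identity.Client.Extensibility` namespace (the description only says "the Extensibility namespace") and each returns the builder so the chain continues; the client id, secret, redirect URI, scope and the `session`/`transfer` key names are constructed placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Extensibility; // assumed: namespace of WithReservedScopes / WithCachePartitionKey

public static class TransferTokenRedemption
{
    // Constructed placeholders; replace with the app registration's values.
    private const string ClientId = "<client-id>";
    private const string ClientSecret = "<client-secret>";
    private const string RedirectUri = "https://localhost/callback";

    // Resource scope requested by the service (sample value). MSAL adds the reserved
    // OIDC scopes (openid, profile, offline_access) on top of this list by default.
    private static readonly string[] Scopes = { "User.Read" };

    public static IConfidentialClientApplication BuildApp() =>
        ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithRedirectUri(RedirectUri)
            .Build();

    // Long-lived OIDC session: default scope handling, so offline_access is sent and a
    // refresh token is cached. The partition key is a cache-only discriminator; it is
    // never sent to the token endpoint.
    public static Task<AuthenticationResult> RedeemSessionCodeAsync(
        IConfidentialClientApplication app, string authCode, string sessionId)
    {
        if (string.IsNullOrEmpty(sessionId))
            throw new ArgumentException("A session id is required for the cache partition.", nameof(sessionId));

        return app.AcquireTokenByAuthorizationCode(Scopes, authCode)
            .WithCachePartitionKey("session", sessionId)
            .ExecuteAsync();
    }

    // Short-lived MSA transfer token: offline_access is withheld so no refresh token is
    // issued or cached, while openid and profile are still sent. A separate partition
    // keeps this access token from being returned for the long-lived session.
    public static Task<AuthenticationResult> RedeemTransferCodeAsync(
        IConfidentialClientApplication app, string authCode, string transferId)
    {
        if (string.IsNullOrEmpty(transferId))
            throw new ArgumentException("A transfer id is required for the cache partition.", nameof(transferId));

        return app.AcquireTokenByAuthorizationCode(Scopes, authCode)
            .WithReservedScopes(offlineAccessScope: false)
            .WithCachePartitionKey("transfer", transferId)
            .ExecuteAsync();
    }
}
```

Both redemptions go through `AcquireTokenByAuthorizationCode` because, per the PR, `WithReservedScopes` is only exposed on the auth code builder; the client-credentials, silent, OBO and interactive builders never see it. The partition values should be identifiers the service already tracks (a session id, a transfer request id), not anything derived from the token itself.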