Add OID-based user identification to UserFIC (user_fic) flow#6050
Merged
Pull request overview
Adds Object ID (OID) support to the User Federated Identity Credential (user_fic) flow by introducing a Guid userObjectId overload, enabling unambiguous user identification (UPN vs OID) and ensuring the token request body/CCS routing hint use user_id when OID is supplied.
Changes:
- Added a `Guid userObjectId` overload to `AcquireTokenByUserFederatedIdentityCredential` and surfaced it via `ConfidentialClientApplication`.
- Updated request construction to send `user_id` (OID) vs `username` (UPN) in a mutually exclusive way, including CCS routing behavior.
- Added unit tests for request-body mutual exclusion, argument validation, and multi-user cache behavior.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tests/Microsoft.Identity.Test.Unit/RequestsTests/UserFederatedIdentityCredentialTests.cs | Adds tests validating OID vs UPN request-body parameters and multi-user cache behavior. |
| src/client/Microsoft.Identity.Client/PublicApi/netstandard2.0/PublicAPI.Unshipped.txt | Declares the new public API signature for the OID overload. |
| src/client/Microsoft.Identity.Client/PublicApi/net8.0/PublicAPI.Unshipped.txt | Declares the new public API signature for the OID overload. |
| src/client/Microsoft.Identity.Client/PublicApi/net8.0-ios/PublicAPI.Unshipped.txt | Declares the new public API signature for the OID overload. |
| src/client/Microsoft.Identity.Client/PublicApi/net8.0-android/PublicAPI.Unshipped.txt | Declares the new public API signature for the OID overload. |
| src/client/Microsoft.Identity.Client/PublicApi/net472/PublicAPI.Unshipped.txt | Declares the new public API signature for the OID overload. |
| src/client/Microsoft.Identity.Client/PublicApi/net462/PublicAPI.Unshipped.txt | Declares the new public API signature for the OID overload. |
| src/client/Microsoft.Identity.Client/OAuth2/OAuthConstants.cs | Adds OAuth2Parameter.UserId constant (user_id) for user_fic requests. |
| src/client/Microsoft.Identity.Client/Internal/Requests/UserFederatedIdentityCredentialRequest.cs | Switches request body + CCS routing between user_id (OID) and username (UPN). |
| src/client/Microsoft.Identity.Client/IByUserFederatedIdentityCredential.cs | Adds the new Guid userObjectId overload with XML documentation. |
| src/client/Microsoft.Identity.Client/ConfidentialClientApplication.cs | Implements the new overload (explicit interface) and routes to the builder factory. |
| src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenByUserFederatedIdentityCredentialParameters.cs | Adds UserObjectId parameter storage and improves parameter logging. |
| src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenByUserFederatedIdentityCredentialParameterBuilder.cs | Adds builder constructor/factory for OID, including Guid.Empty validation. |
bgavrilMS
approved these changes
Jun 4, 2026
gladjohn
approved these changes
Jun 4, 2026
# Conflicts:
#	src/client/Microsoft.Identity.Client/PublicApi/net462/PublicAPI.Unshipped.txt
#	src/client/Microsoft.Identity.Client/PublicApi/net472/PublicAPI.Unshipped.txt
#	src/client/Microsoft.Identity.Client/PublicApi/net8.0-android/PublicAPI.Unshipped.txt
#	src/client/Microsoft.Identity.Client/PublicApi/net8.0-ios/PublicAPI.Unshipped.txt
#	src/client/Microsoft.Identity.Client/PublicApi/net8.0/PublicAPI.Unshipped.txt
#	src/client/Microsoft.Identity.Client/PublicApi/netstandard2.0/PublicAPI.Unshipped.txt
neha-bhargava
approved these changes
Jun 4, 2026
neha-bhargava
left a comment
Approve with comments
Copilot stopped reviewing on behalf of Avery-Dunn due to an error, June 4, 2026 19:08
Adds a `Guid userObjectId` overload to `AcquireTokenByUserFederatedIdentityCredential`, enabling callers to identify users by Object ID (OID) in the `user_fic` grant type. Previously, only UPN-based identification (`username` parameter) was supported.

This brings MSAL .NET into parity with MSAL Java, Python, Go, and ID Web, which already support both UPN and OID for UserFIC scenarios.

## Why a `Guid` overload?

The `user_fic` grant type identifies the target user via one of two mutually exclusive body parameters:

| Parameter | Example |
|---|---|
| `username` | alice@contoso.com |
| `user_id` | 11111111-2222-3333-4444-555555555555 |

A single method with a `string` parameter cannot disambiguate whether a given string is a UPN or an OID: both are valid strings, and while they often look very different there's no reliable way to guarantee that a string of characters isn't actually a username.

Using `Guid` for the OID overload resolves this problem:

- `string` vs `Guid` overloads without ambiguity

## Changes

### Production code

| File | Change |
|---|---|
| `IByUserFederatedIdentityCredential.cs` | `Guid userObjectId` overload with XML docs |
| `AcquireTokenByUserFederatedIdentityCredentialParameters.cs` | `Guid? UserObjectId` property, improved `LogParameters()` |
| `AcquireTokenByUserFederatedIdentityCredentialParameterBuilder.cs` | `Guid` constructor + `Create` factory (rejects `Guid.Empty`) |
| `UserFederatedIdentityCredentialRequest.cs` | `user_id` vs `username`; CCS routing by OID |
| `OAuthConstants.cs` | `UserId = "user_id"` constant |
| `ConfidentialClientApplication.cs` | |
| `PublicAPI.Unshipped.txt` (×6 TFMs) | |

### Request body behavior

When `UserObjectId` is set, the request sends `user_id=<guid>` and omits `username`. When `Username` is set, it sends `username=<upn>` and omits `user_id`. This mutual exclusion is enforced structurally — the two code paths use separate constructors, so both values cannot be populated simultaneously through the public API.

CCS routing follows the same pattern: OID requests use `oid:<oid>@<tenantId>`, UPN requests use the existing `upn:<upn>` header.

## Tests (6 new, 13 total)

| Test | Checks |
|---|---|
| `AcquireTokenByUserFic_WithOid_SendsUserIdParameter_Async` | `user_id` in POST body, `username` absent |
| `AcquireTokenByUserFic_WithUpn_SendsUsernameParameter_Async` | `username` in POST body, `user_id` absent |
| `AcquireTokenByUserFic_EmptyGuid_ThrowsArgumentException` | `Guid.Empty` rejected at builder creation |
| `AcquireTokenByUserFic_NullOidAssertion_ThrowsArgumentNullException` | |
| `AcquireTokenByUserFic_EmptyOidAssertion_ThrowsArgumentNullException` | |
| `AcquireTokenByUserFic_TwoUpns_SilentReturnsCorrectToken_Async` | |
| `AcquireTokenByUserFic_TwoOids_SilentReturnsCorrectToken_Async` | (`HomeAccountId.ObjectId`) |
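The following stand-alone C# program is an added illustration of the design the description above argues for; it is not MSAL.NET's code and not part of this PR. It models the three security-relevant properties: a `Guid` overload and a `string` overload that the compiler resolves without ambiguity (a GUID-shaped string still binds to the UPN path and is never silently reinterpreted as an OID), two private constructors so that `username` and `user_id` can never both be populated, and `Guid.Empty` rejected before any request is built. It also emits the two CCS routing-hint shapes quoted above. The type and member names (`UserFicRequestBuilder`, `Create`, `ToFormBody`, `CcsRoutingHint`) and the `client_id`/`assertion` form parameters are assumptions made for the example; the real public surface is the `AcquireTokenByUserFederatedIdentityCredential` overloads listed in the PR.

```csharp
// Added illustration only; not MSAL.NET's implementation. All names below are
// hypothetical stand-ins for the builder/request types touched by the PR.
using System;
using System.Collections.Generic;

public sealed class UserFicRequestBuilder
{
    private readonly string _clientId;
    private readonly string _tenantId;
    private readonly string _userAssertion; // federated credential presented for the user
    private readonly string _username;      // populated only by the UPN constructor
    private readonly Guid? _userObjectId;   // populated only by the OID constructor

    // UPN path: _userObjectId stays null by construction.
    private UserFicRequestBuilder(string clientId, string tenantId, string userAssertion, string username)
    {
        _clientId = clientId; _tenantId = tenantId; _userAssertion = userAssertion;
        _username = username;
        _userObjectId = null;
    }

    // OID path: _username stays null by construction.
    private UserFicRequestBuilder(string clientId, string tenantId, string userAssertion, Guid userObjectId)
    {
        _clientId = clientId; _tenantId = tenantId; _userAssertion = userAssertion;
        _username = null;
        _userObjectId = userObjectId;
    }

    // string overload -> UPN. Overload resolution is by static type, so even a
    // string that happens to look like a GUID lands here, never on the OID path.
    public static UserFicRequestBuilder Create(string clientId, string tenantId, string userAssertion, string username)
    {
        if (string.IsNullOrWhiteSpace(userAssertion)) throw new ArgumentNullException(nameof(userAssertion));
        if (string.IsNullOrWhiteSpace(username)) throw new ArgumentNullException(nameof(username));
        return new UserFicRequestBuilder(clientId, tenantId, userAssertion, username);
    }

    // Guid overload -> OID. Guid.Empty is never a valid object id, so reject it
    // at builder creation rather than letting it reach the token endpoint.
    public static UserFicRequestBuilder Create(string clientId, string tenantId, string userAssertion, Guid userObjectId)
    {
        if (string.IsNullOrWhiteSpace(userAssertion)) throw new ArgumentNullException(nameof(userAssertion));
        if (userObjectId == Guid.Empty)
            throw new ArgumentException("User object id must not be Guid.Empty.", nameof(userObjectId));
        return new UserFicRequestBuilder(clientId, tenantId, userAssertion, userObjectId);
    }

    // Form body: exactly one of username / user_id is ever present, because only
    // one of the backing fields can be non-null.
    public IReadOnlyDictionary<string, string> ToFormBody()
    {
        var body = new Dictionary<string, string>
        {
            ["client_id"]  = _clientId,       // assumed parameter name
            ["grant_type"] = "user_fic",
            ["assertion"]  = _userAssertion,  // assumed parameter name
        };
        if (_userObjectId.HasValue)
            body["user_id"] = _userObjectId.Value.ToString("D"); // canonical 8-4-4-4-12 lowercase form
        else
            body["username"] = _username;
        return body;
    }

    // CCS routing hint in the two shapes the PR describes.
    public string CcsRoutingHint() =>
        _userObjectId.HasValue
            ? $"oid:{_userObjectId.Value:D}@{_tenantId}"
            : $"upn:{_username}";

    public static void Main()
    {
        var oid = Guid.Parse("11111111-2222-3333-4444-555555555555");

        var byOid = Create("client-id", "tenant-id", "user-assertion", oid);                // Guid overload
        var byUpn = Create("client-id", "tenant-id", "user-assertion", "alice@contoso.com"); // string overload

        // A GUID-shaped string is still a UPN as far as the type system is concerned.
        var guidLookingUpn = Create("client-id", "tenant-id", "user-assertion", oid.ToString());

        foreach (var b in new[] { byOid, byUpn, guidLookingUpn })
        {
            var body = b.ToFormBody();
            bool hasUser = body.ContainsKey("username"), hasOid = body.ContainsKey("user_id");
            Console.WriteLine($"{b.CcsRoutingHint(),-60} username={hasUser} user_id={hasOid} exclusive={hasUser ^ hasOid}");
        }

        try { Create("client-id", "tenant-id", "user-assertion", Guid.Empty); }
        catch (ArgumentException ex) { Console.WriteLine($"Rejected: {ex.ParamName}"); }
    }
}
```

The `exclusive` column in the output is the invariant a reviewer should check for any such change: one and only one of `username` / `user_id` appears in the body, regardless of which overload the caller picked.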