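--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -82,7 +82,7 @@
 
 <PropertyGroup Label="Common dependency versions">
 <MicrosoftIdentityModelVersion Condition="'$(MicrosoftIdentityModelVersion)' == ''">8.15.0</MicrosoftIdentityModelVersion>
-<MicrosoftIdentityClientVersion Condition="'$(MicrosoftIdentityClientVersion)' == ''">4.81.0</MicrosoftIdentityClientVersion>
+<MicrosoftIdentityClientVersion Condition="'$(MicrosoftIdentityClientVersion)' == ''">4.82.0</MicrosoftIdentityClientVersion>
 <MicrosoftIdentityAbstractionsVersion Condition="'$(MicrosoftIdentityAbstractionsVersion)' == ''">10.0.0</MicrosoftIdentityAbstractionsVersion>
 <FxCopAnalyzersVersion>3.3.0</FxCopAnalyzersVersion>
 <SystemTextEncodingsWebVersion>4.7.2</SystemTextEncodingsWebVersion>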
55 changes: 52 additions & 3 deletions src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs
Expand Up @@ -11,6 +11,7 @@
using System.Net.Http;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
Expand Down Expand Up @@ -212,16 +213,16 @@ public async Task<AcquireTokenResult> AddAccountToCacheFromAuthorizationCodeAsyn
}
}


/// <summary>
/// Allows creation of confidential client applications targeting regional and global authorities
/// when supporting managed identities.
/// </summary>
/// <param name="mergedOptions">Merged configuration options</param>
/// <param name="mergedOptions">Merged configuration options.</param>
/// <returns>Concatenated string of authority, cliend id and azure region</returns>
private static string GetApplicationKey(MergedOptions mergedOptions)
{
string credentialId = string.Join("-", mergedOptions.ClientCredentials?.Select(c => c.Id) ?? Enumerable.Empty<string>());

return DefaultTokenAcquirerFactoryImplementation.GetKey(mergedOptions.Authority, mergedOptions.ClientId, mergedOptions.AzureRegion) + credentialId;
}

Expand Down Expand Up @@ -260,7 +261,6 @@ public async Task<AuthenticationResult> GetAuthenticationResultForUserAsync(
_ = Throws.IfNull(scopes);

MergedOptions mergedOptions = GetMergedOptions(authenticationScheme, tokenAcquisitionOptions);

user ??= await _tokenAcquisitionHost.GetAuthenticatedUserAsync(user).ConfigureAwait(false);

var application = await GetOrBuildConfidentialClientApplicationAsync(mergedOptions, isTokenBinding: false);
Expand Down Expand Up @@ -437,7 +437,9 @@ public async Task<AuthenticationResult> GetAuthenticationResultForUserAsync(
var dict = MergeExtraQueryParameters(mergedOptions, tokenAcquisitionOptions);
if (dict != null)
{
#pragma warning disable CS0618 // Type or member is obsolete
builder.WithExtraQueryParameters(dict);
#pragma warning restore CS0618 // Type or member is obsolete
}

if (tokenAcquisitionOptions.ExtraHeadersParameters != null)
Expand All @@ -449,6 +451,11 @@ public async Task<AuthenticationResult> GetAuthenticationResultForUserAsync(
builder.WithCorrelationId(tokenAcquisitionOptions.CorrelationId.Value);
}
builder.WithClaims(tokenAcquisitionOptions.Claims);
var clientClaims = GetClientClaimsIfExist(tokenAcquisitionOptions);
if (clientClaims != null)
{
builder.WithExtraClientAssertionClaims(clientClaims);
}
if (tokenAcquisitionOptions.PoPConfiguration != null)
{
builder.WithSignedHttpRequestProofOfPossession(tokenAcquisitionOptions.PoPConfiguration);
Expand Down Expand Up @@ -568,6 +575,13 @@ public async Task<AuthenticationResult> GetAuthenticationResultForAppAsync(
miBuilder.WithClaims(tokenAcquisitionOptions.Claims);
}

//TODO: Should client assertion claims be supported for managed identity?
//var clientClaims = GetClientClaimsIfExist(tokenAcquisitionOptions);
//if (clientClaims != null)
//{
// miBuilder.WithExtraClientAssertionClaims(clientClaims);
//}

return await miBuilder.ExecuteAsync().ConfigureAwait(false);
}
catch (Exception ex)
Expand Down Expand Up @@ -632,7 +646,9 @@ public async Task<AuthenticationResult> GetAuthenticationResultForAppAsync(

if (dict != null)
{
#pragma warning disable CS0618 // Type or member is obsolete
builder.WithExtraQueryParameters(dict);
#pragma warning restore CS0618 // Type or member is obsolete
}
if (tokenAcquisitionOptions.ExtraHeadersParameters != null)
{
Expand All @@ -649,6 +665,13 @@ public async Task<AuthenticationResult> GetAuthenticationResultForAppAsync(
}
builder.WithForceRefresh(tokenAcquisitionOptions.ForceRefresh);
builder.WithClaims(tokenAcquisitionOptions.Claims);

var clientClaims = GetClientClaimsIfExist(tokenAcquisitionOptions);
if (clientClaims != null)
{
builder.WithExtraClientAssertionClaims(clientClaims);
}

if (!string.IsNullOrEmpty(tokenAcquisitionOptions.FmiPath))
{
builder.WithFmiPath(tokenAcquisitionOptions.FmiPath);
Expand Down Expand Up @@ -930,7 +953,18 @@ private bool IsInvalidClientCertificateOrSignedAssertionError(MsalServiceExcepti
#endif
}

private static string? GetClientClaimsIfExist(TokenAcquisitionOptions? tokenAcquisitionOptions)
{
string? clientClaims = null;
if (tokenAcquisitionOptions is not null && tokenAcquisitionOptions.ExtraParameters is not null &&
tokenAcquisitionOptions.ExtraParameters.ContainsKey("IDWEB_CLIENT_ASSERTION_CLAIMS"))
{
clientClaims = tokenAcquisitionOptions.ExtraParameters["IDWEB_CLIENT_ASSERTION_CLAIMS"] as string;
}
return clientClaims;
}

#pragma warning disable RS0051 // Add internal types and members to the declared API
internal /* for testing */ async Task<IConfidentialClientApplication> GetOrBuildConfidentialClientApplicationAsync(
MergedOptions mergedOptions,
bool isTokenBinding)
Expand Down Expand Up @@ -1254,7 +1288,10 @@ private void NotifyCertificateSelection(
dict.Remove(assertionConstant);
dict.Remove(subAssertionConstant);
}

#pragma warning disable CS0618 // Type or member is obsolete
builder.WithExtraQueryParameters(dict);
#pragma warning restore CS0618 // Type or member is obsolete
}
if (tokenAcquisitionOptions.ExtraHeadersParameters != null)
{
Expand All @@ -1266,6 +1303,11 @@ private void NotifyCertificateSelection(
}
builder.WithForceRefresh(tokenAcquisitionOptions.ForceRefresh);
builder.WithClaims(tokenAcquisitionOptions.Claims);
var clientClaims = GetClientClaimsIfExist(tokenAcquisitionOptions);
if (clientClaims != null)
{
builder.WithExtraClientAssertionClaims(clientClaims);
}
if (tokenAcquisitionOptions.PoPConfiguration != null)
{
builder.WithSignedHttpRequestProofOfPossession(tokenAcquisitionOptions.PoPConfiguration);
Expand Down Expand Up @@ -1411,7 +1453,9 @@ private Task<AuthenticationResult> GetAuthenticationResultForWebAppWithAccountFr

if (dict != null)
{
#pragma warning disable CS0618 // Type or member is obsolete
builder.WithExtraQueryParameters(dict);
#pragma warning restore CS0618 // Type or member is obsolete
}
if (tokenAcquisitionOptions.ExtraHeadersParameters != null)
{
Expand All @@ -1423,6 +1467,11 @@ private Task<AuthenticationResult> GetAuthenticationResultForWebAppWithAccountFr
}
builder.WithForceRefresh(tokenAcquisitionOptions.ForceRefresh);
builder.WithClaims(tokenAcquisitionOptions.Claims);
var clientClaims = GetClientClaimsIfExist(tokenAcquisitionOptions);
if (clientClaims != null)
{
builder.WithExtraClientAssertionClaims(clientClaims);
}
if (tokenAcquisitionOptions.PoPConfiguration != null)
{
builder.WithProofOfPossession(tokenAcquisitionOptions.PoPConfiguration);
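Review bot: GetClientClaimsIfExist looks up ExtraParameters twice (ContainsKey followed by the indexer) and repeats the "IDWEB_CLIENT_ASSERTION_CLAIMS" literal at both sites; a single TryGetValue against a named constant (assuming ExtraParameters is an IDictionary) removes the double lookup and keeps the key in one place, and the `as string` cast silently treats a value of any other type as absent, which deserves a comment because the caller then sends a client assertion without the intended claims and gets no signal. Since that literal is the contract for the user, app and web-app token paths that all call this helper, the method should also carry an XML summary stating what the value is expected to hold — presumably a serialized claims object handed to MSAL's WithExtraClientAssertionClaims, confirm against that API — and that the caller is responsible for validating it before it reaches the assertion. The commented-out block under the managed-identity builder is better reduced to the one-line TODO it already carries. The added `using System.Text.Json;` has no consumer in the visible hunks; if nothing outside them uses it, it should be dropped.
```csharp
// Key under which callers pass extra client-assertion claims through TokenAcquisitionOptions.ExtraParameters.
private const string ClientAssertionClaimsKey = "IDWEB_CLIENT_ASSERTION_CLAIMS";

/// <summary>
/// Returns the extra client-assertion claims supplied via <see cref="TokenAcquisitionOptions.ExtraParameters"/>,
/// or null when none were supplied. A value that is not a string is ignored (treated as absent).
/// </summary>
private static string? GetClientClaimsIfExist(TokenAcquisitionOptions? tokenAcquisitionOptions)
{
    if (tokenAcquisitionOptions?.ExtraParameters is { } extraParameters &&
        extraParameters.TryGetValue(ClientAssertionClaimsKey, out var value))
    {
        return value as string;
    }

    return null;
}
```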