From 1b7967579aa88fa4fbf4a2016b2a969d55af715c Mon Sep 17 00:00:00 2001 From: trwalke Date: Wed, 11 Feb 2026 15:49:00 -0800 Subject: [PATCH 1/4] Fixing event --- .../TokenAcquisition.cs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs b/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs index 68ca848ac..ee4ceeb05 100644 --- a/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs +++ b/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs @@ -1228,13 +1228,11 @@ private void NotifyCertificateSelection( string? tokenUsedToCallTheWebApi = GetActualToken(validatedToken); AcquireTokenOnBehalfOfParameterBuilder? builder = null; - TokenAcquisitionExtensionOptions? addInOptions = null; + TokenAcquisitionExtensionOptions? addInOptions = tokenAcquisitionExtensionOptionsMonitor?.CurrentValue; // Case of web APIs: we need to do an on-behalf-of flow, with the token used to call the API if (tokenUsedToCallTheWebApi != null) { - addInOptions = tokenAcquisitionExtensionOptionsMonitor?.CurrentValue; - if (string.IsNullOrEmpty(tokenAcquisitionOptions?.LongRunningWebApiSessionKey)) { builder = application @@ -1273,6 +1271,7 @@ private void NotifyCertificateSelection( ClaimsPrincipal? userForCcsRouting = _tokenAcquisitionHost.GetUserFromRequest(); var userTenant = string.Empty; + if (userForCcsRouting != null) { userTenant = userForCcsRouting.GetTenantId(); From 1f676296f976f988e8060b11b0188a175f4e9ed3 Mon Sep 17 00:00:00 2001 From: trwalke Date: Wed, 11 Feb 2026 15:51:23 -0800 Subject: [PATCH 2/4] Update --- src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs | 1 - 1 file changed, 1 deletion(-) diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs b/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs index ee4ceeb05..f1c869a4a 100644 --- a/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs 
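Review bot: Reading `tokenAcquisitionExtensionOptionsMonitor?.CurrentValue` before the `if (tokenUsedToCallTheWebApi != null)` check in the first hunk means `addInOptions` is now also populated when no incoming token is present, and nothing in the change says why. If, as the test change later in this series suggests, `OnBeforeTokenAcquisitionForOnBehalfOf` handlers are then invoked on the long-running-session path, existing subscribers that dereference `args.User` or `args.UserAssertionToken` may see null there. I would add `// Read unconditionally: the OBO event must also fire when a long-running session is resumed without an incoming token` above the declaration, and state in the event's XML doc that both values can be null. The enclosing method and the code that raises the event are outside the hunk, so the invocation path is inferred.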
+++ b/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs @@ -1271,7 +1271,6 @@ private void NotifyCertificateSelection( ClaimsPrincipal? userForCcsRouting = _tokenAcquisitionHost.GetUserFromRequest(); var userTenant = string.Empty; - if (userForCcsRouting != null) { userTenant = userForCcsRouting.GetTenantId(); From a8fe105bd004b581d62b170f509f87fdc09f7686 Mon Sep 17 00:00:00 2001 From: trwalke Date: Wed, 11 Feb 2026 22:15:38 -0800 Subject: [PATCH 3/4] Updating test --- Directory.Build.props | 4 ++-- .../AuthorizationHeaderProviderTests.cs | 15 ++++++++++----- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/Directory.Build.props b/Directory.Build.props index d2bf7947e..3c1ef88db 100644 --- a/Directory.Build.props +++ b/Directory.Build.props @@ -4,13 +4,13 @@ - 4.3.1 + 4.3.1-preview $(MicrosoftIdentityWebVersion) true 4.2.0 - + True $(MSBuildThisFileDirectory)/build $(BuildDirectory)/35MSSharedLib1024.snk git diff --git a/tests/Microsoft.Identity.Web.Test/AuthorizationHeaderProviderTests.cs b/tests/Microsoft.Identity.Web.Test/AuthorizationHeaderProviderTests.cs index 940bf6b54..142679f8d 100644 --- a/tests/Microsoft.Identity.Web.Test/AuthorizationHeaderProviderTests.cs +++ b/tests/Microsoft.Identity.Web.Test/AuthorizationHeaderProviderTests.cs @@ -37,6 +37,7 @@ public async Task LongRunningSessionForDefaultAuthProviderForUserDefaultKeyTest( var claimsPrincipal = new ClaimsPrincipal(identity); var tokenAcquirerFactory = InitTokenAcquirerFactoryForTest(); + bool argsNotNull = true; // Configure the extension option such that the event is subscribed to // so the test can observe if the service provider is set in the extra parameters 
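Review bot: The flag `argsNotNull` added in the `@@ -37,6 +37,7 @@` hunk of AuthorizationHeaderProviderTests.cs is named for something the handler does not test. The `args` parameter is presumably non-null on every call, and what changes between steps is whether a ClaimsPrincipal and user assertion accompany the request. A name such as `expectUserAssertion`, with a comment like `// false for calls that resume the long-running session from cache, where no ClaimsPrincipal is passed`, would make the later toggles readable. The test method starts and ends outside this hunk.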
@@ -44,9 +45,12 @@ public async Task LongRunningSessionForDefaultAuthProviderForUserDefaultKeyTest( { options.OnBeforeTokenAcquisitionForOnBehalfOf += (builder, options, args) => { - //verify that the ClaimsPrincipal passed in the event is the same as the one passed to CreateAuthorizationHeaderForUserAsync and that the BootstrapContext is preserved - Assert.Equal(((CaseSensitiveClaimsIdentity)claimsPrincipal.Identity!).BootstrapContext, ((CaseSensitiveClaimsIdentity)args?.User?.Identity!).BootstrapContext); - Assert.Equal(((CaseSensitiveClaimsIdentity)claimsPrincipal.Identity!).BootstrapContext, args.UserAssertionToken); + if (argsNotNull) + { + //verify that the ClaimsPrincipal passed in the event is the same as the one passed to CreateAuthorizationHeaderForUserAsync and that the BootstrapContext is preserved + Assert.Equal(((CaseSensitiveClaimsIdentity)claimsPrincipal.Identity!).BootstrapContext, ((CaseSensitiveClaimsIdentity)args?.User?.Identity!).BootstrapContext); + Assert.Equal(((CaseSensitiveClaimsIdentity)claimsPrincipal.Identity!).BootstrapContext, args.UserAssertionToken); + } }; }); IServiceProvider serviceProvider = tokenAcquirerFactory.Build(); @@ -57,8 +61,6 @@ public async Task LongRunningSessionForDefaultAuthProviderForUserDefaultKeyTest( using (mockHttpClient) { - - // Create options with LongRunningWebApiSessionKey var options = new AuthorizationHeaderProviderOptions { @@ -85,6 +87,7 @@ public async Task LongRunningSessionForDefaultAuthProviderForUserDefaultKeyTest( string key1 = options.AcquireTokenOptions.LongRunningWebApiSessionKey; // Step 4: Second call without ClaimsPrincipal should return the token from cache + argsNotNull = false; result = await authorizationHeaderProvider.CreateAuthorizationHeaderForUserAsync( scopes, options); 
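Review bot: With `argsNotNull` set to false the handler in the `@@ -44,9 +45,12 @@` hunk asserts nothing, so steps 4 and 6 (toggled in the `@@ -85`, `@@ -94` and `@@ -105` hunks) pin neither what the event receives on the cached long-running-session path nor that it fires at all. Since this event hands the user assertion token to subscribers, I would add `else { Assert.Null(args.UserAssertionToken); }` and count invocations (`eventCalls++` in the handler, checked after each step), assuming null is the intended contract on that path. Separately, `args?.User?.Identity!` is followed by an unconditional `args.UserAssertionToken`; an `Assert.NotNull(args.User);` first would turn a missing user into an assertion failure rather than a NullReferenceException.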
@@ -94,6 +97,7 @@ public async Task LongRunningSessionForDefaultAuthProviderForUserDefaultKeyTest( Assert.Equal(key1, options.AcquireTokenOptions.LongRunningWebApiSessionKey); // Step 5: First call with ClaimsPrincipal to initiate LR session for CreateAuthorizationHeaderAsync + argsNotNull = true; scopes = new[] { "User.Write" }; mockHttpClient!.AddMockHandler(MockHttpCreator.CreateLrOboTokenHandler("User.Write")); result = await authorizationHeaderProvider.CreateAuthorizationHeaderAsync( @@ -105,6 +109,7 @@ public async Task LongRunningSessionForDefaultAuthProviderForUserDefaultKeyTest( Assert.NotEqual(options.AcquireTokenOptions.LongRunningWebApiSessionKey, TokenAcquisitionOptions.LongRunningWebApiSessionKeyAuto); key1 = options.AcquireTokenOptions.LongRunningWebApiSessionKey; + argsNotNull = false; // Step 6: Second call without ClaimsPrincipal should return the token from cache for CreateAuthorizationHeaderAsync result = await authorizationHeaderProvider.CreateAuthorizationHeaderAsync( scopes, From f3357d0e82d6ca60a2273a99a4b6ed3951081760 Mon Sep 17 00:00:00 2001 From: trwalke Date: Wed, 11 Feb 2026 22:25:52 -0800 Subject: [PATCH 4/4] Update --- Directory.Build.props | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/Directory.Build.props b/Directory.Build.props index 3c1ef88db..c9e5ba9bb 100644 --- a/Directory.Build.props +++ b/Directory.Build.props @@ -4,13 +4,11 @@ - 4.3.1-preview + 4.3.1 $(MicrosoftIdentityWebVersion) - true 4.2.0 - True $(MSBuildThisFileDirectory)/build $(BuildDirectory)/35MSSharedLib1024.snk git