AzureAD · bgavrilMS · Feb 12, 2026 · Feb 11, 2026 · Feb 11, 2026 · Feb 12, 2026
@@ -7,10 +7,8 @@
     <MicrosoftIdentityWebVersion Condition="'$(MicrosoftIdentityWebVersion)' == ''">4.3.1</MicrosoftIdentityWebVersion>
     <!--This will generate AssemblyVersion, AssemblyFileVersion and AssemblyInformationVersion-->
     <Version>$(MicrosoftIdentityWebVersion)</Version>
-
     <EnablePackageValidation>true</EnablePackageValidation>
     <PackageValidationBaselineVersion>4.2.0</PackageValidationBaselineVersion>
-
     <BuildDirectory>$(MSBuildThisFileDirectory)/build</BuildDirectory>
     <AssemblyOriginatorKeyFile>$(BuildDirectory)/35MSSharedLib1024.snk</AssemblyOriginatorKeyFile>
     <RepositoryType>git</RepositoryType>

@@ -1228,13 +1228,11 @@ private void NotifyCertificateSelection(
                 string? tokenUsedToCallTheWebApi = GetActualToken(validatedToken);
 
                 AcquireTokenOnBehalfOfParameterBuilder? builder = null;
-                TokenAcquisitionExtensionOptions? addInOptions = null;
+                TokenAcquisitionExtensionOptions? addInOptions = tokenAcquisitionExtensionOptionsMonitor?.CurrentValue;
 
                 // Case of web APIs: we need to do an on-behalf-of flow, with the token used to call the API
                 if (tokenUsedToCallTheWebApi != null)
                 {
-                    addInOptions = tokenAcquisitionExtensionOptionsMonitor?.CurrentValue;
-
                     if (string.IsNullOrEmpty(tokenAcquisitionOptions?.LongRunningWebApiSessionKey))
                     {
                         builder = application

@@ -37,16 +37,20 @@ public async Task LongRunningSessionForDefaultAuthProviderForUserDefaultKeyTest(
             var claimsPrincipal = new ClaimsPrincipal(identity);
 
             var tokenAcquirerFactory = InitTokenAcquirerFactoryForTest();
+            bool argsNotNull = true;
 
             // Configure the extension option such that the event is subscribed to
             // so the test can observe if the service provider is set in the extra parameters
             tokenAcquirerFactory.Services.Configure<TokenAcquisitionExtensionOptions>(options =>
             {
                 options.OnBeforeTokenAcquisitionForOnBehalfOf += (builder, options, args) =>
                 {
-                    //verify that the ClaimsPrincipal passed in the event is the same as the one passed to CreateAuthorizationHeaderForUserAsync and that the BootstrapContext is preserved
-                    Assert.Equal(((CaseSensitiveClaimsIdentity)claimsPrincipal.Identity!).BootstrapContext, ((CaseSensitiveClaimsIdentity)args?.User?.Identity!).BootstrapContext);
-                    Assert.Equal(((CaseSensitiveClaimsIdentity)claimsPrincipal.Identity!).BootstrapContext, args.UserAssertionToken);
+                    if (argsNotNull)
+                    {
+                        //verify that the ClaimsPrincipal passed in the event is the same as the one passed to CreateAuthorizationHeaderForUserAsync and that the BootstrapContext is preserved
+                        Assert.Equal(((CaseSensitiveClaimsIdentity)claimsPrincipal.Identity!).BootstrapContext, ((CaseSensitiveClaimsIdentity)args?.User?.Identity!).BootstrapContext);
+                        Assert.Equal(((CaseSensitiveClaimsIdentity)claimsPrincipal.Identity!).BootstrapContext, args.UserAssertionToken);
+                    }
                 };
             });
             IServiceProvider serviceProvider = tokenAcquirerFactory.Build();
@@ -57,8 +61,6 @@ public async Task LongRunningSessionForDefaultAuthProviderForUserDefaultKeyTest(
 
             using (mockHttpClient)
             {
-
-
                 // Create options with LongRunningWebApiSessionKey
                 var options = new AuthorizationHeaderProviderOptions
                 {
@@ -85,6 +87,7 @@ public async Task LongRunningSessionForDefaultAuthProviderForUserDefaultKeyTest(
                 string key1 = options.AcquireTokenOptions.LongRunningWebApiSessionKey;
 
                 // Step 4: Second call without ClaimsPrincipal should return the token from cache
+                argsNotNull = false;
                 result = await authorizationHeaderProvider.CreateAuthorizationHeaderForUserAsync(
                                     scopes,
                                     options);
@@ -94,6 +97,7 @@ public async Task LongRunningSessionForDefaultAuthProviderForUserDefaultKeyTest(
                 Assert.Equal(key1, options.AcquireTokenOptions.LongRunningWebApiSessionKey);
 
                 // Step 5: First call with ClaimsPrincipal to initiate LR session for CreateAuthorizationHeaderAsync
+                argsNotNull = true;
                 scopes = new[] { "User.Write" };
                 mockHttpClient!.AddMockHandler(MockHttpCreator.CreateLrOboTokenHandler("User.Write"));
                 result = await authorizationHeaderProvider.CreateAuthorizationHeaderAsync(
@@ -105,6 +109,7 @@ public async Task LongRunningSessionForDefaultAuthProviderForUserDefaultKeyTest(
                 Assert.NotEqual(options.AcquireTokenOptions.LongRunningWebApiSessionKey, TokenAcquisitionOptions.LongRunningWebApiSessionKeyAuto);
                 key1 = options.AcquireTokenOptions.LongRunningWebApiSessionKey;
 
+                argsNotNull = false;
                 // Step 6: Second call without ClaimsPrincipal should return the token from cache for CreateAuthorizationHeaderAsync
                 result = await authorizationHeaderProvider.CreateAuthorizationHeaderAsync(
                                     scopes,