From a61ee96113f1e3baa30c2f8fe9a87b337ab2d0ec Mon Sep 17 00:00:00 2001
From: avdunn <avdunn@microsoft.com>
Date: Fri, 17 Apr 2026 12:26:38 -0700
Subject: [PATCH 1/2] Fix CredentialsProvider DI lifetime mismatch causing
 startup crash in Development

---
 .../ServiceCollectionExtensions.cs                  | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/ServiceCollectionExtensions.cs b/src/Microsoft.Identity.Web.TokenAcquisition/ServiceCollectionExtensions.cs
index dee774478..076ae6c6b 100644
--- a/src/Microsoft.Identity.Web.TokenAcquisition/ServiceCollectionExtensions.cs
+++ b/src/Microsoft.Identity.Web.TokenAcquisition/ServiceCollectionExtensions.cs
@@ -46,11 +46,6 @@ public static IServiceCollection AddTokenAcquisition(
             bool forceSdk = !services.Any(s => s.ServiceType.FullName == "Microsoft.AspNetCore.Authentication.IAuthenticationService");
 #endif
 
-            if (!HasImplementationType(services, typeof(CredentialsProvider)))
-            {
-                services.TryAddSingleton<ICredentialsProvider, CredentialsProvider>();
-            }
-
             if (!HasImplementationType(services, typeof(DefaultCertificateLoader)))
             {
                 services.TryAddSingleton<ICredentialsLoader, DefaultCertificateLoader>();
@@ -139,6 +134,10 @@ public static IServiceCollection AddTokenAcquisition(
                 services.AddSingleton<Abstractions.IAuthenticationSchemeInformationProvider>(sp =>
                     sp.GetRequiredService<ITokenAcquisitionHost>());
                 services.AddSingleton<IAuthorizationHeaderProvider, DefaultAuthorizationHeaderProvider>();
+                if (!HasImplementationType(services, typeof(CredentialsProvider)))
+                {
+                    services.TryAddSingleton<ICredentialsProvider, CredentialsProvider>();
+                }
             }
             else
             {
@@ -169,6 +168,10 @@ public static IServiceCollection AddTokenAcquisition(
                 services.AddScoped<Abstractions.IAuthenticationSchemeInformationProvider>(sp =>
                     sp.GetRequiredService<ITokenAcquisitionHost>());
                 services.AddScoped<IAuthorizationHeaderProvider, DefaultAuthorizationHeaderProvider>();
+                if (!HasImplementationType(services, typeof(CredentialsProvider)))
+                {
+                    services.TryAddScoped<ICredentialsProvider, CredentialsProvider>();
+                }
             }
 
             services.TryAddSingleton<IMergedOptionsStore, MergedOptionsStore>();

From b51fe606b453de4f584b4d3382bfbde06c0a8b82 Mon Sep 17 00:00:00 2001
From: avdunn <avdunn@microsoft.com>
Date: Fri, 17 Apr 2026 14:06:50 -0700
Subject: [PATCH 2/2] Fix lifetime mismatch issue

---
 .../ServiceCollectionExtensions.cs                          | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/ServiceCollectionExtensions.cs b/src/Microsoft.Identity.Web.TokenAcquisition/ServiceCollectionExtensions.cs
index 076ae6c6b..79c22d8bf 100644
--- a/src/Microsoft.Identity.Web.TokenAcquisition/ServiceCollectionExtensions.cs
+++ b/src/Microsoft.Identity.Web.TokenAcquisition/ServiceCollectionExtensions.cs
@@ -75,6 +75,7 @@ public static IServiceCollection AddTokenAcquisition(
             ServiceDescriptor? authenticationHeaderCreator = services.FirstOrDefault(s => s.ServiceType == typeof(IAuthorizationHeaderProvider));
             ServiceDescriptor? tokenAcquirerFactory = services.FirstOrDefault(s => s.ServiceType == typeof(ITokenAcquirerFactory));
             ServiceDescriptor? authSchemeInfoProvider = services.FirstOrDefault(s => s.ServiceType == typeof(Abstractions.IAuthenticationSchemeInformationProvider));
+            ServiceDescriptor? credentialsProviderService = services.FirstOrDefault(s => s.ServiceType == typeof(ICredentialsProvider));
 
             if (tokenAcquisitionService != null && tokenAcquisitionInternalService != null &&
                 tokenAcquisitionhost != null && authenticationHeaderCreator != null && authSchemeInfoProvider != null)
@@ -88,6 +89,11 @@ public static IServiceCollection AddTokenAcquisition(
                     services.Remove(authenticationHeaderCreator);
                     services.Remove(authSchemeInfoProvider);
 
+                    if (credentialsProviderService != null)
+                    {
+                        services.Remove(credentialsProviderService);
+                    }
+
                     // To support ASP.NET Core 2.x on .NET FW. It won't use the TokenAcquirerFactory.GetDefaultInstance()
                     if (tokenAcquirerFactory != null)
                     {