Add IConfidentialClientApplicationProvider and CachePartitionKey support#3822
Merged
Conversation
IConfidentialClientApplicationProvider: new public interface that exposes the managed CCA instance for a given authentication scheme. Enables extensions to call MSAL directly with custom parameters (e.g. cache partition keys) while reusing IdWeb's CCA lifecycle and configuration. TokenAcquisitionOptions.CachePartitionKey: new optional field that threads through to MSAL's WithCachePartitionKey on AcquireTokenSilent calls. Enables partition-aware silent token lookup for downstream API calls. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Update MicrosoftIdentityClientVersion to 4.84.1 which includes WithReservedScopes and WithCachePartitionKey APIs. Add PublicAPI.Unshipped.txt entries for IConfidentialClientApplicationProvider and TokenAcquisitionOptions.CachePartitionKey to NetCore and NetFramework folders (matching the existing project convention). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add the new interface to Assert.Collection in the correct sorted position (after IMsalHttpClientFactory) instead of filtering it out. Update service count to 14. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Adds extensibility and cache-partitioning capabilities to Microsoft.Identity.Web.TokenAcquisition by exposing the managed MSAL confidential client and allowing callers to provide MSAL cache partition key components for silent token acquisition.
Changes:
- Introduces
IConfidentialClientApplicationProviderand registers it in DI, implemented byTokenAcquisition. - Adds
TokenAcquisitionOptions.CachePartitionKeyand threads it into MSALAcquireTokenSilentviaWithCachePartitionKey. - Updates public API baselines and bumps MSAL dependency to 4.84.1; adds unit tests for DI registration and options defaults.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/Microsoft.Identity.Web.Test/TokenAcquisitionTests.cs | Adds unit tests for CachePartitionKey default/setter behavior. |
| tests/Microsoft.Identity.Web.Test/ServiceCollectionExtensionsTests.cs | Extends DI registration tests to cover the new provider and updated service counts. |
| src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisitionOptions.cs | Adds CachePartitionKey option and clones it in Clone(). |
| src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs | Implements the new provider interface and applies cache partition keys to silent acquisition builder. |
| src/Microsoft.Identity.Web.TokenAcquisition/ServiceCollectionExtensions.cs | Registers IConfidentialClientApplicationProvider in DI (scoped/singleton). |
| src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/NetFramework/PublicAPI.Unshipped.txt | Declares new public API surface for NetFramework builds. |
| src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/NetCore/PublicAPI.Unshipped.txt | Declares new public API surface for NetCore builds. |
| src/Microsoft.Identity.Web.TokenAcquisition/IConfidentialClientApplicationProvider.cs | Adds the new public interface exposing the managed MSAL CCA. |
| Directory.Build.props | Bumps MSAL version from 4.84.0 to 4.84.1. |
Comments suppressed due to low confidence (1)
src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisitionOptions.cs:60
- CachePartitionKey is cloned in TokenAcquisitionOptions.Clone(), but there isn't a unit test asserting the clone is a deep copy (i.e., cloned.CachePartitionKey is not the same instance and is unaffected by subsequent mutations to the original). Adding a test would help prevent regressions since avoiding shared mutable state is part of the new behavior.
CachePartitionKey = CachePartitionKey != null
? new Dictionary<string, string>(CachePartitionKey)
: null
- Include IConfidentialClientApplicationProvider in the existing-registration check and lifetime-mismatch removal in ServiceCollectionExtensions, matching the pattern used for ITokenAcquisitionInternal and ICredentialsProvider. - Preserve dictionary comparer in TokenAcquisitionOptions.Clone() when CachePartitionKey is a Dictionary<string, string> with a custom comparer. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
cpp11nullptr
approved these changes
May 20, 2026
bgavrilMS
reviewed
May 20, 2026
bgavrilMS
reviewed
May 20, 2026
bgavrilMS
reviewed
May 20, 2026
bgavrilMS
reviewed
May 20, 2026
bgavrilMS
reviewed
May 20, 2026
bgavrilMS
reviewed
May 20, 2026
bgavrilMS
approved these changes
May 20, 2026
Member
|
Approved with comments |
- Move IConfidentialClientApplicationProvider to Microsoft.Identity.Web.Extensibility namespace - Make CachePartitionKeys internal, expose via extension method in Extensibility namespace - Rename CachePartitionKey to CachePartitionKeys - Simplify Clone (drop comparer preservation) - Remove unnecessary #pragma if applicable Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
bgavrilMS
approved these changes
May 21, 2026
This was referenced May 25, 2026
Merged
deps(nuget): Bump the microsoft-packages group with 1 update
Ellerbach/azure-ai-search-simulator#146
Merged
This was referenced May 26, 2026
Merged
Closed
github-actions Bot
pushed a commit
to EelcoLos/nx-tinkering
that referenced
this pull request
May 26, 2026
Updated [Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web) from 4.9.0 to 4.10.0. <details> <summary>Release notes</summary> _Sourced from [Microsoft.Identity.Web's releases](https://github.com/AzureAD/microsoft-identity-web/releases)._ ## 4.10.0 ### New features - Add `WithExtraBodyParameters` fluent API for attaching extra body parameters to token acquisition requests. See [#3819](AzureAD/microsoft-identity-web#3819). - Add `IConfidentialClientApplicationProvider` extensibility interface and `CachePartitionKey` support for silent token acquisition. See [#3822](AzureAD/microsoft-identity-web#3822). ### Bug fixes - Redirect URI sanitization in authorization scenarios; centralize redirect URI validation in a shared helper. See [#3825](AzureAD/microsoft-identity-web#3825). - Reject dSTS-shaped `Authority` values with a clearer exception, steering users to use `Instance` + `TenantId` instead. See [#3805](AzureAD/microsoft-identity-web#3805). - Improve regex handling and adding length/timeout safeguards for SameSite User Agent. See [#3811](AzureAD/microsoft-identity-web#3811). ### Behavior changes - **B2C OpenID Connect event handler: LRU cache for issuer address.** Issuer address lookups in the B2C OIDC event handler are now cached with an LRU cache, improving performance for repeated lookups. See [#3821](AzureAD/microsoft-identity-web#3821). ### Dependencies updates - Update MSAL.NET to 4.84.1. See [#3822](AzureAD/microsoft-identity-web#3822). - Pin `Microsoft.Kiota.Abstractions` to 1.22.0 for GraphServiceClient. See [#3817](AzureAD/microsoft-identity-web#3817). - Bump `uuid` and `@azure/msal-node` in SidecarAdapter TypeScript test app. See [#3826](AzureAD/microsoft-identity-web#3826). - Bump `qs` in SidecarAdapter TypeScript test app. See [#3829](AzureAD/microsoft-identity-web#3829). Commits viewable in [compare view](AzureAD/microsoft-identity-web@4.9.0...4.10.0). </details> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eelco Los <5102501+EelcoLos@users.noreply.github.com>
This was referenced May 26, 2026
Open
Merged
Closed
Open
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two additions to
Microsoft.Identity.Web.TokenAcquisition:IConfidentialClientApplicationProvider
New public interface that exposes the managed
IConfidentialClientApplicationfor a given authentication scheme. Enables extensions to call MSAL directly (e.g. for custom token acquisition flows) while reusing the same CCA instance, credentials, and token cache that IdWeb manages.TokenAcquisitionimplements the interface. Registered in DI alongsideITokenAcquisitionwith the same lifetime (scoped or singleton depending on configuration).TokenAcquisitionOptions.CachePartitionKey
New optional
IDictionary<string, string>property. When set,TokenAcquisitionthreads it to MSAL'sAcquireTokenSilentviaWithCachePartitionKey()(MSAL 4.84.1). Enables partition-aware silent token lookup for scenarios where cached tokens need isolation (e.g. parallel sessions for the same user with different lifetimes).The property is cloned in
TokenAcquisitionOptions.Clone()to prevent shared state.Dependencies
WithCachePartitionKeyAPI, merged and released)Directory.Build.propsbumpsMicrosoftIdentityClientVersionfrom 4.84.0 to 4.84.1Changes
IConfidentialClientApplicationProvider.csTokenAcquisition.csTokenAcquisitionOptions.csServiceCollectionExtensions.csPublicAPI/NetCore/PublicAPI.Unshipped.txtPublicAPI/NetFramework/PublicAPI.Unshipped.txtDirectory.Build.propsTesting