Merge main into branch; resolve PublicAPI.Unshipped.txt conflicts

Robbie-Microsoft · Copilot · Robbie-Microsoft · commit 3d12ae11ca87 · 2026-04-30T14:08:25.000-04:00
Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs b/src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs
@@ -156,7 +156,8 @@ public AcquireTokenForClientParameterBuilder WithAttributes(string attributeJson
                 { OAuth2Parameter.Attributes, _ => Task.FromResult(attributeJson) }
             };
 
-            this.WithExtraBodyParameters(extraBodyParams);
+            AbstractConfidentialClientAcquireTokenParameterBuilderExtension
+                .WithExtraBodyParameters<AcquireTokenForClientParameterBuilder>(this, extraBodyParams);
 
             return this;
         }
diff --git a/src/client/Microsoft.Identity.Client/Extensibility/AbstractConfidentialClientAcquireTokenParameterBuilderExtension.cs b/src/client/Microsoft.Identity.Client/Extensibility/AbstractConfidentialClientAcquireTokenParameterBuilderExtension.cs
@@ -7,6 +7,7 @@
 using System.Runtime.CompilerServices;
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.OAuth2;
 
 namespace Microsoft.Identity.Client.Extensibility
@@ -42,6 +43,132 @@ public static AbstractAcquireTokenParameterBuilder<T> OnBeforeTokenRequest<T>(
             return builder;
         }
 
+        /// <summary>
+        /// Sends <paramref name="attributeTokens"/> as the <c>attribute_tokens</c> body parameter
+        /// and includes them in the cache key. Null/empty/whitespace entries are ignored;
+        /// a null or empty collection is a no-op.
+        /// </summary>
+        /// <typeparam name="T">The concrete confidential client builder type.</typeparam>
+        /// <param name="builder">The builder to chain options to.</param>
+        /// <param name="attributeTokens">Attribute tokens to include. Individual tokens must not contain whitespace.</param>
+        /// <returns>The builder to chain method calls.</returns>
+        /// <remarks>
+        /// <para>
+        /// For <c>AcquireTokenForClient</c> the <c>attribute_tokens</c> set is part of the cache
+        /// partition key, so different sets are fully isolated.
+        /// </para>
+        /// <para>
+        /// For <c>AcquireTokenOnBehalfOf</c> the partition key is the user assertion hash; the
+        /// <c>attribute_tokens</c> set is stored as an item-level cache component within that
+        /// partition. Multiple variants for the same assertion coexist and are disambiguated on
+        /// read only when the caller supplies the same <c>WithAttributeTokens</c> set.
+        /// <b>Mixing attributed and non-attributed reads against the same user assertion can
+        /// return unintended cache entries or fail with <c>multiple_matching_tokens_detected</c>.</b>
+        /// Be consistent: if you used <c>WithAttributeTokens</c> on a write, use it on every
+        /// subsequent read for that assertion. Callers that require strict per-set cache isolation
+        /// across different attribute-token sets should use separate <see cref="IConfidentialClientApplication"/>
+        /// instances.
+        /// </para>
+        /// </remarks>
+        /// <exception cref="ArgumentException">Thrown when any token contains embedded whitespace.</exception>
+        /// <exception cref="MsalClientException">
+        /// Thrown when the application was not configured to allow experimental features
+        /// (this method transitively calls <see cref="WithExtraBodyParameters{T}"/>, which requires
+        /// experimental features to be enabled via <c>WithExperimentalFeatures()</c> on the application builder).
+        /// </exception>
+        public static T WithAttributeTokens<T>(
+            this AbstractConfidentialClientAcquireTokenParameterBuilder<T> builder,
+            IEnumerable<string> attributeTokens)
+            where T : AbstractConfidentialClientAcquireTokenParameterBuilder<T>
+        {
+            ILoggerAdapter logger = builder.ServiceBundle?.ApplicationLogger;
+
+            if (attributeTokens is null)
+            {
+                logger?.Verbose(() => "[WithAttributeTokens] No attribute tokens passed.");
+                return (T)builder;
+            }
+
+            var normalizedTokens = new List<string>();
+            foreach (string token in attributeTokens)
+            {
+                if (!string.IsNullOrWhiteSpace(token))
+                {
+                    string trimmed = token.Trim();
+                    if (trimmed.Any(char.IsWhiteSpace))
+                    {
+                        throw new ArgumentException(
+                            $"Attribute tokens must not contain whitespace. Invalid token: '{trimmed}'",
+                            nameof(attributeTokens));
+                    }
+
+                    normalizedTokens.Add(trimmed);
+                }
+            }
+
+            if (normalizedTokens.Count == 0)
+            {
+                logger?.Verbose(() => "[WithAttributeTokens] collection contained no usable tokens.");
+                return (T)builder;
+            }
+
+            // Deduplicate and sort so that callers passing the same logical set of tokens
+            // (in any order, with possible duplicates) hit the same cache entry and
+            // produce the same request body.
+            normalizedTokens = normalizedTokens.Distinct(StringComparer.Ordinal).ToList();
+            normalizedTokens.Sort(StringComparer.Ordinal);
+
+            string joinedTokens = string.Join(" ", normalizedTokens);
+
+            int count = normalizedTokens.Count;
+            logger?.Info(() => $"[WithAttributeTokens] Attaching {count} attribute token(s) " +
+                               "to the request body and including them in the cache key partition.");
+
+            var extraBodyParams = new Dictionary<string, Func<CancellationToken, Task<string>>>
+            {
+                { OAuth2Parameter.AttributeTokens, _ => Task.FromResult(joinedTokens) }
+            };
+
+            return builder.WithExtraBodyParameters(extraBodyParams);
+        }
+
+        /// <summary>
+        /// Add extra body parameters to the token request. These parameters are added to the cache key
+        /// to associate these parameters with the acquired token. Works for confidential client flows
+        /// (AcquireTokenForClient, AcquireTokenOnBehalfOf, AcquireTokenByAuthorizationCode).
+        /// </summary>
+        /// <typeparam name="T">The concrete confidential client builder type.</typeparam>
+        /// <param name="builder">The builder to chain options to.</param>
+        /// <param name="extraBodyParams">List of additional body parameters.</param>
+        /// <returns>The concrete builder to chain method calls.</returns>
+        public static T WithExtraBodyParameters<T>(
+            this AbstractConfidentialClientAcquireTokenParameterBuilder<T> builder,
+            Dictionary<string, Func<CancellationToken, Task<string>>> extraBodyParams)
+            where T : AbstractConfidentialClientAcquireTokenParameterBuilder<T>
+        {
+            builder.ValidateUseOfExperimentalFeature();
+
+            if (extraBodyParams == null || extraBodyParams.Count == 0)
+            {
+                return (T)builder;
+            }
+
+            builder.OnBeforeTokenRequest(async data =>
+            {
+                foreach (var param in extraBodyParams)
+                {
+                    if (param.Value != null)
+                    {
+                        data.BodyParameters.Add(param.Key, await param.Value(data.CancellationToken).ConfigureAwait(false));
+                    }
+                }
+            });
+
+            builder.WithAdditionalCacheKeyComponents(extraBodyParams);
+
+            return (T)builder;
+        }
+
         /// <summary>
         /// Binds the token to a key in the cache.No cryptographic operations is performed on the token.
         /// </summary>
diff --git a/src/client/Microsoft.Identity.Client/Extensibility/AcquireTokenForClientBuilderExtensions.cs b/src/client/Microsoft.Identity.Client/Extensibility/AcquireTokenForClientBuilderExtensions.cs
@@ -49,27 +49,14 @@ public static AcquireTokenForClientParameterBuilder WithProofOfPosessionKeyId(
         /// <param name="builder"></param>
         /// <param name="extrabodyparams">List of additional body parameters</param>
         /// <returns></returns>
+        [EditorBrowsable(EditorBrowsableState.Never)] // Soft deprecate; prefer the generic overload on AbstractConfidentialClientAcquireTokenParameterBuilderExtension that also supports OBO and AuthorizationCode.
+        [Obsolete("Use AbstractConfidentialClientAcquireTokenParameterBuilderExtension.WithExtraBodyParameters instead, which also supports OBO and AuthorizationCode flows.", false)]
         public static AcquireTokenForClientParameterBuilder WithExtraBodyParameters(
             this AcquireTokenForClientParameterBuilder builder, 
             Dictionary<string, Func<CancellationToken, Task<string>>> extrabodyparams)
         {
-            builder.ValidateUseOfExperimentalFeature();
-            if (extrabodyparams == null || extrabodyparams.Count == 0)
-            {
-                return builder;
-            }
-            builder.OnBeforeTokenRequest(async (data) =>
-            {
-                foreach (var param in extrabodyparams)
-                {
-                    if (param.Value != null)
-                    {
-                        data.BodyParameters.Add(param.Key, await param.Value(data.CancellationToken).ConfigureAwait(false));
-                    }
-                }
-            });
-
-            builder.WithAdditionalCacheKeyComponents(extrabodyparams);
+            AbstractConfidentialClientAcquireTokenParameterBuilderExtension
+                .WithExtraBodyParameters<AcquireTokenForClientParameterBuilder>(builder, extrabodyparams);
             return builder;
         }
     }
diff --git a/src/client/Microsoft.Identity.Client/OAuth2/OAuthConstants.cs b/src/client/Microsoft.Identity.Client/OAuth2/OAuthConstants.cs
@@ -46,6 +46,7 @@ internal static class OAuth2Parameter
         public const string SpaCode = "return_spa_code"; // not a standard OAuth2 param
         public const string FmiPath = "fmi_path"; // not a standard OAuth2 param
         public const string Attributes = "attributes"; // not a standard OAuth2 param
+        public const string AttributeTokens = "attribute_tokens"; // not a standard OAuth2 param
         public const string UserFederatedIdentityCredential = "user_federated_identity_credential"; // user_fic grant type parameter
     }
 
diff --git a/src/client/Microsoft.Identity.Client/PublicApi/net462/PublicAPI.Unshipped.txt b/src/client/Microsoft.Identity.Client/PublicApi/net462/PublicAPI.Unshipped.txt
@@ -9,4 +9,6 @@ Microsoft.Identity.Client.Extensibility.AuthenticationResultExtensions
 const Microsoft.Identity.Client.MsalError.InternalCacheDisabled = "internal_cache_disabled" -> string
 const Microsoft.Identity.Client.MsalError.InvalidCredentialMaterial = "invalid_credential_material" -> string
 static Microsoft.Identity.Client.CacheOptions.DisableInternalCacheOptions.get -> Microsoft.Identity.Client.CacheOptions
+static Microsoft.Identity.Client.Extensibility.AbstractConfidentialClientAcquireTokenParameterBuilderExtension.WithAttributeTokens<T>(this Microsoft.Identity.Client.AbstractConfidentialClientAcquireTokenParameterBuilder<T> builder, System.Collections.Generic.IEnumerable<string> attributeTokens) -> T
+static Microsoft.Identity.Client.Extensibility.AbstractConfidentialClientAcquireTokenParameterBuilderExtension.WithExtraBodyParameters<T>(this Microsoft.Identity.Client.AbstractConfidentialClientAcquireTokenParameterBuilder<T> builder, System.Collections.Generic.Dictionary<string, System.Func<System.Threading.CancellationToken, System.Threading.Tasks.Task<string>>> extraBodyParams) -> T
 static Microsoft.Identity.Client.Extensibility.AuthenticationResultExtensions.GetRefreshToken(this Microsoft.Identity.Client.AuthenticationResult result) -> string
diff --git a/src/client/Microsoft.Identity.Client/PublicApi/net472/PublicAPI.Unshipped.txt b/src/client/Microsoft.Identity.Client/PublicApi/net472/PublicAPI.Unshipped.txt
@@ -9,4 +9,6 @@ Microsoft.Identity.Client.Extensibility.AuthenticationResultExtensions
 const Microsoft.Identity.Client.MsalError.InternalCacheDisabled = "internal_cache_disabled" -> string
 const Microsoft.Identity.Client.MsalError.InvalidCredentialMaterial = "invalid_credential_material" -> string
 static Microsoft.Identity.Client.CacheOptions.DisableInternalCacheOptions.get -> Microsoft.Identity.Client.CacheOptions
+static Microsoft.Identity.Client.Extensibility.AbstractConfidentialClientAcquireTokenParameterBuilderExtension.WithAttributeTokens<T>(this Microsoft.Identity.Client.AbstractConfidentialClientAcquireTokenParameterBuilder<T> builder, System.Collections.Generic.IEnumerable<string> attributeTokens) -> T
+static Microsoft.Identity.Client.Extensibility.AbstractConfidentialClientAcquireTokenParameterBuilderExtension.WithExtraBodyParameters<T>(this Microsoft.Identity.Client.AbstractConfidentialClientAcquireTokenParameterBuilder<T> builder, System.Collections.Generic.Dictionary<string, System.Func<System.Threading.CancellationToken, System.Threading.Tasks.Task<string>>> extraBodyParams) -> T
 static Microsoft.Identity.Client.Extensibility.AuthenticationResultExtensions.GetRefreshToken(this Microsoft.Identity.Client.AuthenticationResult result) -> string
diff --git a/src/client/Microsoft.Identity.Client/PublicApi/net8.0-android/PublicAPI.Unshipped.txt b/src/client/Microsoft.Identity.Client/PublicApi/net8.0-android/PublicAPI.Unshipped.txt
@@ -9,4 +9,6 @@ Microsoft.Identity.Client.Extensibility.AuthenticationResultExtensions
 const Microsoft.Identity.Client.MsalError.InternalCacheDisabled = "internal_cache_disabled" -> string
 const Microsoft.Identity.Client.MsalError.InvalidCredentialMaterial = "invalid_credential_material" -> string
 static Microsoft.Identity.Client.CacheOptions.DisableInternalCacheOptions.get -> Microsoft.Identity.Client.CacheOptions
+static Microsoft.Identity.Client.Extensibility.AbstractConfidentialClientAcquireTokenParameterBuilderExtension.WithAttributeTokens<T>(this Microsoft.Identity.Client.AbstractConfidentialClientAcquireTokenParameterBuilder<T> builder, System.Collections.Generic.IEnumerable<string> attributeTokens) -> T
+static Microsoft.Identity.Client.Extensibility.AbstractConfidentialClientAcquireTokenParameterBuilderExtension.WithExtraBodyParameters<T>(this Microsoft.Identity.Client.AbstractConfidentialClientAcquireTokenParameterBuilder<T> builder, System.Collections.Generic.Dictionary<string, System.Func<System.Threading.CancellationToken, System.Threading.Tasks.Task<string>>> extraBodyParams) -> T
 static Microsoft.Identity.Client.Extensibility.AuthenticationResultExtensions.GetRefreshToken(this Microsoft.Identity.Client.AuthenticationResult result) -> string
diff --git a/src/client/Microsoft.Identity.Client/PublicApi/net8.0-ios/PublicAPI.Unshipped.txt b/src/client/Microsoft.Identity.Client/PublicApi/net8.0-ios/PublicAPI.Unshipped.txt
@@ -9,4 +9,6 @@ Microsoft.Identity.Client.Extensibility.AuthenticationResultExtensions
 const Microsoft.Identity.Client.MsalError.InternalCacheDisabled = "internal_cache_disabled" -> string
 const Microsoft.Identity.Client.MsalError.InvalidCredentialMaterial = "invalid_credential_material" -> string
 static Microsoft.Identity.Client.CacheOptions.DisableInternalCacheOptions.get -> Microsoft.Identity.Client.CacheOptions
+static Microsoft.Identity.Client.Extensibility.AbstractConfidentialClientAcquireTokenParameterBuilderExtension.WithAttributeTokens<T>(this Microsoft.Identity.Client.AbstractConfidentialClientAcquireTokenParameterBuilder<T> builder, System.Collections.Generic.IEnumerable<string> attributeTokens) -> T
+static Microsoft.Identity.Client.Extensibility.AbstractConfidentialClientAcquireTokenParameterBuilderExtension.WithExtraBodyParameters<T>(this Microsoft.Identity.Client.AbstractConfidentialClientAcquireTokenParameterBuilder<T> builder, System.Collections.Generic.Dictionary<string, System.Func<System.Threading.CancellationToken, System.Threading.Tasks.Task<string>>> extraBodyParams) -> T
 static Microsoft.Identity.Client.Extensibility.AuthenticationResultExtensions.GetRefreshToken(this Microsoft.Identity.Client.AuthenticationResult result) -> string
diff --git a/src/client/Microsoft.Identity.Client/PublicApi/net8.0/PublicAPI.Unshipped.txt b/src/client/Microsoft.Identity.Client/PublicApi/net8.0/PublicAPI.Unshipped.txt
@@ -9,4 +9,6 @@ Microsoft.Identity.Client.Extensibility.AuthenticationResultExtensions
 const Microsoft.Identity.Client.MsalError.InternalCacheDisabled = "internal_cache_disabled" -> string
 const Microsoft.Identity.Client.MsalError.InvalidCredentialMaterial = "invalid_credential_material" -> string
 static Microsoft.Identity.Client.CacheOptions.DisableInternalCacheOptions.get -> Microsoft.Identity.Client.CacheOptions
+static Microsoft.Identity.Client.Extensibility.AbstractConfidentialClientAcquireTokenParameterBuilderExtension.WithAttributeTokens<T>(this Microsoft.Identity.Client.AbstractConfidentialClientAcquireTokenParameterBuilder<T> builder, System.Collections.Generic.IEnumerable<string> attributeTokens) -> T
+static Microsoft.Identity.Client.Extensibility.AbstractConfidentialClientAcquireTokenParameterBuilderExtension.WithExtraBodyParameters<T>(this Microsoft.Identity.Client.AbstractConfidentialClientAcquireTokenParameterBuilder<T> builder, System.Collections.Generic.Dictionary<string, System.Func<System.Threading.CancellationToken, System.Threading.Tasks.Task<string>>> extraBodyParams) -> T
 static Microsoft.Identity.Client.Extensibility.AuthenticationResultExtensions.GetRefreshToken(this Microsoft.Identity.Client.AuthenticationResult result) -> string
diff --git a/src/client/Microsoft.Identity.Client/PublicApi/netstandard2.0/PublicAPI.Unshipped.txt b/src/client/Microsoft.Identity.Client/PublicApi/netstandard2.0/PublicAPI.Unshipped.txt
@@ -9,4 +9,6 @@ Microsoft.Identity.Client.Extensibility.AuthenticationResultExtensions
 const Microsoft.Identity.Client.MsalError.InternalCacheDisabled = "internal_cache_disabled" -> string
 const Microsoft.Identity.Client.MsalError.InvalidCredentialMaterial = "invalid_credential_material" -> string
 static Microsoft.Identity.Client.CacheOptions.DisableInternalCacheOptions.get -> Microsoft.Identity.Client.CacheOptions
+static Microsoft.Identity.Client.Extensibility.AbstractConfidentialClientAcquireTokenParameterBuilderExtension.WithAttributeTokens<T>(this Microsoft.Identity.Client.AbstractConfidentialClientAcquireTokenParameterBuilder<T> builder, System.Collections.Generic.IEnumerable<string> attributeTokens) -> T
+static Microsoft.Identity.Client.Extensibility.AbstractConfidentialClientAcquireTokenParameterBuilderExtension.WithExtraBodyParameters<T>(this Microsoft.Identity.Client.AbstractConfidentialClientAcquireTokenParameterBuilder<T> builder, System.Collections.Generic.Dictionary<string, System.Func<System.Threading.CancellationToken, System.Threading.Tasks.Task<string>>> extraBodyParams) -> T
 static Microsoft.Identity.Client.Extensibility.AuthenticationResultExtensions.GetRefreshToken(this Microsoft.Identity.Client.AuthenticationResult result) -> string
diff --git a/tests/Microsoft.Identity.Test.Unit/PublicApiTests/ExtraBodyParametersTests.cs b/tests/Microsoft.Identity.Test.Unit/PublicApiTests/ExtraBodyParametersTests.cs
@@ -11,6 +11,8 @@
 using Microsoft.Identity.Test.Common.Core.Helpers;
 using Microsoft.Identity.Client.Extensibility;
 
+#pragma warning disable CS0618 // Tests intentionally exercise the obsolete AcquireTokenForClientBuilderExtensions.WithExtraBodyParameters overload.
+
 namespace Microsoft.Identity.Test.Unit.PublicApiTests
 {
     [TestClass]
diff --git a/tests/Microsoft.Identity.Test.Unit/PublicApiTests/WithAttributeTokensTests.cs b/tests/Microsoft.Identity.Test.Unit/PublicApiTests/WithAttributeTokensTests.cs

Original file line number	Diff line number	Diff line change
`@@ -156,7 +156,8 @@ public AcquireTokenForClientParameterBuilder WithAttributes(string attributeJson`
`156`	`156`	`{ OAuth2Parameter.Attributes, _ => Task.FromResult(attributeJson) }`
`157`	`157`	`};`
`158`	`158`
`159`		`- this.WithExtraBodyParameters(extraBodyParams);`
	`159`	`+ AbstractConfidentialClientAcquireTokenParameterBuilderExtension`
	`160`	`+ .WithExtraBodyParameters<AcquireTokenForClientParameterBuilder>(this, extraBodyParams);`
`160`	`161`
`161`	`162`	`return this;`
`162`	`163`	`}`
Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,7 @@ internal static class OAuth2Parameter`
`46`	`46`	`public const string SpaCode = "return_spa_code"; // not a standard OAuth2 param`
`47`	`47`	`public const string FmiPath = "fmi_path"; // not a standard OAuth2 param`
`48`	`48`	`public const string Attributes = "attributes"; // not a standard OAuth2 param`
	`49`	`+ public const string AttributeTokens = "attribute_tokens"; // not a standard OAuth2 param`
`49`	`50`	`public const string UserFederatedIdentityCredential = "user_federated_identity_credential"; // user_fic grant type parameter`
`50`	`51`	`}`
`51`	`52`