Merge branch 'main' into bogavril/5809

Author: bgavrilMS

.github/copilot-instructions.md

@@ -1,3 +1,67 @@
+# Code Review Rules
+
+These rules apply to Copilot code review. Read all rules before commenting.
+
+## Review scope
+
+- Only comment on lines added or modified in the PR diff
+- Do not comment on pre-existing code unless the PR directly introduces the issue
+- Do not comment on style, formatting, or indentation
+- Focus exclusively on: bugs, security issues, logic errors, API contract violations
+- If unsure whether something is a bug, do not comment
+- Prefer no comment over a speculative comment
+- Do not re-post a comment already made on an earlier commit in the same PR
+
+## Repo-specific patterns — do NOT flag these
+
+These patterns are correct in this repo. Do not suggest changes:
+
+- `[RunOn]` inherits from `TestMethodAttribute`. Do not flag as missing `[TestMethod]`
+- `Client.AppConfig.X` resolves via parent namespace `Microsoft.Identity`. Do not flag as unresolved namespace
+- `Assert.IsTrue(bool?)` is a valid MSTest overload. Do not flag nullable bool as a type mismatch
+- `Assert.DoesNotContain(substring, value)` — MSTest v4 signature is substring first, value second
+- `ConfigureAwait(false)` is intentional in library code. Do not suggest removal
+
+## ConcurrentDictionary.GetOrAdd — always use factory delegate
+
+`GetOrAdd(key, value)` eagerly evaluates the value arg. Flag any call where the second argument is not a delegate/lambda/method group:
+
+- Bad: `pool.GetOrAdd(key, new ExpensiveObject());`
+- Good: `pool.GetOrAdd(key, _ => new ExpensiveObject());`
+
+## C# coding standards
+
+- Use `is null` / `is not null` instead of `== null` / `!= null`
+- No reflection in product code (`/src`). Acceptable in tests
+- Static fields: `s_camelCase` (e.g., `s_knownHosts`)
+- Ordinal string comparisons for protocol values, identifiers, cache keys
+- Validate inputs at method boundaries (fail fast with specific exception types)
+- Do not include secrets/tokens/PII in exception messages or logs
+- Use `nameof` instead of string literals for member names
+
+## Testing standards
+
+- MSTest SDK v4 with NSubstitute for mocking
+- Use `// Arrange`, `// Act`, `// Assert` comments
+- Prefer deterministic tests (no timing flakiness)
+
+## Public API changes
+
+- Update `PublicAPI.Unshipped.txt` for any public API additions/removals
+- XML doc comments required on all public APIs
+- Maintain backward compatibility
+
+## MSAL-specific rules
+
+- Use certificate-based auth over client secrets when possible
+- Use async APIs consistently
+- Keep dependencies minimal and well-justified
+
+---
+
+<!-- Everything below this line is for Copilot Chat and Copilot Agent only. -->
+<!-- Copilot code review reads only the first 4,000 characters of this file. -->
+
 Carefully review all markdown documents in the ../.clinerules folder. Those are your custom instructions.
 
 ---

.github/instructions/src.instructions.md

@@ -0,0 +1,37 @@
+# Source code review rules
+
+Applies to: src/**/*.cs
+
+These rules apply when reviewing production source code in this repository.
+
+## Namespace resolution — do NOT flag
+
+- `Client.AppConfig.X`, `Client.Internal.X`, and similar short namespace references resolve via parent namespace `Microsoft.Identity`. Do not flag as unresolved.
+
+## ConcurrentDictionary.GetOrAdd
+
+`GetOrAdd(key, value)` eagerly evaluates the value argument. Flag any call where the second argument is not a delegate/lambda/method group:
+
+- Bad: `pool.GetOrAdd(key, new ExpensiveObject());`
+- Good: `pool.GetOrAdd(key, _ => new ExpensiveObject());`
+
+## `ConfigureAwait(false)`
+
+`ConfigureAwait(false)` is intentional in library code. Do not suggest removal.
+
+## Public API changes
+
+- Any public API additions or removals must be reflected in `PublicAPI.Unshipped.txt`
+- XML doc comments are required on all public APIs
+- Maintain backward compatibility — breaking changes require explicit justification
+
+## MSAL-specific
+
+- Keep dependencies minimal and well-justified
+
+## Scope
+
+- Only comment on source code added or modified in the PR diff
+- Do not comment on pre-existing code unless the PR directly introduces the issue
+- Do not comment on style or formatting — coding standards are enforced via .editorconfig
+- Focus on: bugs, security issues, logic errors, API contract violations

.github/instructions/tests.instructions.md

@@ -0,0 +1,25 @@
+# Test file review rules
+
+Applies to: tests/**/*.cs
+
+These rules apply when reviewing test files in this repository.
+
+## Test framework patterns — do NOT flag
+
+- `[RunOn]` inherits from `TestMethodAttribute` (see `tests/Microsoft.Identity.Test.Integration.netcore/Infrastructure/TargetFramework.cs` line 15). Tests decorated with `[RunOn]` WILL be discovered by MSTest. Do not flag as missing `[TestMethod]`.
+- `Assert.IsTrue(bool?)` is a valid MSTest overload. Do not flag nullable bool arguments as type mismatches.
+- `Assert.DoesNotContain(substring, value)` — in MSTest v4, the first argument is the substring and the second is the value to search. Do not suggest swapping arguments.
+- `Assert.HasCount(expected, collection)` — valid MSTest v4 assertion. Do not suggest `Assert.AreEqual` for count checks.
+
+## Test conventions
+
+- Use MSTest SDK v4 with NSubstitute for mocking
+- Use `// Arrange`, `// Act`, `// Assert` comments
+- Prefer deterministic tests: avoid `Thread.Sleep`, timing dependencies, or environment-specific behavior
+- Copy existing style in nearby files for test method names
+
+## Scope
+
+- Only comment on test code that is added or modified in the PR diff
+- Do not comment on pre-existing test patterns or style
+- Do not re-post comments already made on earlier commits

.github/workflows/auto-answer-issues.yml

@@ -0,0 +1,151 @@
+name: Auto-Answer Issues
+
+on:
+  issues:
+    types: [opened, labeled]
+
+permissions:
+  issues: write
+  contents: read
+
+jobs:
+  answer-issue:
+    runs-on: ubuntu-latest
+    # Only run for issues created by org members or owners (i.e., Microsoft Open Source enterprise members).
+    # github.event.issue.author_association is set by GitHub based on the issue author's relationship
+    # to this repository. MEMBER = org member, OWNER = repo/org owner. This prevents untrusted
+    # external contributors from triggering the Azure OpenAI-backed responder and consuming secrets/tokens.
+    if: |
+      github.event.issue.author_association == 'MEMBER' ||
+      github.event.issue.author_association == 'OWNER' ||
+      github.event.issue.author_association == 'COLLABORATOR'
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        run: npm install @octokit/rest openai
+
+      - name: Generate and post response
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          AZURE_OPENAI_API_KEY: ${{ secrets.AZURE_OPENAI_API_KEY }}
+          AZURE_OPENAI_ENDPOINT: ${{ secrets.AZURE_OPENAI_ENDPOINT }}
+          AZURE_OPENAI_DEPLOYMENT: ${{ secrets.AZURE_OPENAI_DEPLOYMENT }}
+          AZURE_OPENAI_API_VERSION: "2024-12-01-preview"
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+          ISSUE_TITLE: ${{ github.event.issue.title }}
+          ISSUE_BODY: ${{ github.event.issue.body }}
+          REPO_OWNER: ${{ github.repository_owner }}
+          REPO_NAME: ${{ github.event.repository.name }}
+        run: |
+          node - << 'EOF'
+          async function main() {
+            // Use dynamic import() for ESM-only packages (openai v4+ and @octokit/rest v19+
+            // are ESM-only; dynamic import() works from CommonJS in Node 20).
+            const { Octokit } = await import("@octokit/rest");
+            const { AzureOpenAI } = await import("openai");
+            const {
+              GITHUB_TOKEN,
+              AZURE_OPENAI_API_KEY,
+              AZURE_OPENAI_ENDPOINT,
+              AZURE_OPENAI_DEPLOYMENT,
+              AZURE_OPENAI_API_VERSION,
+              ISSUE_NUMBER,
+              ISSUE_TITLE,
+              ISSUE_BODY,
+              REPO_OWNER,
+              REPO_NAME
+            } = process.env;
+          
+            if (!GITHUB_TOKEN) {
+              throw new Error("GITHUB_TOKEN is not set.");
+            }
+            if (!AZURE_OPENAI_API_KEY) {
+              throw new Error("AZURE_OPENAI_API_KEY is not set.");
+            }
+            if (!AZURE_OPENAI_ENDPOINT) {
+              throw new Error("AZURE_OPENAI_ENDPOINT is not set.");
+            }
+            if (!AZURE_OPENAI_DEPLOYMENT) {
+              throw new Error("AZURE_OPENAI_DEPLOYMENT is not set.");
+            }
+            if (!ISSUE_NUMBER || !REPO_OWNER || !REPO_NAME) {
+              throw new Error("Required issue/repository environment variables are missing.");
+            }
+          
+            const issueNumber = parseInt(ISSUE_NUMBER, 10);
+            const title = ISSUE_TITLE || "";
+            const body = ISSUE_BODY || "";
+          
+            const octokit = new Octokit({ auth: GITHUB_TOKEN });
+
+            // Check if the bot has already commented on this issue to avoid duplicate responses.
+            const comments = await octokit.paginate(octokit.issues.listComments, {
+              owner: REPO_OWNER,
+              repo: REPO_NAME,
+              issue_number: issueNumber,
+              per_page: 100
+            });
+            const botAlreadyCommented = comments.some(
+              (comment) => comment.user?.login === "github-actions[bot]"
+            );
+            if (botAlreadyCommented) {
+              console.log("Bot has already commented on this issue. Skipping.");
+              return;
+            }
+
+            const openai = new AzureOpenAI({
+              apiKey: AZURE_OPENAI_API_KEY,
+              endpoint: AZURE_OPENAI_ENDPOINT,
+              deployment: AZURE_OPENAI_DEPLOYMENT,
+              apiVersion: AZURE_OPENAI_API_VERSION
+            });
+          
+            const prompt = `
+You are a helpful GitHub assistant. An issue has been opened in the repository \`${REPO_OWNER}/${REPO_NAME}\`.
+
+Title:
+${title}
+
+Body:
+${body}
+
+Please write a concise, friendly reply that:
+- Acknowledges the question or issue.
+- Asks for any missing information if needed.
+- Suggests next steps or possible causes based only on the information provided.
+- Uses markdown formatting suitable for a GitHub issue comment.
+`;
+          
+            const completion = await openai.chat.completions.create({
+              model: AZURE_OPENAI_DEPLOYMENT,
+              messages: [
+                { role: "system", content: "You are a helpful assistant for triaging GitHub issues." },
+                { role: "user", content: prompt }
+              ]
+            });
+          
+            const reply = (completion.choices[0]?.message?.content || "").trim();
+            if (!reply) {
+              throw new Error("Azure OpenAI returned an empty response.");
+            }
+          
+            await octokit.issues.createComment({
+              owner: REPO_OWNER,
+              repo: REPO_NAME,
+              issue_number: issueNumber,
+              body: reply
+            });
+          }
+          
+          main().catch((error) => {
+            console.error("Failed to generate or post response:", error);
+            process.exit(1);
+          });
+          EOF

CHANGELOG.md

@@ -1,3 +1,29 @@
+4.84.0
+======
+
+### New Features
+- Added `CacheOptions.DisableInternalCacheOptions` static property and `CacheOptions.IsInternalCacheDisabled` to allow disabling MSAL's internal token cache. Added `CacheRefreshReason.CacheDisabled` and `MsalError.InternalCacheDisabled` to support this scenario. [#5947](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5947)
+- Added `AuthenticationResultExtensions.GetRefreshToken()` extension method for accessing refresh tokens from `AuthenticationResult`. [#5947](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5947)
+- Added `WithAttributeTokens` and `WithExtraBodyParameters` extension methods on `AbstractConfidentialClientAcquireTokenParameterBuilder` for enhanced extensibility. [#5888](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5888)
+- Added `CertificateOptions.SendCertificateOverMtls` for mTLS Proof-of-Possession certificate support. [#5849](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5849)
+- Added `AssertionRequestOptions.CorrelationId` property for correlation ID support in FIC assertion requests. [#5937](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5937)
+
+### Changes
+- Removed experimental feature gate from `WithClientAssertion(ClientSignedAssertion)` overload. [#5945](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5945)
+- Removed embedded Newtonsoft.Json dependency, migrated to `System.Text.Json` exclusively. [#5959](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5959)
+- Removed mTLS PoP region as a hard requirement. [#5902](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5902)
+- Refactored client credential material resolution. [#5835](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5835)
+- Added in-process MAA token caching to PopKeyAttestor. [#5887](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5887)
+- Added raw STS error code to MsalFailure metric. [#5961](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5961)
+- Support forwarding MSAL client metadata headers through IMDS to ESTS. [#5912](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5912)
+
+### Bug Fixes
+- Fixed eager evaluation in `ConcurrentDictionary.GetOrAdd` calls. [#5950](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5950)
+- Fixed `System.ValueTuple` conditional dependency to `net462` only. [#5894](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5894)
+- Validated `clientSignedAssertionProvider` delegate is non-null in `WithClientAssertion`. [#5956](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5956)
+- Improved `MtlsPopTokenNotSupportedinImdsV1` error message clarity. [#5908](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5908)
+- Added additional checks for issuer validation. [#5931](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5931)
+
 4.83.3
 ======
 

Directory.Packages.props

@@ -69,8 +69,8 @@
     <PackageVersion Include="NuGet.Versioning" Version="6.8.0" />
     <PackageVersion Include="NUnit" Version="3.13.3" />
     <PackageVersion Include="NUnit3TestAdapter" Version="4.5.0" />
-    <PackageVersion Include="OpenTelemetry.Exporter.Console" Version="1.6.0" />
-    <PackageVersion Include="OpenTelemetry.Exporter.InMemory" Version="1.6.0" />
+    <PackageVersion Include="OpenTelemetry.Exporter.Console" Version="1.15.3" />
+    <PackageVersion Include="OpenTelemetry.Exporter.InMemory" Version="1.15.3" />
     <PackageVersion Include="Polly" Version="7.2.3" />
     <PackageVersion Include="Selenium.Support" Version="4.19.0" />
     <PackageVersion Include="Selenium.WebDriver" Version="4.19.0" />

PerformanceTests.sln

@@ -9,6 +9,10 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Identity.Client.T
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Identity.Client", "src\client\Microsoft.Identity.Client\Microsoft.Identity.Client.csproj", "{E94D56E5-AAF5-4BF1-B956-BB600F6E1C0C}"
 EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Identity.Lab.Api", "src\client\Microsoft.Identity.Lab.Api\Microsoft.Identity.Lab.Api.csproj", "{4A4136D1-8A7B-4C95-9328-DF7CA4F437C6}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Identity.Test.Common", "tests\Microsoft.Identity.Test.Common\Microsoft.Identity.Test.Common.csproj", "{A1839AD4-12CE-4C9F-9E46-55F76A0A68DD}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -23,6 +27,14 @@ Global
 		{E94D56E5-AAF5-4BF1-B956-BB600F6E1C0C}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{E94D56E5-AAF5-4BF1-B956-BB600F6E1C0C}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{E94D56E5-AAF5-4BF1-B956-BB600F6E1C0C}.Release|Any CPU.Build.0 = Release|Any CPU
+		{4A4136D1-8A7B-4C95-9328-DF7CA4F437C6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{4A4136D1-8A7B-4C95-9328-DF7CA4F437C6}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{4A4136D1-8A7B-4C95-9328-DF7CA4F437C6}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{4A4136D1-8A7B-4C95-9328-DF7CA4F437C6}.Release|Any CPU.Build.0 = Release|Any CPU
+		{A1839AD4-12CE-4C9F-9E46-55F76A0A68DD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{A1839AD4-12CE-4C9F-9E46-55F76A0A68DD}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{A1839AD4-12CE-4C9F-9E46-55F76A0A68DD}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{A1839AD4-12CE-4C9F-9E46-55F76A0A68DD}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

build/pipeline-perf-tests-automation.yaml

@@ -37,6 +37,12 @@ jobs:
       inputs:
         restoreSolution: PerformanceTests.sln
 
+    - task: DotNetCoreCLI@2
+      displayName: 'dotnet restore'
+      inputs:
+        command: 'restore'
+        projects: 'PerformanceTests.sln'
+
     - task: MSBuild@1
       displayName: Build PerformanceTests.sln
       inputs:

build/platform_and_feature_flags.props

@@ -1,6 +1,10 @@
 <Project>
+  <!-- System.Text.Json is used on all target frameworks -->
+  <PropertyGroup>
+    <DefineConstants>$(DefineConstants);SUPPORTS_SYSTEM_TEXT_JSON</DefineConstants>
+  </PropertyGroup>
   <PropertyGroup Condition="'$(TargetFramework)' == '$(TargetFrameworkNetCore)' or '$(TargetFramework)' == '$(TargetFrameworkNet)'">
-    <DefineConstants>$(DefineConstants);SUPPORTS_SYSTEM_TEXT_JSON;NET_CORE;SUPPORTS_CONFIDENTIAL_CLIENT;SUPPORTS_CUSTOM_CACHE;SUPPORTS_BROKER;SUPPORTS_WIN32;</DefineConstants>
+    <DefineConstants>$(DefineConstants);NET_CORE;SUPPORTS_CONFIDENTIAL_CLIENT;SUPPORTS_CUSTOM_CACHE;SUPPORTS_BROKER;SUPPORTS_WIN32;</DefineConstants>
   </PropertyGroup>
   <PropertyGroup Condition="'$(TargetFramework)' == '$(TargetFrameworkNet)' or '$(TargetFramework)' == '$(TargetFrameworkNetDesktop462)' or '$(TargetFramework)' == '$(TargetFrameworkNetDesktop472)' or '$(TargetFramework)' == '$(TargetFrameworkNetStandard)'">
     <DefineConstants>$(DefineConstants);SUPPORTS_OTEL;</DefineConstants>