Added support for WithAttributeTokens #5888

Merged
4gust merged 28 commits into main from 4gust/with-attr-token, Apr 30, 2026
Conversation

@4gust 4gust (Contributor) commented Mar 26, 2026

Added support for WithAttributeTokens for CCA acquisition methods

This pull request adds support for specifying attribute tokens in token acquisition requests across multiple authentication flows in the Microsoft Identity Client library. It introduces new WithAttributeTokens methods to the parameter builders for authorization code, client credentials, and on-behalf-of flows, allowing developers to include custom attribute tokens in requests via the attribute_tokens parameter.

The most important changes include:

New API Surface:

  • Added WithAttributeTokens(IEnumerable<string> attributeTokens) methods to AcquireTokenByAuthorizationCodeParameterBuilder, AcquireTokenForClientParameterBuilder, and AcquireTokenOnBehalfOfParameterBuilder, enabling the inclusion of attribute tokens in token requests. These methods validate input, join the tokens, and add them to the request body.

  • Updated the public API files for all supported frameworks to register the new WithAttributeTokens methods, ensuring they are part of the public API surface.

OAuth2 Parameter Support:

  • Added a new constant AttributeTokens to the OAuth2Parameter class for use as the key in the request body parameter.

Fixes #

Testing
Unit test added.

@4gust 4gust requested a review from a team as a code owner March 26, 2026 15:18
Copilot AI review requested due to automatic review settings March 26, 2026 15:18
Copilot AI (Contributor) left a comment

Pull request overview

Adds support for sending attribute_tokens on confidential-client token requests (auth code, client credentials, and OBO) via new WithAttributeTokens(...) builder APIs, updates the public API baselines, and introduces unit tests validating request-body behavior and (for client credentials) cache partitioning.

Changes:

  • Added WithAttributeTokens(IEnumerable<string>) to auth code, client credentials, and OBO parameter builders.
  • Introduced OAuth2Parameter.AttributeTokens constant ("attribute_tokens").
  • Updated PublicAPI Unshipped baselines across TFMs and added new unit tests.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 8 comments.

File: Description

  • tests/Microsoft.Identity.Test.Unit/PublicApiTests/WithAttributeTokensTests.cs: Adds unit coverage for WithAttributeTokens formatting, null validation, and client-credentials caching behavior.
  • src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenByAuthorizationCodeParameterBuilder.cs: Adds auth-code builder API to attach attribute_tokens to the token request body.
  • src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs: Adds client-credentials builder API to attach attribute_tokens (via extra body params).
  • src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenOnBehalfOfParameterBuilder.cs: Adds OBO builder API to attach attribute_tokens to the token request body.
  • src/client/Microsoft.Identity.Client/OAuth2/OAuthConstants.cs: Adds OAuth2Parameter.AttributeTokens constant.
  • src/client/Microsoft.Identity.Client/PublicApi/*/PublicAPI.Unshipped.txt: Registers new public API methods for all supported TFMs.

…ehalfOfParameterBuilder.cs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 26, 2026 15:38
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 26, 2026 15:46
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 8 comments.

Comment thread tests/Microsoft.Identity.Test.Unit/PublicApiTests/WithAttributeTokensTests.cs Outdated
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

@bgavrilMS bgavrilMS (Member) left a comment

Too much code duplication. No token caching.

Copilot AI review requested due to automatic review settings April 8, 2026 06:57
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 13 out of 13 changed files in this pull request and generated 10 comments.

Comment thread src/client/Microsoft.Identity.Client/PublicApi/net8.0/PublicAPI.Unshipped.txt Outdated
Comment thread src/client/Microsoft.Identity.Client/PublicApi/net8.0-ios/PublicAPI.Unshipped.txt Outdated
Comment thread src/client/Microsoft.Identity.Client/PublicApi/net472/PublicAPI.Unshipped.txt Outdated
Comment thread src/client/Microsoft.Identity.Client/PublicApi/net462/PublicAPI.Unshipped.txt Outdated
@Robbie-Microsoft (Contributor)

OBO cache-partition limitation is undocumented in the API

The test WithAttributeTokens_OnBehalfOf_SentInRequestBody_Async includes a comment acknowledging that for OBO flows, different attribute-token sets may not coexist side-by-side in the same user token cache partition — meaning a call with tokens {X,Y} can silently evict the cached entry for {A,B}.

This is a significant behavioral footgun that isn't mentioned anywhere in the public XML docs for WithAttributeTokens. Callers expecting per-set cache isolation in OBO flows will be silently broken. The doc should at minimum warn that OBO cache isolation per attribute-token set is not guaranteed and that callers needing strict isolation should use separate ConfidentialClientApplication instances.
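
The cache-partition concern in the comment above, as an added illustration that is not code from this PR or from MSAL.NET: a toy cache in C# comparing a partition key built from the user assertion alone with one that also covers the attribute-token set. All type names, method names and values are hypothetical or constructed, and the model assumes a cached token is only reused for the exact set it was issued for.

```csharp
// Added illustration: a toy cache model, not MSAL.NET's cache code.
// Every type, method and value below is hypothetical or constructed.
using System;
using System.Collections.Generic;
using System.Linq;

static class AttributeTokenCacheDemo
{
    const string Assertion = "constructed-user-assertion";

    // Order-insensitive, length-prefixed form so {A,B} equals {B,A}
    // and {"a","bc"} differs from {"ab","c"}.
    static string Canonical(IEnumerable<string> attrs) =>
        string.Concat(attrs.OrderBy(a => a, StringComparer.Ordinal)
                           .Select(a => a.Length + ":" + a + ";"));

    // Partition key from the user assertion only: all sets share one slot.
    static string SharedSlotKey(string assertion, string[] attrs) => assertion;

    // Partition key that also covers the attribute-token set.
    static string PerSetKey(string assertion, string[] attrs) =>
        assertion + "|" + Canonical(attrs);

    // Replays {A,B}, {X,Y}, {B,A} and counts how many requests miss the cache.
    static int TokenEndpointCalls(Func<string, string[], string> keyOf)
    {
        var cache = new Dictionary<string, (string Attrs, string Token)>();
        var requests = new[] { new[] { "A", "B" }, new[] { "X", "Y" }, new[] { "B", "A" } };
        int calls = 0;
        foreach (var attrs in requests)
        {
            string key = keyOf(Assertion, attrs);
            string canon = Canonical(attrs);
            if (cache.TryGetValue(key, out var entry) && entry.Attrs == canon)
                continue; // hit: cached token was issued for this exact set
            calls++;      // miss: go to the token endpoint
            cache[key] = (canon, "token-for-" + canon); // replaces whatever was in the slot
        }
        return calls;
    }

    static void Main()
    {
        Console.WriteLine($"shared slot: {TokenEndpointCalls(SharedSlotKey)} endpoint calls");
        Console.WriteLine($"per-set key: {TokenEndpointCalls(PerSetKey)} endpoint calls");
    }
}
```

With the shared slot every request misses because each set evicts the other; with the per-set key the third request is served from cache.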

@bgavrilMS (Member)

Does this need to be closed @4gust ?

Copilot AI review requested due to automatic review settings April 29, 2026 10:07
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated no new comments.

Copilot AI review requested due to automatic review settings April 29, 2026 16:40
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 5 comments.

@4gust 4gust (Contributor, Author) commented Apr 29, 2026

@Robbie-Microsoft Good catch, I have updated the method documentation and added a few tests. I skipped one scenario due to a bug.

I’ve opened a tracking issue here: #5963

@4gust 4gust (Contributor, Author) commented Apr 30, 2026

@copilot resolve the merge conflicts in this pull request

Copilot AI review requested due to automatic review settings April 30, 2026 08:13
@4gust 4gust review requested due to automatic review settings April 30, 2026 08:13
Copilot AI (Contributor) commented Apr 30, 2026

OBO cache-partition limitation is undocumented in the API

The test WithAttributeTokens_OnBehalfOf_SentInRequestBody_Async includes a comment acknowledging that for OBO flows, different attribut...

Added the explicit recommendation to use separate IConfidentialClientApplication instances for strict per-set cache isolation in OBO flows in commit 9e3c714. The <remarks> for OBO now reads: "Callers that require strict per-set cache isolation across different attribute-token sets should use separate IConfidentialClientApplication instances."

@copilot resolve the merge conflicts in this pull request

No merge conflicts exist in the branch — the most recent commit (8aa44f7) is already a merge commit that brought in the latest main. git diff --check and a search for conflict markers both returned clean.

Copilot AI review requested due to automatic review settings April 30, 2026 08:42
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 4 comments.

@4gust 4gust merged commit 5052e95 into main Apr 30, 2026
19 checks passed
@4gust 4gust deleted the 4gust/with-attr-token branch April 30, 2026 17:47
7 participants