@@ -1272,168 +1272,160 @@ private void NotifyCertificateSelection(
12721272 MergedOptions mergedOptions ,
12731273 ClaimsPrincipal ? userHint )
12741274 {
1275- try
1276- {
1277- // In web API, validatedToken will not be null
1278- SecurityToken ? validatedToken = userHint ? . GetBootstrapToken ( ) ?? _tokenAcquisitionHost . GetTokenUsedToCallWebAPI ( ) ;
1275+ // In web API, validatedToken will not be null
1276+ SecurityToken ? validatedToken = userHint ? . GetBootstrapToken ( ) ?? _tokenAcquisitionHost . GetTokenUsedToCallWebAPI ( ) ;
12791277
1280- // In the case the token is a JWE (encrypted token), we use the decrypted token.
1281- string ? tokenUsedToCallTheWebApi = GetActualToken ( validatedToken ) ;
1282- string ? originalTokenToCallWebApi = tokenUsedToCallTheWebApi ;
1278+ // In the case the token is a JWE (encrypted token), we use the decrypted token.
1279+ string ? tokenUsedToCallTheWebApi = GetActualToken ( validatedToken ) ;
1280+ string ? originalTokenToCallWebApi = tokenUsedToCallTheWebApi ;
12831281
1284- AcquireTokenOnBehalfOfParameterBuilder ? builder = null ;
1285- TokenAcquisitionExtensionOptions ? addInOptions = tokenAcquisitionExtensionOptionsMonitor ? . CurrentValue ;
1282+ AcquireTokenOnBehalfOfParameterBuilder ? builder = null ;
1283+ TokenAcquisitionExtensionOptions ? addInOptions = tokenAcquisitionExtensionOptionsMonitor ? . CurrentValue ;
12861284
1287- // Case of web APIs: we need to do an on-behalf-of flow, with the token used to call the API
1288- if ( tokenUsedToCallTheWebApi != null )
1285+ // Case of web APIs: we need to do an on-behalf-of flow, with the token used to call the API
1286+ if ( tokenUsedToCallTheWebApi != null )
1287+ {
1288+ if ( addInOptions != null && addInOptions . InvokeOnBeforeOnBehalfOfInitializedAsync != null )
12891289 {
1290- if ( addInOptions != null && addInOptions . InvokeOnBeforeOnBehalfOfInitializedAsync != null )
1290+ var oboInitEventArgs = new OnBehalfOfEventArgs
12911291 {
1292- var oboInitEventArgs = new OnBehalfOfEventArgs
1293- {
1294- UserAssertionToken = tokenUsedToCallTheWebApi ,
1295- User = userHint
1296- } ;
1297- await addInOptions . InvokeOnBeforeOnBehalfOfInitializedAsync ( oboInitEventArgs ) . ConfigureAwait ( false ) ;
1298-
1299- if ( oboInitEventArgs . UserAssertionToken != null )
1300- {
1301- tokenUsedToCallTheWebApi = oboInitEventArgs . UserAssertionToken ;
1302- }
1303- }
1292+ UserAssertionToken = tokenUsedToCallTheWebApi ,
1293+ User = userHint
1294+ } ;
1295+ await addInOptions . InvokeOnBeforeOnBehalfOfInitializedAsync ( oboInitEventArgs ) . ConfigureAwait ( false ) ;
13041296
1305- if ( string . IsNullOrEmpty ( tokenAcquisitionOptions ? . LongRunningWebApiSessionKey ) )
1297+ if ( oboInitEventArgs . UserAssertionToken != null )
13061298 {
1307- builder = application
1308- . AcquireTokenOnBehalfOf (
1309- scopes . Except ( _scopesRequestedByMsal ) ,
1310- new UserAssertion ( tokenUsedToCallTheWebApi ) ) ;
1299+ tokenUsedToCallTheWebApi = oboInitEventArgs . UserAssertionToken ;
13111300 }
1312- else
1313- {
1314- string ? sessionKey = tokenAcquisitionOptions ! . LongRunningWebApiSessionKey ;
1315- if ( sessionKey == Abstractions . AcquireTokenOptions . LongRunningWebApiSessionKeyAuto )
1316- {
1317- sessionKey = null ;
1318- }
1301+ }
13191302
1320- builder = ( application as ILongRunningWebApi ) ?
1321- . InitiateLongRunningProcessInWebApi (
1322- scopes . Except ( _scopesRequestedByMsal ) ,
1323- tokenUsedToCallTheWebApi ,
1324- ref sessionKey ) ;
1325- tokenAcquisitionOptions . LongRunningWebApiSessionKey = sessionKey ;
1326- }
1303+ if ( string . IsNullOrEmpty ( tokenAcquisitionOptions ? . LongRunningWebApiSessionKey ) )
1304+ {
1305+ builder = application
1306+ . AcquireTokenOnBehalfOf (
1307+ scopes . Except ( _scopesRequestedByMsal ) ,
1308+ new UserAssertion ( tokenUsedToCallTheWebApi ) ) ;
13271309 }
1328- else if ( ! string . IsNullOrEmpty ( tokenAcquisitionOptions ? . LongRunningWebApiSessionKey ) )
1310+ else
13291311 {
1330- string sessionKey = tokenAcquisitionOptions ! . LongRunningWebApiSessionKey ! ;
1312+ string ? sessionKey = tokenAcquisitionOptions ! . LongRunningWebApiSessionKey ;
1313+ if ( sessionKey == Abstractions . AcquireTokenOptions . LongRunningWebApiSessionKeyAuto )
1314+ {
1315+ sessionKey = null ;
1316+ }
1317+
13311318 builder = ( application as ILongRunningWebApi ) ?
1332- . AcquireTokenInLongRunningProcess (
1319+ . InitiateLongRunningProcessInWebApi (
13331320 scopes . Except ( _scopesRequestedByMsal ) ,
1334- sessionKey ) ;
1321+ tokenUsedToCallTheWebApi ,
1322+ ref sessionKey ) ;
1323+ tokenAcquisitionOptions . LongRunningWebApiSessionKey = sessionKey ;
13351324 }
1325+ }
1326+ else if ( ! string . IsNullOrEmpty ( tokenAcquisitionOptions ? . LongRunningWebApiSessionKey ) )
1327+ {
1328+ string sessionKey = tokenAcquisitionOptions ! . LongRunningWebApiSessionKey ! ;
1329+ builder = ( application as ILongRunningWebApi ) ?
1330+ . AcquireTokenInLongRunningProcess (
1331+ scopes . Except ( _scopesRequestedByMsal ) ,
1332+ sessionKey ) ;
1333+ }
13361334
1337- if ( builder != null )
1338- {
1339- builder . WithSendX5C ( mergedOptions . SendX5C ) ;
1335+ if ( builder != null )
1336+ {
1337+ builder . WithSendX5C ( mergedOptions . SendX5C ) ;
13401338
1341- ClaimsPrincipal ? userForCcsRouting = _tokenAcquisitionHost . GetUserFromRequest ( ) ;
1342- var userTenant = string . Empty ;
1343- if ( userForCcsRouting != null )
1344- {
1345- userTenant = userForCcsRouting . GetTenantId ( ) ;
1346- builder . WithCcsRoutingHint ( userForCcsRouting . GetObjectId ( ) , userTenant ) ;
1347- }
1348- if ( ! string . IsNullOrEmpty ( tenantId ) )
1339+ ClaimsPrincipal ? userForCcsRouting = _tokenAcquisitionHost . GetUserFromRequest ( ) ;
1340+ var userTenant = string . Empty ;
1341+ if ( userForCcsRouting != null )
1342+ {
1343+ userTenant = userForCcsRouting . GetTenantId ( ) ;
1344+ builder . WithCcsRoutingHint ( userForCcsRouting . GetObjectId ( ) , userTenant ) ;
1345+ }
1346+ if ( ! string . IsNullOrEmpty ( tenantId ) )
1347+ {
1348+ builder . WithTenantId ( tenantId ) ;
1349+ }
1350+ else
1351+ {
1352+ if ( ! string . IsNullOrEmpty ( userTenant ) )
13491353 {
1350- builder . WithTenantId ( tenantId ) ;
1354+ builder . WithTenantId ( userTenant ) ;
13511355 }
1352- else
1356+ }
1357+ if ( tokenAcquisitionOptions != null )
1358+ {
1359+ if ( addInOptions != null && addInOptions . InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync != null )
13531360 {
1354- if ( ! string . IsNullOrEmpty ( userTenant ) )
1361+ var eventArgs = new OnBehalfOfEventArgs
13551362 {
1356- builder . WithTenantId ( userTenant ) ;
1357- }
1363+ User = userHint ,
1364+ UserAssertionToken = originalTokenToCallWebApi
1365+ } ;
1366+
1367+ await addInOptions . InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync ( builder , tokenAcquisitionOptions , eventArgs ) . ConfigureAwait ( false ) ;
13581368 }
1359- if ( tokenAcquisitionOptions != null )
1360- {
1361- if ( addInOptions != null && addInOptions . InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync != null )
1362- {
1363- var eventArgs = new OnBehalfOfEventArgs
1364- {
1365- User = userHint ,
1366- UserAssertionToken = originalTokenToCallWebApi
1367- } ;
13681369
1369- await addInOptions . InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync ( builder , tokenAcquisitionOptions , eventArgs ) . ConfigureAwait ( false ) ;
1370- }
1370+ AddFmiPathForSignedAssertionIfNeeded ( tokenAcquisitionOptions , builder ) ;
13711371
1372- AddFmiPathForSignedAssertionIfNeeded ( tokenAcquisitionOptions , builder ) ;
1372+ var dict = MergeExtraQueryParameters ( mergedOptions , tokenAcquisitionOptions ) ;
1373+ if ( dict != null )
1374+ {
1375+ const string assertionConstant = "assertion" ;
1376+ const string subAssertionConstant = "sub_assertion" ;
13731377
1374- var dict = MergeExtraQueryParameters ( mergedOptions , tokenAcquisitionOptions ) ;
1375- if ( dict != null )
1378+ // Special case when the OBO inbound token is composite (for instance PFT)
1379+ if ( dict . ContainsKey ( assertionConstant ) && dict . ContainsKey ( subAssertionConstant ) )
13761380 {
1377- const string assertionConstant = "assertion" ;
1378- const string subAssertionConstant = "sub_assertion" ;
1379-
1380- // Special case when the OBO inbound token is composite (for instance PFT)
1381- if ( dict . ContainsKey ( assertionConstant ) && dict . ContainsKey ( subAssertionConstant ) )
1382- {
1383- string assertion = dict [ assertionConstant ] . value ;
1384- string subAssertion = dict [ subAssertionConstant ] . value ;
1381+ string assertion = dict [ assertionConstant ] . value ;
1382+ string subAssertion = dict [ subAssertionConstant ] . value ;
13851383
1386- // Check assertion and sub_assertion passed from merging extra query parameters to ensure they do not contain unsupported character(s).
1387- CheckAssertionsForInjectionAttempt ( assertion , subAssertion ) ;
1384+ // Check assertion and sub_assertion passed from merging extra query parameters to ensure they do not contain unsupported character(s).
1385+ CheckAssertionsForInjectionAttempt ( assertion , subAssertion ) ;
13881386
1389- builder . OnBeforeTokenRequest ( ( data ) =>
1390- {
1391- // Replace the assertion and adds sub_assertion with the values from the extra query parameters
1392- data . BodyParameters [ assertionConstant ] = assertion ;
1393- data . BodyParameters . Add ( subAssertionConstant , subAssertion ) ;
1394- return Task . CompletedTask ;
1395- } ) ;
1396-
1397- // Remove the assertion and sub_assertion from the extra query parameters
1398- // as they are already handled as body parameters.
1399- dict . Remove ( assertionConstant ) ;
1400- dict . Remove ( subAssertionConstant ) ;
1401- }
1402-
1403- builder . WithExtraQueryParameters ( dict ) ;
1404- }
1405- if ( tokenAcquisitionOptions . ExtraHeadersParameters != null )
1406- {
1407- builder . WithExtraHttpHeaders ( tokenAcquisitionOptions . ExtraHeadersParameters ) ;
1408- }
1409- if ( tokenAcquisitionOptions . CorrelationId != null )
1410- {
1411- builder . WithCorrelationId ( tokenAcquisitionOptions . CorrelationId . Value ) ;
1412- }
1413- builder . WithForceRefresh ( tokenAcquisitionOptions . ForceRefresh ) ;
1414- builder . WithClaims ( tokenAcquisitionOptions . Claims ) ;
1415- var clientClaims = GetClientClaimsIfExist ( tokenAcquisitionOptions ) ;
1416- if ( clientClaims != null )
1417- {
1418- builder . WithExtraClientAssertionClaims ( clientClaims ) ;
1419- }
1420- if ( tokenAcquisitionOptions . PoPConfiguration != null )
1421- {
1422- builder . WithSignedHttpRequestProofOfPossession ( tokenAcquisitionOptions . PoPConfiguration ) ;
1387+ builder . OnBeforeTokenRequest ( ( data ) =>
1388+ {
1389+ // Replace the assertion and adds sub_assertion with the values from the extra query parameters
1390+ data . BodyParameters [ assertionConstant ] = assertion ;
1391+ data . BodyParameters . Add ( subAssertionConstant , subAssertion ) ;
1392+ return Task . CompletedTask ;
1393+ } ) ;
1394+
1395+ // Remove the assertion and sub_assertion from the extra query parameters
1396+ // as they are already handled as body parameters.
1397+ dict . Remove ( assertionConstant ) ;
1398+ dict . Remove ( subAssertionConstant ) ;
14231399 }
1424- }
14251400
1426- return await builder . ExecuteAsync ( tokenAcquisitionOptions != null ? tokenAcquisitionOptions . CancellationToken : CancellationToken . None )
1427- . ConfigureAwait ( false ) ;
1401+ builder . WithExtraQueryParameters ( dict ) ;
1402+ }
1403+ if ( tokenAcquisitionOptions . ExtraHeadersParameters != null )
1404+ {
1405+ builder . WithExtraHttpHeaders ( tokenAcquisitionOptions . ExtraHeadersParameters ) ;
1406+ }
1407+ if ( tokenAcquisitionOptions . CorrelationId != null )
1408+ {
1409+ builder . WithCorrelationId ( tokenAcquisitionOptions . CorrelationId . Value ) ;
1410+ }
1411+ builder . WithForceRefresh ( tokenAcquisitionOptions . ForceRefresh ) ;
1412+ builder . WithClaims ( tokenAcquisitionOptions . Claims ) ;
1413+ var clientClaims = GetClientClaimsIfExist ( tokenAcquisitionOptions ) ;
1414+ if ( clientClaims != null )
1415+ {
1416+ builder . WithExtraClientAssertionClaims ( clientClaims ) ;
1417+ }
1418+ if ( tokenAcquisitionOptions . PoPConfiguration != null )
1419+ {
1420+ builder . WithSignedHttpRequestProofOfPossession ( tokenAcquisitionOptions . PoPConfiguration ) ;
1421+ }
14281422 }
14291423
1430- return null ;
1431- }
1432- catch ( MsalUiRequiredException )
1433- {
1434- // MsalUiRequiredException is already logged by MSAL. Re-logging here would produce duplicates.
1435- throw ;
1424+ return await builder . ExecuteAsync ( tokenAcquisitionOptions != null ? tokenAcquisitionOptions . CancellationToken : CancellationToken . None )
1425+ . ConfigureAwait ( false ) ;
14361426 }
1427+
1428+ return null ;
14371429 }
14381430
14391431 /// <summary>
0 commit comments