Skip to content

Commit 4cb3ff3

Browse files
committed
Merge branch 'fix/3528-duplicate-msaluirequired-log' of https://github.com/armin-azar/microsoft-identity-web into fix/3528-duplicate-msaluirequired-log
2 parents aabadf3 + 7d2abae commit 4cb3ff3

36 files changed

Lines changed: 1771 additions & 89 deletions

Directory.Build.props

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44
<!-- This needs to be greater than or equal to the validation baseline version. The conditional logic around TargetNetNext is there
55
to avoid NU5104 for packing a release version library with prerelease deps. By adding preview to it, that warning is avoided.
66
-->
7-
<MicrosoftIdentityWebVersion Condition="'$(MicrosoftIdentityWebVersion)' == ''">4.12.1</MicrosoftIdentityWebVersion>
7+
<MicrosoftIdentityWebVersion Condition="'$(MicrosoftIdentityWebVersion)' == ''">4.12.2</MicrosoftIdentityWebVersion>
88
<!--This will generate AssemblyVersion, AssemblyFileVersion and AssemblyInformationVersion-->
99
<Version>$(MicrosoftIdentityWebVersion)</Version>
1010
<EnablePackageValidation>true</EnablePackageValidation>

azure-pipelines.yml

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,11 +9,25 @@ pr:
99

1010
jobs:
1111
- job: "PR_build"
12+
variables:
13+
# Load the LabAuth client certificate from the local certificate store
14+
# (installed into LocalMachine/My by template-install-dependencies.yaml)
15+
# instead of the msidlabs KeyVault. Microsoft-hosted agents have no managed
16+
# identity that can read the KeyVault, so DefaultAzureCredential would fail.
17+
# The official OneBranch/Wilson pipeline does not set this and keeps using
18+
# the KeyVault source.
19+
UseLabAuthCertFromStore: true
1220
pool:
1321
vmImage: 'windows-2022'
1422
demands:
1523
- msbuild
1624
- visualstudio
1725
steps:
1826
- template: build/template-install-dependencies.yaml
27+
- template: build/template-build.yaml
1928
- template: build/template-run-unit-tests.yaml
29+
parameters:
30+
# Exclude managed-identity E2E tests: they require an MI assigned to the
31+
# host (IMDS), which Microsoft-hosted agents do not have. They still run in
32+
# the official OneBranch pipeline on VM-based agents that have the MI.
33+
e2eTestFilterCriteria: 'Category!=MI_E2E'

build/template-build.yaml

Lines changed: 55 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,55 @@
1+
# template-build.yaml
2+
# Restore and build the solution so that the test assemblies exist before
3+
# the VSTest steps run. This is required on Microsoft-hosted (ephemeral)
4+
# agents, which start from a clean workspace with no pre-built output.
5+
6+
steps:
7+
# On ADO agents (TF_BUILD=true) the OWIN project pins Microsoft.IdentityModel
8+
# WsFederation/Saml to 5.7.1, which is only published to the internal IDDP
9+
# Azure Artifacts feed (not nuget.org). Route restore exclusively through IDDP,
10+
# which upstreams nuget.org for all other packages. Credentials are provided by
11+
# the NuGetAuthenticate@1 task that runs earlier in
12+
# template-install-dependencies.yaml. This mirrors
13+
# build/template-restore-build-MSIdentityWeb.yaml.
14+
- powershell: |
15+
$configFile = "$(Build.SourcesDirectory)/NuGet.Config"
16+
$iddpUrl = "https://identitydivision.pkgs.visualstudio.com/_packaging/IDDP/nuget/v3/index.json"
17+
18+
Write-Host "Existing NuGet sources:"
19+
dotnet nuget list source
20+
21+
# Remove the public nuget.org source so restore uses IDDP (with upstream) only.
22+
$existingSources = dotnet nuget list source --format Short
23+
if ($existingSources -match [regex]::Escape("https://api.nuget.org/v3/index.json")) {
24+
Write-Host "Removing public nuget.org source..."
25+
dotnet nuget remove source NuGet --configfile $configFile
26+
if (-not $?) { Write-Error "Failed to remove nuget.org source."; exit 1 }
27+
}
28+
29+
# Add the internal IDDP source if not already present.
30+
$existingSources = dotnet nuget list source --format Short
31+
if ($existingSources -match [regex]::Escape($iddpUrl)) {
32+
Write-Host "IDDP NuGet source already present. Skipping add."
33+
} else {
34+
Write-Host "Adding IDDP NuGet source..."
35+
dotnet nuget add source $iddpUrl -n IDDP --configfile $configFile
36+
if (-not $?) { Write-Error "Failed to add IDDP NuGet source."; exit 1 }
37+
}
38+
39+
Write-Host "Final NuGet sources:"
40+
dotnet nuget list source
41+
displayName: 'Use internal IDDP NuGet feed only'
42+
43+
- task: DotNetCoreCLI@2
44+
displayName: 'Install wasm-tools workload'
45+
inputs:
46+
command: 'custom'
47+
custom: 'workload'
48+
arguments: 'install wasm-tools'
49+
50+
- task: DotNetCoreCLI@2
51+
displayName: 'Build solution (Release)'
52+
inputs:
53+
command: 'custom'
54+
custom: 'msbuild'
55+
arguments: 'Microsoft.Identity.Web.sln -r -t:build -verbosity:m -property:Configuration=Release'

build/template-run-unit-tests.yaml

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,15 @@
11
# template-run-unit-tests.yaml
22
# Run all unit tests across the IdWeb project
33

4+
parameters:
5+
# VSTest filter applied to the E2E test run. Empty by default so every consumer
6+
# (e.g. the release build) runs the full E2E suite. The PR build passes a filter
7+
# to exclude tests that cannot run on Microsoft-hosted agents (e.g. managed
8+
# identity tests, which require an MI assigned to the host: Category!=MI_E2E).
9+
- name: e2eTestFilterCriteria
10+
type: string
11+
default: ''
12+
413
steps:
514

615
- task: VSTest@2
@@ -38,6 +47,7 @@ steps:
3847
tests\E2E Tests\TokenAcquirerTests\bin\**\TokenAcquirerTests.dll
3948
tests\E2E Tests\NET 7 tests\IntegrationTests\bin\**\IntegrationTests.dll
4049
searchFolder: '$(System.DefaultWorkingDirectory)'
50+
testFiltercriteria: '${{ parameters.e2eTestFilterCriteria }}'
4151
rerunFailedTests: true
4252
rerunMaxAttempts: '3'
4353
runInParallel: false

changelog.md

Lines changed: 35 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,43 @@
1+
## 4.12.2
2+
3+
### Bug fixes
4+
- Make the `Microsoft.Identity.Client.KeyAttestation` dependency conditional on modern .NET (`.NETCoreApp`) targets. It transitively pulls the native-only `Microsoft.Azure.Security.KeyGuardAttestation` package, which ships no .NET Framework/netstandard-compatible assets and broke NuGet restore for .NET Framework (packages.config) projects. `Microsoft.Identity.Web.Certificateless` now multi-targets, and .NET Framework consumers use the `netstandard2.0` asset without this dependency. See [#3894](https://github.com/AzureAD/microsoft-identity-web/issues/3894).
5+
6+
## 4.12.1
7+
8+
### Bug fixes
9+
- Preserve `ManagedIdentity` when converting `AcquireTokenOptions` to `TokenAcquisitionOptions` in `TokenAcquirer`. Previously the `ITokenAcquirer.GetTokenForAppAsync` / `GetTokenForUserAsync` paths silently dropped `ManagedIdentity` and fell back to the confidential-client path, breaking managed-identity mTLS PoP (e.g. MISE Native). See [#3914](https://github.com/AzureAD/microsoft-identity-web/pull/3914).
10+
11+
### Behavior changes
12+
- **Sidecar: outbound HTTP redirects suppressed by default.** The sidecar no longer follows outbound HTTP redirects; a new opt-in `Sidecar:AllowOutboundRedirects` flag (default `false`) restores the previous behavior. See [#3906](https://github.com/AzureAD/microsoft-identity-web/pull/3906).
13+
- **Sidecar: per-request isolation of downstream API options.** Downstream API options resolved from the singleton `IOptionsMonitor` are now cloned per request (including fresh `ExtraParameters` / `ExtraHeaderParameters` / `ExtraQueryParameters` dictionaries), preventing request-scoped values from leaking across requests or racing under concurrency. See [#3919](https://github.com/AzureAD/microsoft-identity-web/pull/3919).
14+
15+
### Fundamentals
16+
- Build the solution in the PR pipeline before running tests. See [#3911](https://github.com/AzureAD/microsoft-identity-web/pull/3911).
17+
- Restore OWIN 5.7.1 packages from the internal IDDP feed in the PR pipeline. See [#3912](https://github.com/AzureAD/microsoft-identity-web/pull/3912).
18+
- Run the PR pipeline on the Wilson pool so integration/E2E tests can access the lab KeyVault. See [#3913](https://github.com/AzureAD/microsoft-identity-web/pull/3913).
19+
120
## 4.12.0
221

322
### New features
4-
- Implement `IAuthorizationHeaderProvider2` (from `Microsoft.Identity.Abstractions` 12.3.0) on `DefaultAuthorizationHeaderProvider` and the public `BaseAuthorizationHeaderProvider`, exposing the metadata-rich `CreateAuthorizationHeaderInformation*` surface (returning `OperationResult<AuthorizationHeaderInformation, AuthorizationHeaderError>`) with binding-certificate propagation. `DownstreamApi` and `MicrosoftIdentityMessageHandler` now prefer `IAuthorizationHeaderProvider2` for mTLS PoP and soft-deprecate the bound-only `IBoundAuthorizationHeaderProvider` path (kept as a fallback for source/binary compatibility).
23+
- Implement `IAuthorizationHeaderProvider2` (from `Microsoft.Identity.Abstractions` 12.3.0) on `DefaultAuthorizationHeaderProvider` and the public `BaseAuthorizationHeaderProvider`, consolidating all header-creation paths through a single `BuildHeaderInformationAsync` engine and propagating `TokenAcquisitionMetadata` / `AdditionalResponseParameters` onto `AuthorizationHeaderInformation`. `DownstreamApi` and `MicrosoftIdentityMessageHandler` now prefer `IAuthorizationHeaderProvider2` for mTLS PoP. See [#3899](https://github.com/AzureAD/microsoft-identity-web/pull/3899).
24+
25+
### Bug fixes
26+
- Flow the finalized `DownstreamApi` request (headers, query parameters, content, and customizations) to the authorization header provider before the header is created, so request-binding (mTLS PoP / SHR) providers sign the same request state that is sent on the wire. The `Authorization` header is still added after signing. See [#3902](https://github.com/AzureAD/microsoft-identity-web/pull/3902).
27+
28+
### Behavior changes
29+
- **Sidecar: loopback-only access.** Sidecar endpoints are now restricted to loopback callers. See [#3897](https://github.com/AzureAD/microsoft-identity-web/pull/3897).
530

631
### Dependencies updates
7-
- Update `Microsoft.Identity.Abstractions` to 12.3.0.
32+
- Update `Microsoft.Identity.Abstractions` to 12.4.0 and populate the new `TokenAcquisitionMetadata.ExpiresOn` property from MSAL's `AuthenticationResult.ExpiresOn`. See [#3905](https://github.com/AzureAD/microsoft-identity-web/pull/3905).
33+
- Update `Microsoft.Identity.Abstractions` to 12.3.0. See [#3899](https://github.com/AzureAD/microsoft-identity-web/pull/3899).
34+
- Bump `Microsoft.Identity.Client` (MSAL.NET) and `Microsoft.Identity.Client.KeyAttestation` from 4.85.1 to 4.85.2. See [#3896](https://github.com/AzureAD/microsoft-identity-web/pull/3896).
35+
- Upgrade `Microsoft.IdentityModel.Protocols.WsFederation` from 5.5.0 to 5.7.1 for OWIN. See [#3900](https://github.com/AzureAD/microsoft-identity-web/pull/3900).
36+
37+
### Fundamentals
38+
- Post-release housekeeping: move unshipped Public API entries to `PublicAPI.Shipped.txt` for `Microsoft.Identity.Web.TokenAcquisition`. See [#3907](https://github.com/AzureAD/microsoft-identity-web/pull/3907).
39+
- Remove the unused `ConfidentialClientKeyVaultUri` test constant (LabVaultAccessCert cleanup). See [#3898](https://github.com/AzureAD/microsoft-identity-web/pull/3898).
40+
- Use the Microsoft-hosted `windows-2022` pool for the PR pipeline. See [#3908](https://github.com/AzureAD/microsoft-identity-web/pull/3908).
841

942
## 4.11.0
1043

0 commit comments

Comments
 (0)