MSAL 4.76 release op + script to move rows from PublicAPI (#5441)

* MSAL 4.75 release op + script to move rows from PublicAPI

* 1

* 2

* Update CHANGELOG.md

* fix

---------

Co-authored-by: Gladwin Johnson <[email protected]>

Author: bgavrilMS

CHANGELOG.md

@@ -1,3 +1,16 @@
+4.76.0
+======
+
+### New Features
+* Removal of `ExperimentalFeatures` flag on `WithMtlsProofOfPossession` API
+* Add Service Fabric token revocation support
+* Adding WithExtraBodyParameters api
+* Enable mTLS Proof‑of‑Possession for Client‑Assertion Delegates
+
+### Bug Fixes
+* #5400 Fixing issue that leads to multiple active access tokens in the cache for non-tenanted oidc authority 
+* Update NativeInterop package version to 0.19.4 
+
 4.74.1
 ======
 

LibsAndSamples.sln

@@ -46,6 +46,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "all", "all", "{C44AADC0-1E9
 		.editorconfig = .editorconfig
 		.gitattributes = .gitattributes
 		.gitignore = .gitignore
+		CHANGELOG.md = CHANGELOG.md
 		build\CodeCoverage.runsettings = build\CodeCoverage.runsettings
 		build\credscan-exclusion.json = build\credscan-exclusion.json
 		Directory.Build.props = Directory.Build.props

eng/Move-PublicAPI.ps1

@@ -0,0 +1,112 @@
+param(
+    [Parameter(Mandatory = $false)]
+    [string]$Root,
+
+    [switch]$DryRun
+)
+
+<#!
+.SYNOPSIS
+    Moves all APIs from PublicAPI.Unshipped.txt files into the corresponding PublicAPI.Shipped.txt files.
+
+.DESCRIPTION
+    This script scans the repository for files named "PublicAPI.Unshipped.txt" and, for each one found,
+    appends its content to the sibling "PublicAPI.Shipped.txt" file and then clears the unshipped file.
+
+    Run this script every time a release is made to move unshipped API entries to the shipped list.
+
+.PARAMETER Root
+    Optional. The root directory to scan. Defaults to the repository root (one level above the script's folder).
+
+.PARAMETER DryRun
+    Optional. If specified, the script will only report what it would do without making any changes.
+
+.EXAMPLE
+    ./Move-PublicAPI.ps1
+
+.EXAMPLE
+    ./Move-PublicAPI.ps1 -Root C:\g\msal
+
+.EXAMPLE
+    ./Move-PublicAPI.ps1 -DryRun
+#>
+
+Set-StrictMode -Version Latest
+$ErrorActionPreference = 'Stop'
+
+if (-not $PSBoundParameters.ContainsKey('Root') -or [string]::IsNullOrWhiteSpace($Root)) {
+    # Default Root to the repo root (one level above script directory)
+    $Root = (Resolve-Path (Join-Path $PSScriptRoot '..')).Path
+}
+
+Write-Host "Scanning for PublicAPI.Unshipped.txt under: $Root"
+
+# Find all PublicAPI.Unshipped.txt files
+$unshippedFiles = Get-ChildItem -LiteralPath $Root -Recurse -File -Filter 'PublicAPI.Unshipped.txt' -ErrorAction Stop
+
+if (-not $unshippedFiles -or $unshippedFiles.Count -eq 0) {
+    Write-Host 'No PublicAPI.Unshipped.txt files found. Nothing to do.'
+    return
+}
+
+$updatedCount = 0
+
+foreach ($unshipped in $unshippedFiles) {
+    $unshippedPath = $unshipped.FullName
+    $shippedPath = Join-Path $unshipped.DirectoryName 'PublicAPI.Shipped.txt'
+
+    # Read unshipped content
+    $unshippedContent = Get-Content -LiteralPath $unshippedPath -Raw -ErrorAction Stop
+
+    if ([string]::IsNullOrWhiteSpace($unshippedContent)) {
+        Write-Host "Skipping (empty): $unshippedPath"
+        continue
+    }
+
+    # Ensure shipped file exists
+    if (-not (Test-Path -LiteralPath $shippedPath)) {
+        if ($DryRun) {
+            Write-Host "Would create missing shipped file: $shippedPath"
+        }
+        else {
+            New-Item -ItemType File -Path $shippedPath -Force | Out-Null
+        }
+    }
+
+    # Read existing shipped content if any
+    $existingShipped = ''
+    if (Test-Path -LiteralPath $shippedPath) {
+        $existingShipped = Get-Content -LiteralPath $shippedPath -Raw -ErrorAction Stop
+    }
+
+    # Prepare content to append with reasonable separation
+    $toAppend = $unshippedContent.TrimEnd("`r", "`n")
+
+    if (-not [string]::IsNullOrEmpty($existingShipped)) {
+        # Ensure at least one blank line separation between existing shipped content and new additions
+        $needsTrailingNewLine = -not $existingShipped.EndsWith("`n")
+        $separator = if ($needsTrailingNewLine) { "`r`n`r`n" } else { "`r`n" }
+        $toAppend = $separator + $toAppend + "`r`n"
+    }
+    else {
+        # If shipped is empty, just ensure the appended content ends with a newline
+        $toAppend = $toAppend + "`r`n"
+    }
+
+    if ($DryRun) {
+        $movedLines = ($unshippedContent -split "(`r`n|`n|`r)").Where({ $_ -ne '' }).Count
+        Write-Host "Would move $movedLines line(s) from: $unshippedPath"`n"              to: $shippedPath"
+        continue
+    }
+
+    # Append to shipped and clear unshipped
+    Add-Content -LiteralPath $shippedPath -Value $toAppend -Encoding UTF8
+
+    # Clear the unshipped file (leave file present but empty)
+    Set-Content -LiteralPath $unshippedPath -Value '' -NoNewline -Encoding UTF8
+
+    $updatedCount++
+    Write-Host "Moved content from: $unshippedPath"`n"               to: $shippedPath"
+}
+
+Write-Host "Done. Files updated: $updatedCount"

src/client/Microsoft.Identity.Client/PublicApi/net462/PublicAPI.Shipped.txt

@@ -1067,3 +1067,12 @@ Microsoft.Identity.Client.AuthenticationResult.SpaAuthCode.set -> void
 Microsoft.Identity.Client.AuthenticationResult.TenantId.set -> void
 Microsoft.Identity.Client.AuthenticationResult.TokenType.set -> void
 Microsoft.Identity.Client.AuthenticationResult.UniqueId.set -> void
+const Microsoft.Identity.Client.MsalError.InvalidClientAssertion = "invalid_client_assertion" -> string
+Microsoft.Identity.Client.ClientSignedAssertion
+Microsoft.Identity.Client.ClientSignedAssertion.Assertion.get -> string
+Microsoft.Identity.Client.ClientSignedAssertion.Assertion.set -> void
+Microsoft.Identity.Client.ClientSignedAssertion.ClientSignedAssertion() -> void
+Microsoft.Identity.Client.ClientSignedAssertion.TokenBindingCertificate.get -> System.Security.Cryptography.X509Certificates.X509Certificate2
+Microsoft.Identity.Client.ClientSignedAssertion.TokenBindingCertificate.set -> void
+Microsoft.Identity.Client.ConfidentialClientApplicationBuilder.WithClientAssertion(System.Func<Microsoft.Identity.Client.AssertionRequestOptions, System.Threading.CancellationToken, System.Threading.Tasks.Task<Microsoft.Identity.Client.ClientSignedAssertion>> clientSignedAssertionProvider) -> Microsoft.Identity.Client.ConfidentialClientApplicationBuilder
+static Microsoft.Identity.Client.Extensibility.AcquireTokenForClientBuilderExtensions.WithExtraBodyParameters(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, System.Collections.Generic.Dictionary<string, System.Func<System.Threading.CancellationToken, System.Threading.Tasks.Task<string>>> extrabodyparams) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder

src/client/Microsoft.Identity.Client/PublicApi/net462/PublicAPI.Unshipped.txt

@@ -1,9 +0,0 @@
-const Microsoft.Identity.Client.MsalError.InvalidClientAssertion = "invalid_client_assertion" -> string
-Microsoft.Identity.Client.ClientSignedAssertion
-Microsoft.Identity.Client.ClientSignedAssertion.Assertion.get -> string
-Microsoft.Identity.Client.ClientSignedAssertion.Assertion.set -> void
-Microsoft.Identity.Client.ClientSignedAssertion.ClientSignedAssertion() -> void
-Microsoft.Identity.Client.ClientSignedAssertion.TokenBindingCertificate.get -> System.Security.Cryptography.X509Certificates.X509Certificate2
-Microsoft.Identity.Client.ClientSignedAssertion.TokenBindingCertificate.set -> void
-Microsoft.Identity.Client.ConfidentialClientApplicationBuilder.WithClientAssertion(System.Func<Microsoft.Identity.Client.AssertionRequestOptions, System.Threading.CancellationToken, System.Threading.Tasks.Task<Microsoft.Identity.Client.ClientSignedAssertion>> clientSignedAssertionProvider) -> Microsoft.Identity.Client.ConfidentialClientApplicationBuilder
-static Microsoft.Identity.Client.Extensibility.AcquireTokenForClientBuilderExtensions.WithExtraBodyParameters(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, System.Collections.Generic.Dictionary<string, System.Func<System.Threading.CancellationToken, System.Threading.Tasks.Task<string>>> extrabodyparams) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder

src/client/Microsoft.Identity.Client/PublicApi/net472/PublicAPI.Shipped.txt

@@ -1067,3 +1067,12 @@ Microsoft.Identity.Client.AuthenticationResult.SpaAuthCode.set -> void
 Microsoft.Identity.Client.AuthenticationResult.TenantId.set -> void
 Microsoft.Identity.Client.AuthenticationResult.TokenType.set -> void
 Microsoft.Identity.Client.AuthenticationResult.UniqueId.set -> void
+const Microsoft.Identity.Client.MsalError.InvalidClientAssertion = "invalid_client_assertion" -> string
+Microsoft.Identity.Client.ClientSignedAssertion
+Microsoft.Identity.Client.ClientSignedAssertion.Assertion.get -> string
+Microsoft.Identity.Client.ClientSignedAssertion.Assertion.set -> void
+Microsoft.Identity.Client.ClientSignedAssertion.ClientSignedAssertion() -> void
+Microsoft.Identity.Client.ClientSignedAssertion.TokenBindingCertificate.get -> System.Security.Cryptography.X509Certificates.X509Certificate2
+Microsoft.Identity.Client.ClientSignedAssertion.TokenBindingCertificate.set -> void
+Microsoft.Identity.Client.ConfidentialClientApplicationBuilder.WithClientAssertion(System.Func<Microsoft.Identity.Client.AssertionRequestOptions, System.Threading.CancellationToken, System.Threading.Tasks.Task<Microsoft.Identity.Client.ClientSignedAssertion>> clientSignedAssertionProvider) -> Microsoft.Identity.Client.ConfidentialClientApplicationBuilder
+static Microsoft.Identity.Client.Extensibility.AcquireTokenForClientBuilderExtensions.WithExtraBodyParameters(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, System.Collections.Generic.Dictionary<string, System.Func<System.Threading.CancellationToken, System.Threading.Tasks.Task<string>>> extrabodyparams) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder

src/client/Microsoft.Identity.Client/PublicApi/net472/PublicAPI.Unshipped.txt

@@ -1,9 +0,0 @@
-const Microsoft.Identity.Client.MsalError.InvalidClientAssertion = "invalid_client_assertion" -> string
-Microsoft.Identity.Client.ClientSignedAssertion
-Microsoft.Identity.Client.ClientSignedAssertion.Assertion.get -> string
-Microsoft.Identity.Client.ClientSignedAssertion.Assertion.set -> void
-Microsoft.Identity.Client.ClientSignedAssertion.ClientSignedAssertion() -> void
-Microsoft.Identity.Client.ClientSignedAssertion.TokenBindingCertificate.get -> System.Security.Cryptography.X509Certificates.X509Certificate2
-Microsoft.Identity.Client.ClientSignedAssertion.TokenBindingCertificate.set -> void
-Microsoft.Identity.Client.ConfidentialClientApplicationBuilder.WithClientAssertion(System.Func<Microsoft.Identity.Client.AssertionRequestOptions, System.Threading.CancellationToken, System.Threading.Tasks.Task<Microsoft.Identity.Client.ClientSignedAssertion>> clientSignedAssertionProvider) -> Microsoft.Identity.Client.ConfidentialClientApplicationBuilder
-static Microsoft.Identity.Client.Extensibility.AcquireTokenForClientBuilderExtensions.WithExtraBodyParameters(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, System.Collections.Generic.Dictionary<string, System.Func<System.Threading.CancellationToken, System.Threading.Tasks.Task<string>>> extrabodyparams) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder

src/client/Microsoft.Identity.Client/PublicApi/net8.0-android/PublicAPI.Shipped.txt

@@ -1033,3 +1033,12 @@ Microsoft.Identity.Client.AuthenticationResult.SpaAuthCode.set -> void
 Microsoft.Identity.Client.AuthenticationResult.TenantId.set -> void
 Microsoft.Identity.Client.AuthenticationResult.TokenType.set -> void
 Microsoft.Identity.Client.AuthenticationResult.UniqueId.set -> void
+const Microsoft.Identity.Client.MsalError.InvalidClientAssertion = "invalid_client_assertion" -> string
+Microsoft.Identity.Client.ClientSignedAssertion
+Microsoft.Identity.Client.ClientSignedAssertion.Assertion.get -> string
+Microsoft.Identity.Client.ClientSignedAssertion.Assertion.set -> void
+Microsoft.Identity.Client.ClientSignedAssertion.ClientSignedAssertion() -> void
+Microsoft.Identity.Client.ClientSignedAssertion.TokenBindingCertificate.get -> System.Security.Cryptography.X509Certificates.X509Certificate2
+Microsoft.Identity.Client.ClientSignedAssertion.TokenBindingCertificate.set -> void
+Microsoft.Identity.Client.ConfidentialClientApplicationBuilder.WithClientAssertion(System.Func<Microsoft.Identity.Client.AssertionRequestOptions, System.Threading.CancellationToken, System.Threading.Tasks.Task<Microsoft.Identity.Client.ClientSignedAssertion>> clientSignedAssertionProvider) -> Microsoft.Identity.Client.ConfidentialClientApplicationBuilder
+static Microsoft.Identity.Client.Extensibility.AcquireTokenForClientBuilderExtensions.WithExtraBodyParameters(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, System.Collections.Generic.Dictionary<string, System.Func<System.Threading.CancellationToken, System.Threading.Tasks.Task<string>>> extrabodyparams) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder

src/client/Microsoft.Identity.Client/PublicApi/net8.0-android/PublicAPI.Unshipped.txt

@@ -1,9 +0,0 @@
-const Microsoft.Identity.Client.MsalError.InvalidClientAssertion = "invalid_client_assertion" -> string
-Microsoft.Identity.Client.ClientSignedAssertion
-Microsoft.Identity.Client.ClientSignedAssertion.Assertion.get -> string
-Microsoft.Identity.Client.ClientSignedAssertion.Assertion.set -> void
-Microsoft.Identity.Client.ClientSignedAssertion.ClientSignedAssertion() -> void
-Microsoft.Identity.Client.ClientSignedAssertion.TokenBindingCertificate.get -> System.Security.Cryptography.X509Certificates.X509Certificate2
-Microsoft.Identity.Client.ClientSignedAssertion.TokenBindingCertificate.set -> void
-Microsoft.Identity.Client.ConfidentialClientApplicationBuilder.WithClientAssertion(System.Func<Microsoft.Identity.Client.AssertionRequestOptions, System.Threading.CancellationToken, System.Threading.Tasks.Task<Microsoft.Identity.Client.ClientSignedAssertion>> clientSignedAssertionProvider) -> Microsoft.Identity.Client.ConfidentialClientApplicationBuilder
-static Microsoft.Identity.Client.Extensibility.AcquireTokenForClientBuilderExtensions.WithExtraBodyParameters(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, System.Collections.Generic.Dictionary<string, System.Func<System.Threading.CancellationToken, System.Threading.Tasks.Task<string>>> extrabodyparams) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder

src/client/Microsoft.Identity.Client/PublicApi/net8.0-ios/PublicAPI.Shipped.txt

@@ -1035,3 +1035,12 @@ Microsoft.Identity.Client.AuthenticationResult.SpaAuthCode.set -> void
 Microsoft.Identity.Client.AuthenticationResult.TenantId.set -> void
 Microsoft.Identity.Client.AuthenticationResult.TokenType.set -> void
 Microsoft.Identity.Client.AuthenticationResult.UniqueId.set -> void
+const Microsoft.Identity.Client.MsalError.InvalidClientAssertion = "invalid_client_assertion" -> string
+Microsoft.Identity.Client.ClientSignedAssertion
+Microsoft.Identity.Client.ClientSignedAssertion.Assertion.get -> string
+Microsoft.Identity.Client.ClientSignedAssertion.Assertion.set -> void
+Microsoft.Identity.Client.ClientSignedAssertion.ClientSignedAssertion() -> void
+Microsoft.Identity.Client.ClientSignedAssertion.TokenBindingCertificate.get -> System.Security.Cryptography.X509Certificates.X509Certificate2
+Microsoft.Identity.Client.ClientSignedAssertion.TokenBindingCertificate.set -> void
+Microsoft.Identity.Client.ConfidentialClientApplicationBuilder.WithClientAssertion(System.Func<Microsoft.Identity.Client.AssertionRequestOptions, System.Threading.CancellationToken, System.Threading.Tasks.Task<Microsoft.Identity.Client.ClientSignedAssertion>> clientSignedAssertionProvider) -> Microsoft.Identity.Client.ConfidentialClientApplicationBuilder
+static Microsoft.Identity.Client.Extensibility.AcquireTokenForClientBuilderExtensions.WithExtraBodyParameters(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, System.Collections.Generic.Dictionary<string, System.Func<System.Threading.CancellationToken, System.Threading.Tasks.Task<string>>> extrabodyparams) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder