- Added StoreWithSubjectName credential source. See PR #245.
If you build code with the .NET 10 target framework and get this error:
error CS9260: Feature 'extensions' is not available in C# 13.0. Please use language version 14.0 or greater.
make sure you update the LangVersion property in your project to 14 or later.
Made CredentialDescription AOT-compatible for .NET 10+ by using C# 14 extension properties. This is a binary breaking change (though source compatible) for .NET 10+ targets:
- Removes Certificate and CachedValue as public properties from CredentialDescription when targeting .NET 10+
- Adds extension properties with the same names and signatures for .NET 10+, providing property-style access
- Maintains full source compatibility - no code changes required for consumers provided the .NET 10 code is built with C# 14 or later.
- Prevents AOT/NativeAOT configuration binding issues with reference-typed properties
- Keeps existing behavior for older target frameworks (netstandard2.0, netstandard2.1, net462, net8.0, net9.0)
Technical details:
- For .NET 10+: Certificate and CachedValue are implemented as extension properties (not visible to config binders)
- For older TFMs: Certificate and CachedValue remain as regular public properties
- LangVersion updated to 14 to enable C# 14 extension property syntax
- Internal accessor methods (GetCertificateInternal, SetCertificateInternal, etc.) support extension properties
This enhancement ensures CredentialDescription works seamlessly in AOT/NativeAOT compilation scenarios while maintaining backward compatibility.
- Make CredentialDescription AOT-compatible via C# 14 extension properties (v11.0.0). See PR #238.
- Invalidate _cachedId in all property setters that affect Id computation. See PR #240.
- Add codebase navigation guides and architecture decision records. See PR #241.
Rename IAuthorizationHeaderProvider2 to BoundAuthorizationHeaderProvider. This interface extends IAuthorizationHeaderProvider to create authorization headers with a token which is optionally bound to a certificate (for mTLS Pop). For details, see PR #232
In practice, it's unlikely that this breaking change affects anybody as the renamed interface was new in 9.6.0, and not yet used to the team's knowledge.
- Added new authorization header provider interface IAuthorizationHeaderProvider2 supporting token return with binding certificate, expanding certificate-based authentication scenarios. For details, see PR #223 and PR #228.
- In the ID property of CredentialDescription, renamed ClientSecret to RedactedClientSecret to be more precise about what this is. For details, see PR #224.
- Added "Thumbprint" to the ID property in CredentialDescription, enhancing traceability for credentials. For details, see PR #212.
- Updated support to .NET 10 GA, ensuring compatibility and access to latest platform features. For details, see PR #226.
- Upgraded GitHub Actions workflows to v5 for both checkout and setup-dotnet, improving CI reliability and consistency. For details, see PR #222.
- Synchronized README.md diagrams with the current public API surface to keep documentation up to date. See PR #220.
- Fixed tests affected by recent internal changes. See PR #221.
- Expand Authorization header to support binding certificate for mTLS scenarios. For details, see #209.
- Migrate repository agent rules from .clinerules to agents.md. For details, see #206
- Update to .NET 10 RC 1 (10.0.100-rc.1.25451.107) with explicit SDK version.
- Updated GitHub Actions workflow to use explicit .NET 10 RC 1 SDK version instead of wildcard
- Updated Azure DevOps pipeline template to use explicit .NET 10 RC 1 SDK version
- Verified compatibility with .NET 10 RC 1 breaking changes
- Add AdditionalResponseParameters and BindingCertificate to AcquireTokenResult. For details see PR 203
- Add conditional targeting for NET 10. See PR 202
- Add enum value for managed certificate in SourceType. For details, see PR 204
Thanks to @tlupes, who made their first contribution in #204.
Added a new interface IAuthenticationSchemeInformationProvider to get the effective authentication scheme corresponding to an option name, depending on the platform. For details, see PR #200
- OperationResult and OperationError abstractions: Introduced a new OperationResult<TResult, TError> struct and OperationError base class. These provide a discriminated union for representing either a result or an error, improving error handling and propagation. See implementation in src/Microsoft.Identity.Abstractions/Results/OperationResult.cs and OperationError.cs.
- DownstreamApiOptions extensibility: Added two new properties to DownstreamApiOptions:
  - ExtraHeaderParameters (IDictionary<string, string>?): Set extra headers in HTTP requests to downstream APIs.
  - ExtraQueryParameters (IDictionary<string, string>?): Set extra query parameters in HTTP requests to downstream APIs.
  This enables more flexible API calls and improved integration scenarios.
- Development guidelines and Copilot integration:
  - Introduced .clinerules/abstractions-guidelines.md, .clinerules/csharp-guidelines.md, .clinerules/ai-guidelines.md, and .github/copilot-instructions.md to formalize and document development, AI assistant, and C# code standards for contributors and tooling.
  - Solution file and README updated to reference these guidelines.
- Analyzer and dependency updates:
  - Bumped analyzer versions in Directory.Build.props for better static analysis (BannedApiAnalyzers and MicrosoftCodeAnalysisPublicApiAnalyzers updated from 3.3.4 to 4.14.0).
- Add a new generic IAuthorizationHeaderProvider to have the possibility of returning authorization header and metadata or error instead of throwing. For details see #172
- Add Algorithm property to CredentialDescription to describe signing credentials. For details see #182
- Adding serializer for CredentialDescription in .NET 8+. See #176
- Add dev container to work in Code Spaces. See PR #175
- Adding a doc about CredentialDescription. See PR #181
- Fixing AoT warnings: part 1 - non breaking. See PR #187
- update Readme.md to explain the support policy for the library and the notion of LTS. See PRs 171, 183, , 185
- Added a new class named MicrosoftEntraApplicationOptions inheriting from IdentityApplicationOptions and from which MicrosoftIdentityApplicationOptions inherits. Moved the EntraID specific properties related to web APIs from MicrosoftIdentityApplicationOptions to MicrosoftEntraApplicationOptions. MicrosoftIdentityApplicationOptions now only contains the properties related to web apps and B2C. See #165 for details.
- Added a Name property in MicrosoftEntraApplicationOptions to allow for dynamic discovery of ASP.NET Core authentication schemes / named options. See #168 for details.
- Changed the way the ID property is computed in ClientCredentials. All sensitive data is also now replaced by a hash. See #163 for details.
- Added XML comments with recommendations on which CredentialSource not to use in production. See #167 for details.
- To support Federated Managed Identities a new parameter FmiPath was added to AcquireTokenOptions. See #161 for details.
- To support certain Federation identity cases, you need to add an additional parameter called TokenExchangeAuthority. This parameter is necessary when the issuer (the entity that issues the token) for the token exchange URL is different from the application's issuer. See #155 for details.
- Added a new interface ICustomSignedAssertionProvider for implementing custom signed assertion providers. This interface includes a Name property for configuration-friendly naming. See issue #153 for details.
- Added extensibility to the CredentialDescription class to support custom signed assertion providers. This includes new properties CustomSignedAssertionProviderName and CustomSignedAssertionProviderData. See issue #146 for details.
- Removed the Container and ValueOrReference from the public API of CredentialDescription. They were technical debt used for compatibility with Microsoft.Identity.Web 1.x, no longer necessary. See PR #151 for details.
Id property in CredentialDescription was derived from secret values, primarily affecting logging (information level) of credential attempts in Microsoft.Identity.Web. It doesn't affect higher log levels because if the failure occurs, it indicates that a credential description has both a credential source that can fail (e.g., certificate) and the ClientSecret property set, which is not a typical scenario. See issue #147 for details.
- Add AppHomeTenantId to MicrosoftIdentityApplicationOptions to allow multi-tenant applications to specify the AppHomeTenantId to be used for client credentials. See PR #142 and Id Web for details.
- Add support for internal Microsoft services for token acquisition extensibility. See issue #135 for details.
- Add publicAPI, bannedAPI and Async analyzers. See issue #136 for details.
- Fix compiler warnings. See issue #137 for details.
- Extends the 'IDownstreamApi' interface to include overrides with JsonTypeInfo<T> parameters for source generated JSON serialization. See PR for details.
- Updates the 'IAuthorizationHeaderProvider' interface to include a new method 'GetAuthorizationHeaderAsync'. See issue #130 for details.
- Added two new properties AcceptHeader and ContentType to DownstreamApiOptions class. See issue #123 for details.
- Fix file path for xml comment. See issue #117 for details.
- Added a TokenExchangeUrl to the CredentialDescription class.
- Created a new ManagedIdentityOptions class.
- Added a 'ManagedIdentity' property to the AcquireTokenOptions class. See #115 for details.
- Introduce a unique identifier for a CredentialDescription object. See PR for details.
- Change AuthorizationHeaderProviderOptions to use a string instead of HttpMethod. See PR for details. This is a breaking change, but shouldn't affect you if you are using the configuration.
- Add integrated API compatibility. See PR for details.
- New Id property on CredentialDescription. See PR for details
- Use Assembly Reference instead of PackageReference. See PR for details.
- Add RequiresUnreferencedCode attribute to IDownstreamApi and IDownstreamApiHttpMethods. See #82 for details.
- Add ExtraQueryParameters to AcquireTokenOptions. See PR for details.
- Re-add support for net462.
- Rename JwtClaim to PopClaim in AcquireTokenOptions. See issue #74 for details.
- Remove support for net462.
- Support a credential description for auto decrypt keys. See issue #65 for details.
- Add JwtClaim to AcquireTokenOptions. See issue #67 for details.
- Rename CallAsync to CallApiAsync
- Rename DownstreamRestApi to DownstreamApi.
- Fixes 54
- Releasing non-preview version
- New property TokenType on AcquireTokenResult.
- ApplicationAuthenticationOptions renamed to IdentityApplicationOptions, and MicrosoftAuthenticationOptions to MicrosoftIdentityApplicationOptions
- Removed ITokenAcquirerFactory.GetTokenAcquirer(string authority, string clientId, System.Collections.Generic.IEnumerable clientCredentials, string? region), as the same is doable with GetTokenAcquirer(IdentityApplicationOptions identityApplicationOptions)
- Added helpers to IDownstreamRestApi for each of the Http methods.
- Split DownstreamRestApiOptions into AuthorizationHeaderProviderOptions (now used in IAuthorizationHeaderProvider), and DownstreamRestApiOptions, which adds the scopes. A new derived class DownstreamRestApiOptionsReadOnlyHttpMethod enables a better developer experience in the IDownstreamWebApi methods whose names start with an HttpMethod (no confusion and no risk of changing the HTTP method in the delegate)
- Adding extensibility for credentials: see #30
- Remove param from Interface.
- CorrelationId should be a string and not a GUID. See issue for details.
- Rename AuthenticationOptions to ApplicationAuthenticationOptions.
- Remove the default region.
Initial release of Microsoft.Identity.Abstractions, which brings interfaces and POCO classes used in all the Microsoft .NET authentication libraries provided by Identity and Network Access (IDNA). See ReadME.md for details.