Added support for WithArributeTokens

[4gust]

Added support for WithAttributeTokens for CCA acquisition methods

This pull request adds support for specifying attribute tokens in token acquisition requests across multiple authentication flows in the Microsoft Identity Client library. It introduces new WithAttributeTokens methods to the parameter builders for authorization code, client credentials, and on-behalf-of flows, allowing developers to include custom attribute tokens in requests via the attribute_tokens parameter.

The most important changes include:

New API Surface:

• Added WithAttributeTokens(IEnumerable<string> attributeTokens) methods to AcquireTokenByAuthorizationCodeParameterBuilder, AcquireTokenForClientParameterBuilder, and AcquireTokenOnBehalfOfParameterBuilder, enabling the inclusion of attribute tokens in token requests. These methods validate input, join the tokens, and add them to the request body. [1] [2] [3]

• Updated the public API files for all supported frameworks to register the new WithAttributeTokens methods, ensuring they are part of the public API surface.

OAuth2 Parameter Support:

• Added a new constant AttributeTokens to the OAuth2Parameter class for use as the key in the request body parameter.

Fixes #

Testing
Unit test added.

[Copilot]

Pull request overview

Adds support for sending attribute_tokens on confidential-client token requests (auth code, client credentials, and OBO) via new WithAttributeTokens(...) builder APIs, updates the public API baselines, and introduces unit tests validating request-body behavior and (for client credentials) cache partitioning.

Changes:

• Added WithAttributeTokens(IEnumerable<string>) to auth code, client credentials, and OBO parameter builders.
• Introduced OAuth2Parameter.AttributeTokens constant ("attribute_tokens").
• Updated PublicAPI Unshipped baselines across TFMs and added new unit tests.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
tests/Microsoft.Identity.Test.Unit/PublicApiTests/WithAttributeTokensTests.cs	Adds unit coverage for WithAttributeTokens formatting, null validation, and client-credentials caching behavior.
src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenByAuthorizationCodeParameterBuilder.cs	Adds auth-code builder API to attach attribute_tokens to the token request body.
src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs	Adds client-credentials builder API to attach attribute_tokens (via extra body params).
src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenOnBehalfOfParameterBuilder.cs	Adds OBO builder API to attach attribute_tokens to the token request body.
src/client/Microsoft.Identity.Client/OAuth2/OAuthConstants.cs	Adds OAuth2Parameter.AttributeTokens constant.
src/client/Microsoft.Identity.Client/PublicApi/*/PublicAPI.Unshipped.txt	Registers new public API methods for all supported TFMs.

[Copilot]

There are tests verifying request-body formatting and cache-key partitioning for client-credentials, but nothing validating cache behavior for OBO (which does read from cache by default). Add a unit test that makes two OBO requests with the same scopes/assertion but different attribute tokens and asserts the second does not return a cache hit (and that two distinct AT entries are stored).

[Copilot]

AcquireTokenOnBehalfOf looks up access tokens in the cache before sending the token request, but WithAttributeTokens only adds attribute_tokens to the request body. This means requests with different attribute tokens can incorrectly hit the same cached access token and return a token minted for a different set of attribute tokens. Add the joined attribute tokens to the request cache key components as well (e.g., via WithAdditionalCacheKeyComponents).

[Copilot]

The XML docs say WithAttributeTokens throws when attributeTokens is null or contains no elements, but the implementation only checks for null. Passing an empty enumerable results in attribute_tokens being set to an empty string. Either validate non-empty input (and ideally non-null/non-whitespace tokens) or adjust the documentation/behavior.

[Copilot]

The XML docs say WithAttributeTokens throws when attributeTokens is null or contains no elements, but the implementation only checks for null. An empty enumerable will result in attribute_tokens being sent as an empty string. Either validate non-empty input (and ideally non-null/non-whitespace tokens) or adjust the docs/behavior.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 8 comments.

[Copilot]

Null checks in new code should use pattern matching (attributeTokens is null) per repo guidelines (avoid == null).

Suggested change

	if (attributeTokens == null)
	if (attributeTokens is null)

[Copilot]

WithAttributeTokens currently only checks for null, but the XML docs say it throws when the sequence is null or contains no elements. As implemented, an empty sequence results in an empty attribute_tokens value being sent (and tokens that are null/whitespace can produce extra spaces). Validate that there is at least one non-empty token (and trim/filter as needed) or update the XML docs to match the actual behavior.

[Copilot]

The null check uses attributeTokens == null, but repo guidelines prefer pattern matching (attributeTokens is null) for null checks. Please update this (and any similar new checks) for consistency.

Suggested change

	if (attributeTokens == null)
	if (attributeTokens is null)

[Copilot]

This new file includes using System.Net.Http; but all HttpMethod usage is fully-qualified (System.Net.Http.HttpMethod.Post), so the using is unused and will generate warnings in builds with analyzers enabled. Remove the unused using or use the imported type consistently.

Suggested change

using System.Net.Http;

[Copilot]

WithAttributeTokens adds attribute_tokens to the request body, but it does not add it to CommonParameters.CacheKeyComponents. Because MSAL filters cached access tokens by additional key components, tokens acquired with different attribute tokens can be mixed in cache. Add attribute_tokens as an additional cache key component (similar to other cache-key-sensitive parameters).

[Copilot]

Like the auth-code builder, this adds attribute_tokens to the body but does not add it to CommonParameters.CacheKeyComponents. This can cause cached tokens for different attribute tokens to be treated as equivalent. Add attribute_tokens as an additional cache key component so cache lookups are correctly partitioned.

Suggested change

	CommonParameters.CacheKeyComponents.Add(
	new KeyValuePair<string, string>(OAuth2Parameter.AttributeTokens, joinedTokens));

[Copilot]

The OnBeforeTokenRequest handler is async but only awaits Task.CompletedTask, which is redundant. Return Task.CompletedTask directly to avoid an unnecessary async state machine allocation.

Suggested change

	this.OnBeforeTokenRequest(async (data) =>
	{
	data.BodyParameters.Add(OAuth2Parameter.AttributeTokens, joinedTokens);
	await Task.CompletedTask.ConfigureAwait(false);
	this.OnBeforeTokenRequest((data) =>
	{
	data.BodyParameters.Add(OAuth2Parameter.AttributeTokens, joinedTokens);
	return Task.CompletedTask;

[Copilot]

Null checks in new code should use pattern matching (attributeTokens is null) per repo guidelines (avoid == null).

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

[Copilot]

WithAttributeTokens currently only adds attribute_tokens to CacheKeyComponents and never adds it to the token request body. As written, no attribute_tokens form parameter will be sent despite the XML doc stating it will. Consider using the same pattern as WithAttributes (e.g., hook OnBeforeTokenRequest / WithExtraBodyParameters) so the parameter is actually included in the POST body (and kept in the cache key).

Suggested change

	// Ensure attribute_tokens is also sent as a form parameter in the token request body.
	if (CommonParameters.ExtraBodyParameters == null)
	{
	CommonParameters.ExtraBodyParameters = new Dictionary<string, string>();
	}
	CommonParameters.ExtraBodyParameters[OAuth2Parameter.AttributeTokens] = joinedTokens;

[Copilot]

This method enumerates attributeTokens once to check for any items and then enumerates it again in string.Join. If the caller passes a single-use enumerable (or an expensive iterator), the join can produce incorrect results or incur unnecessary work. Buffer the tokens into a list/array once and validate/count based on that collection.

[bgavrilMS]

Should this be added to the base class ?

[bgavrilMS]

There is a lot of duplicate code between these methods. In fact all 3 implemenations are different and 2 of them are wrong.

[bgavrilMS]

MSAL should be tollerant to null arguments. Just no-op. This provides a better dev ex.

[4gust]

updated

[bgavrilMS]

Will there be enough logging if we go with this approach?

[bgavrilMS]

Too much code duplication. No token caching.

[Copilot]

Pull request overview

Copilot reviewed 13 out of 13 changed files in this pull request and generated 10 comments.

[Copilot]

PublicAPI.Unshipped.txt includes API entries that already exist in PublicAPI.Shipped.txt (e.g., AcquireTokenByUserFederatedIdentityCredential*). Unshipped files should only contain newly introduced APIs; please remove the duplicated shipped entries and keep only the new WithAttributeTokens lines.

Suggested change

	Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder
	Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder.WithForceRefresh(bool forceRefresh) -> Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder
	Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder.WithSendX5C(bool withSendX5C) -> Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder
	Microsoft.Identity.Client.IByUserFederatedIdentityCredential
	Microsoft.Identity.Client.IByUserFederatedIdentityCredential.AcquireTokenByUserFederatedIdentityCredential(System.Collections.Generic.IEnumerable<string> scopes, string username, string assertion) -> Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder

[Copilot]

PublicAPI.Unshipped.txt includes API entries that already exist in PublicAPI.Shipped.txt (e.g., AcquireTokenByUserFederatedIdentityCredential*). Unshipped files should only contain newly introduced APIs; please remove the duplicated shipped entries and keep only the new WithAttributeTokens lines.

Suggested change

	Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder
	Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder.WithForceRefresh(bool forceRefresh) -> Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder
	Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder.WithSendX5C(bool withSendX5C) -> Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder
	Microsoft.Identity.Client.IByUserFederatedIdentityCredential
	Microsoft.Identity.Client.IByUserFederatedIdentityCredential.AcquireTokenByUserFederatedIdentityCredential(System.Collections.Generic.IEnumerable<string> scopes, string username, string assertion) -> Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder

[Copilot]

PublicAPI.Unshipped.txt includes API entries that already exist in PublicAPI.Shipped.txt (e.g., AcquireTokenByUserFederatedIdentityCredential*). Unshipped files should only contain newly introduced APIs; please remove the duplicated shipped entries and keep only the new WithAttributeTokens lines.

Suggested change

	Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder
	Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder.WithForceRefresh(bool forceRefresh) -> Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder
	Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder.WithSendX5C(bool withSendX5C) -> Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder
	Microsoft.Identity.Client.IByUserFederatedIdentityCredential
	Microsoft.Identity.Client.IByUserFederatedIdentityCredential.AcquireTokenByUserFederatedIdentityCredential(System.Collections.Generic.IEnumerable<string> scopes, string username, string assertion) -> Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder

[Copilot]

PublicAPI.Unshipped.txt includes API entries that already exist in PublicAPI.Shipped.txt (e.g., AcquireTokenByUserFederatedIdentityCredential*). Unshipped files should only contain newly introduced APIs; please remove the duplicated shipped entries and keep only the new WithAttributeTokens lines.

Suggested change

	Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder
	Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder.WithForceRefresh(bool forceRefresh) -> Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder
	Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder.WithSendX5C(bool withSendX5C) -> Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder
	Microsoft.Identity.Client.IByUserFederatedIdentityCredential
	Microsoft.Identity.Client.IByUserFederatedIdentityCredential.AcquireTokenByUserFederatedIdentityCredential(System.Collections.Generic.IEnumerable<string> scopes, string username, string assertion) -> Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder

[Copilot]

PublicAPI.Unshipped.txt includes API entries that already exist in PublicAPI.Shipped.txt (e.g., AcquireTokenByUserFederatedIdentityCredential*). Unshipped files should only contain newly introduced APIs; please remove the duplicated shipped entries and keep only the new WithAttributeTokens lines.

Suggested change

	Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder
	Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder.WithForceRefresh(bool forceRefresh) -> Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder
	Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder.WithSendX5C(bool withSendX5C) -> Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder
	Microsoft.Identity.Client.IByUserFederatedIdentityCredential
	Microsoft.Identity.Client.IByUserFederatedIdentityCredential.AcquireTokenByUserFederatedIdentityCredential(System.Collections.Generic.IEnumerable<string> scopes, string username, string assertion) -> Microsoft.Identity.Client.AcquireTokenByUserFederatedIdentityCredentialParameterBuilder

[Copilot]

WithAttributeTokensInternal adds attribute_tokens to WithAdditionalCacheKeyComponents(...). For user token flows like AcquireTokenByAuthorizationCode, this will cache access tokens under an extended cache key, but AcquireTokenSilent has no way to specify the same cache-key components. If a user ends up with both a “normal” token and an “attribute_tokens” token for the same account+scopes, silent cache lookup will see multiple candidates and throw MultipleTokensMatchedError. Consider either (1) adding a corresponding WithAttributeTokens API to AcquireTokenSilent (so callers can disambiguate) or (2) not including attribute_tokens in additional cache key components for flows that rely on AcquireTokenSilent.

[4gust]

@copilot apply changes based on this feedback

[Copilot]

Pull request overview

Copilot reviewed 13 out of 13 changed files in this pull request and generated 6 comments.

[Copilot]

The ArgumentException message includes the (trimmed) attribute token value. Since these are called "tokens" they may be sensitive; embedding them in exception messages risks leaking secrets/PII via logs/telemetry. Prefer a generic message (optionally include the index/count) and avoid echoing the token value.

Suggested change

	foreach (string token in attributeTokens)
	{
	if (!string.IsNullOrWhiteSpace(token))
	{
	string trimmed = token.Trim();
	if (trimmed.IndexOfAny(new[] { ' ', '\t', '\n', '\r' }) >= 0)
	{
	throw new ArgumentException(
	$"Attribute tokens must not contain whitespace. Invalid token: '{trimmed}'",
	int tokenIndex = -1;
	foreach (string token in attributeTokens)
	{
	tokenIndex++;
	if (!string.IsNullOrWhiteSpace(token))
	{
	string trimmed = token.Trim();
	if (trimmed.IndexOfAny(new[] { ' ', '\t', '\n', '\r' }) >= 0)
	{
	throw new ArgumentException(
	$"Attribute tokens must not contain whitespace. Invalid token index: {tokenIndex}.",

[Copilot]

Whitespace validation only checks for ' ', '\t', '\n', '\r'. This does not cover all Unicode whitespace characters (e.g., non‑breaking space), so tokens containing other whitespace will slip through despite the docs saying "must not contain whitespace". Consider using char.IsWhiteSpace-based validation to enforce the contract consistently.

Suggested change

	if (trimmed.IndexOfAny(new[] { ' ', '\t', '\n', '\r' }) >= 0)
	if (trimmed.Any(char.IsWhiteSpace))

[Copilot]

WithAttributeTokensInternal adds attribute_tokens into CacheKeyComponents via WithExtraBodyParametersInternal, which stores access tokens with AdditionalCacheKeyComponents. Callers that later acquire tokens without specifying attribute tokens (e.g., AcquireTokenSilent, or an OBO call without WithAttributeTokens) will not set requestParams.CacheKeyComponents, so cache lookup will not filter by these components and can throw multiple_matching_tokens_detected if both token variants exist for the same account/scopes. To avoid this, either (1) add a corresponding WithAttributeTokens API to AcquireTokenSilentParameterBuilder (so callers can disambiguate), or (2) avoid partitioning user-flow tokens by attribute_tokens via additional cache key components and handle it another way (e.g., request-body-only, or a different cache strategy).

Suggested change

	var extraBodyParams = new Dictionary<string, Func<CancellationToken, Task<string>>>
	{
	{ OAuth2Parameter.AttributeTokens, _ => Task.FromResult(joinedTokens) }
	};
	builder.WithExtraBodyParametersInternal(extraBodyParams);
	builder.CommonParameters.ExtraBodyParameters ??= new Dictionary<string, Func<CancellationToken, Task<string>>>();
	builder.CommonParameters.ExtraBodyParameters[OAuth2Parameter.AttributeTokens] = _ => Task.FromResult(joinedTokens);

[Copilot]

These "Null_NoOp" tests set ExpectedPostData to an empty dictionary, which doesn't assert that attribute_tokens is actually absent (the mock only checks presence of expected keys). Consider also setting UnExpectedPostData for OAuth2Parameter.AttributeTokens to ensure WithAttributeTokens(null) truly behaves as a no-op.

Suggested change

	ExpectedPostData = new Dictionary<string, string>()
	ExpectedPostData = new Dictionary<string, string>(),
	UnExpectedPostData = new Dictionary<string, string>()
	{
	{ OAuth2Parameter.AttributeTokens, null }
	}

[Copilot]

This assertion expects the exception message to contain the invalid token value ("invalid token"). If the token value is sensitive, tests should not enforce echoing it in exception messages. Prefer asserting on a stable, non-sensitive part of the message (and/or the parameter name) instead.

Suggested change

Assert.Contains("invalid token", ex.Message);

[Copilot]

Same as the OBO null test: using an empty ExpectedPostData doesn't verify that attribute_tokens is not sent. Add UnExpectedPostData for OAuth2Parameter.AttributeTokens (or otherwise assert absence) so the test fails if the parameter is accidentally included.

Suggested change

	ExpectedPostData = new Dictionary<string, string>()
	ExpectedPostData = new Dictionary<string, string>(),
	UnExpectedPostData = new Dictionary<string, string>()
	{
	{ OAuth2Parameter.AttributeTokens, null }
	}