Releases: AzureAD/microsoft-authentication-library-for-dotnet

4.1.0

02 Jul 13:42
e2bcfcb

New Features:

  • MSAL.NET now provides options to control the system web browser. Since MSAL.NET 4.0.0, you have been able to use interactive token acquisition with .NET Core by delegating the sign-in and consent part to the system web browser on your machine. MSAL.NET 4.1 improves this experience by letting you run a specific browser if you wish, and by letting you decide what to display to the user after a successful authentication and after a failure. More information about this feature here
  • MSAL.NET now supports ClientAssertions. In order to prove their identity, confidential client applications exchange a secret with Azure AD. MSAL.NET 4.1 adds new capabilities for this advanced scenario: in addition to .WithClientSecret() and .WithCertificate(), it now provides three new methods: .WithSignedAssertion(), .WithClientClaims() and .WithClientAdditionalClaims(). More information on this feature here

Bug Fixes:

  • When using the ConfidentialClientApplicationOptions and including, for example, Instance = "https://login.microsoftonline.com/", MSAL.NET was concatenating the double-slash. MSAL.NET will now check for a trailing slash and remove it. There is no action needed on the part of the developer. See [#1196] for details.
  • When using ADFS 2019, if no login-hint was included in the call, a null ref was thrown. See [#1214] for details.
  • On iOS, when certain older auth libraries shared the cache with MSAL.NET, there was an issue with null handling in JSON. The JSON serializer in MSAL.NET no longer writes values to JSON when they are null; this is especially important for foci_id. See [#1189] and [#1176] for details.
  • When using .WithCertificate() and /common/ as the authority in a confidential client flow, MSAL.NET was creating the aud claim of the client assertion as "https://login.microsoftonline.com/{tenantid}/v2.0". Now, MSAL.NET will honor both a tenant-specific authority and common or organizations when creating the aud claim. [#891]
  • MSAL.NET will make network calls less often when developers call GetAccountsAsync and AcquireTokenSilent. AAD maintains an instance discovery endpoint which lists environment aliases for each cloud. In order to optimize SSO, MSAL fetches this list and caches it, so MSAL has to make a network call even in simple cases like GetAccountsAsync. This improvement bypasses the need for this network call if the environments used are the standard ones. This work is tracked by MSAL issue 1174.
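
The client assertion described under New Features, and the way its aud claim follows the configured authority (the [#891] fix), can be reproduced with the following C# program. It is an added example, not MSAL.NET's own code and not part of the release notes. The class and method names, the placeholder client and tenant GUIDs, the throwaway self-signed certificate and the choice of "authority + /v2.0" as the audience (the form quoted in the note above) are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json; // .NET Core 3.0 or later

static class ClientAssertionDemo // hypothetical name; not MSAL.NET code
{
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] FromB64Url(string s) =>
        Convert.FromBase64String(s.Replace('-', '+').Replace('_', '/').PadRight((s.Length + 3) / 4 * 4, '='));

    // Assumption: aud is the configured authority plus "/v2.0", the form quoted in the fix note.
    // TrimEnd mirrors the trailing-slash fix, so the instance never produces "//".
    static string Audience(string instance, string tenant) => $"{instance.TrimEnd('/')}/{tenant}/v2.0";

    static string BuildAssertion(X509Certificate2 cert, string clientId, string audience)
    {
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        // x5t is the base64url SHA-1 thumbprint, letting the verifier select the registered key.
        string header = JsonSerializer.Serialize(new { alg = "RS256", typ = "JWT", x5t = B64Url(cert.GetCertHash()) });
        string payload = JsonSerializer.Serialize(new { aud = audience, iss = clientId, sub = clientId,
            jti = Guid.NewGuid().ToString(), nbf = now, exp = now + 600 }); // unique jti, 10-minute lifetime
        string input = B64Url(Encoding.UTF8.GetBytes(header)) + "." + B64Url(Encoding.UTF8.GetBytes(payload));
        using RSA key = cert.GetRSAPrivateKey();
        byte[] sig = key.SignData(Encoding.ASCII.GetBytes(input), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return input + "." + B64Url(sig);
    }

    static void Main()
    {
        // Constructed inputs: throwaway self-signed certificate, placeholder client id and tenant id.
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=constructed-demo", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
        using RSA pub = cert.GetRSAPublicKey();
        foreach (string tenant in new[] { "common", "00000000-0000-0000-0000-000000000001" })
        {
            string jwt = BuildAssertion(cert, "11111111-1111-1111-1111-111111111111",
                Audience("https://login.microsoftonline.com/", tenant));
            string[] p = jwt.Split('.');
            bool ok = pub.VerifyData(Encoding.ASCII.GetBytes(p[0] + "." + p[1]), FromB64Url(p[2]),
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using JsonDocument doc = JsonDocument.Parse(Encoding.UTF8.GetString(FromB64Url(p[1])));
            string aud = doc.RootElement.GetProperty("aud").GetString();
            Console.WriteLine($"aud={aud} signature-valid={ok}");
        }
    }
}
```

Decoding the payload this way is also a quick check when a token request is rejected: the aud printed for the assertion should match the authority the application was configured with.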

4.0.0

04 Jun 00:01
807d550

New Features:

  • MSAL now supports ADFS 2019. You can now connect directly to ADFS 2019. This is especially important if you intend to write an app working with Azure Stack. For more details see ADFS support
  • MSAL now provides asynchronous callbacks as part of the ITokenCache interface. See Asynchronous token cache serialization for more information, code snippets, and a link to a sample. MSAL issue 481
  • .NET Core now supports interactive authentication. Given that .NET Core does not provide a Web browser control, until MSAL.NET 4.0, the interactive token acquisition was not supported. Starting from this release, you can now use AcquireTokenInteractive with MSAL.NET. For more information and code snippets, see .NET Core now supports interactive auth. MSAL issue

Breaking Changes in 4.0.0

  • ITokenCache's responsibility is now split between ITokenCache and ITokenCacheSerializer. In order to enable the async methods you need to use to subscribe to cache events, we have rewritten the non-async ones by calling the async ones. While doing that, we split the responsibility of the ITokenCache interface between ITokenCache, which now contains the methods to subscribe to the cache serialization events, and a new interface, ITokenCacheSerializer, which exposes the methods that you need to use in the cache serialization events in order to serialize/deserialize the cache. This API is experimental and may change in future versions of the library without a major version. See more information on the impact here
  • Replace TelemetryCallback with TelemetryConfig. Until MSAL.NET 3.0.8, you could subscribe to telemetry by adding a telemetry callback .WithTelemetry(), and then sending to your telemetry pipeline of choice a list of events (which themselves were dictionaries of name, values). From MSAL.NET 4.0, if you want to add telemetry to your application, you need to create a class implementing ITelemetryConfig. MSAL.NET provides such a class (TraceTelemetryConfig) which does not send telemetry anywhere, but uses System.Trace.TraceInformation to trace the telemetry events. You could take it from there and add trace listeners to send telemetry. See Telemetry for more information and code snippets.
  • In confidential client applications, MSAL.NET was not returning a URL in the GetAuthorizationRequestUrl flow. MSAL.NET now returns a URL in both overloads of GetAuthorizationRequestUrl. MSAL issues 1193 and issue 1184

Bug Fixes:

  • In confidential client applications, MSAL.NET now sends the X5C via AcquireTokenSilent, as it does with AcquireTokenInteractive using the IClientAssertionCertificate overload. MSAL issue 1149
  • MSAL.NET now correctly handles the X509 cert on .NET Core. MSAL issue 1139
  • MSAL.NET now resolves the TeamID in the Keychain Access Group for the default configuration. Keychain sharing groups should be prefixed with the TeamID. Now, if the developer does not explicitly set the keychain access group through the WithIosKeychainSecurityGroup API, MSAL.NET will use the default "com.microsoft.adalcache", appended with the TeamID. Previously the TeamID was not included. MSAL issue 1137

3.0.8

30 Apr 05:49
bf1fa19

Bug Fixes:

  • AcquireTokenSilent sometimes ignored the tenant constraint. If the same user acquired tokens from different tenants, MSAL.NET would return an account, regardless of the tenant. MSAL.NET now returns the token based on the tenant. MSAL issue #1123
  • DeserializeMsalV3 on ITokenCache should have the option to clear the in memory cache. DeserializeMsalV3 is currently a merge operation with existing in-memory data. MSAL.NET now has the option to be able to clear the in memory state and then deserialize the content in. MSAL issue #1109

3.0.6-preview

19 Apr 20:50
1ef6f4b
Pre-release

New Features:

Bug Fixes:

  • When doing the ADAL.NET fallback from MSAL.NET, MSAL.NET was doing the lookup based on the account.HomeAccountId or requestParameters.LoginHint. In ADAL.NET an account will never have a HomeAccountId (by design), so lookup needs to happen by Account.UserName instead. MSAL.NET issue #1100
  • AcquireTokenInteractive would throw a PlatformNotSupportedException on NetCore when using CustomWebUI. MSAL.NET no longer throws an exception when using CustomWebUI on NetCore. MSAL issue #1058

3.0.5-preview

16 Apr 17:31
462b199
Pre-release

Bug Fixes:

3.0.4-preview

11 Apr 16:27
a737a83
Pre-release

Bug Fixes:

Breaking Changes in 3.0.4-preview

  • AcquireTokenInteractive now takes a single parameter - the scopes. A new builder method WithParentActivityOrWindow was introduced for passing in a reference to the UI object that spawns the UI (Activity, Window etc.).

MSAL.NET Version 3.0.3-preview

08 Apr 23:50
3cc5306
Pre-release

New Features:

Breaking Changes in 3.0.3-preview

  • The ClientCredential class is obsolete. There is no longer a need for the ClientCredential class to be public. This class has been marked as obsolete. MSAL issue #1007
  • The ApiConfig and AppConfig namespaces have been changed to the Microsoft.Identity.Client namespace for discoverability. This provides a better user experience when updating from MSALv2 to MSALv3.0.3x. MSAL issue #1006
  • Deprecate UIParent and move static classes to a more appropriate class (e.g. IsSystemWebviewAvailable()). MSAL issue #1005
  • Move all error codes to MSAL.Error. MSAL issue #1004
  • Deprecate the MSALv2 api. Move v2 api methods/properties to the migration aid and remove functionality. MSAL issue #1001
  • The Component property is obsolete. MSAL now transmits client app name and version to authorization and token requests. MSAL issue #978

Bug Fixes:

  • Interactive login from multiple clouds was failing due to instance discovery, as was GetAccounts. This is now fixed. MSAL issue 1048 and 1030
  • MSAL was calling DefaultRequestHeaders, which is not thread safe, a problem when AcquireTokenSilent is called from multiple places at the same time. MSAL issue #1014
  • SourceLink is available again. MSAL issue #953

MSAL.NET Version 3.0.2-preview

25 Mar 21:31

MSAL.NET Version 3.0.1-preview

22 Mar 02:59
ef709e1
Pre-release

New Features:

  • Device Code supports both verification_url and verification_uri
  • MsalError contains all the error messages
  • MsalException and its derived exception can now be serialized to JSON and deserialized
  • MSAL.NET for .NET Core moved to .NET Core 2.1.
  • At both app creation and token acquisition, you can now pass extra query parameters as a string (in addition to a Dictionary<string,string> introduced in MSAL 3.0.0)
  • MSAL.NET symbols are now published to enable SourceLink support

Breaking Changes in 3.0.1-preview

  • AcquireTokenSilent has two overrides that require you to pass-in the account or the loginHint
  • SubError property removed from MsalServiceException
  • merge removed from ITokenCache's DeserializeXX methods
  • WithClaims removed from app creation. It is now available on the AcquireToken methods
  • ICustomWebUi.AcquireAuthorizationCodeAsync now takes a cancellation Token

Bug Fixes:

MSAL.NET Version 3.0.0-preview

27 Feb 21:57
dce797c
Pre-release

Breaking changes in MSAL.NET 3:

  • UIBehavior was renamed to Prompt (breaking change)
  • TokenCacheNotificationArgs now surfaces an ITokenCache instead of a TokenCache. This will allow MSAL.NET to provide, in the future, various token cache implementations.
  • TokenCacheExtensions was removed and its methods moved to ITokenCache (this is a binary breaking change, but not a source level breaking change)
  • The Serialize and Deserialize methods on TokenCacheExtensions (which were serializing/deserializing the cache to the MSAL v2 format) were moved to ITokenCache and renamed SerializeMsalV2 and DeserializeV2

Changes related to improving app creation and configuration MSAL issue

  • New class ApplicationOptions helps you build an application, for instance, from a configuration file
  • New interface IMsalHttpClientFactory lets you pass in the HttpClient that MSAL.NET uses to communicate with the endpoints of Microsoft identity platform for developers.
  • New classes PublicClientApplicationBuilder and ConfidentialClientApplicationBuilder offer a fluent API to instantiate classes implementing IPublicClientApplication and IConfidentialClientApplication respectively, including from configuration files, setting the targeted cloud and audience, but also setting per-application logging and telemetry, and setting the HttpClient.
  • New delegates TelemetryCallback and TokenCacheCallback can be set at application construction
  • New enumerations AadAuthorityAudience and AzureCloudInstance help you write applications for sovereign and national clouds, and help you choose the audience for your application.

Changes related to improving token acquisition, addressing issues 810, 635, 426, 799:

  • ClientApplicationBase now implements IClientApplicationBase and has new members:
    • AppConfig of new type IAppConfig contains the configuration of the application
    • UserTokenCache of new type ITokenCache contains the user token cache (for both public and confidential client applications, for all flows except AcquireTokenForClient)
    • New fluent API AcquireTokenSilent
  • PublicClientApplication and IPublicClientApplication have four new fluent APIs: AcquireTokenByIntegratedWindowsAuth, AcquireTokenByUsernamePassword, AcquireTokenInteractive, AcquireTokenWithDeviceCode.
  • ConfidentialClientApplication has new members:
    • AppTokenCache used by AcquireTokenForClient
    • Five new fluent APIs: AcquireTokenByAuthorizationCode, AcquireTokenForClient, AcquireTokenOnBehalfOf, GetAuthorizationRequestUrl, IByRefreshToken.AcquireTokenByRefreshToken
  • New extensibility mechanism to enable public client applications to provide, in a secure way, their own browsing experience to let the user interact with the Microsoft identity platform endpoint (advanced). For this, applications need to implement the ICustomWebUi interface and throw MsalCustomWebUiFailedException exceptions in case of failure. This can be useful on platforms which don't yet have a Web browser. For instance, the Visual Studio Feedback tool is an Electron application which uses this mechanism. MSAL issue
  • MsalServiceException now surfaces two new properties:
    • CorrelationId which can be useful when you interact with Microsoft support.
    • SubError which indicates more details about why the error happened, including hints on how to communicate with the end user. MSAL issue

Changes related to the token cache:

  • New interface ITokenCache contains primitives to serialize and deserialize the token cache and set the delegates to react to cache changes
  • New methods SerializeMsalV3 and DeserializeMsalV3 on ITokenCache serialize/deserialize the token cache to a new layout format compatible with other MSAL libraries on Windows/Linux/MacOS.

A few bug fixes: