ID.Web.MicrosoftGraph now eferences Id.Web.TokenAcqusition (and not Id.Web)

src/Directory.Build.props

@@ -84,7 +84,7 @@
   </PropertyGroup>
 
   <PropertyGroup Label="Common dependency versions">
-    <IdentityModelVersion>6.20.0</IdentityModelVersion>
+    <IdentityModelVersion>6.21.0</IdentityModelVersion>
     <MicrosoftIdentityClientVersion>4.42.0</MicrosoftIdentityClientVersion>
     <FxCopAnalyzersVersion>3.3.0</FxCopAnalyzersVersion>
     <SystemTextEncodingsWebVersion>4.7.2</SystemTextEncodingsWebVersion>

src/Microsoft.Identity.Web.MicrosoftGraph/Microsoft.Identity.Web.MicrosoftGraph.csproj

@@ -20,7 +20,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <ProjectReference Include="..\Microsoft.Identity.Web\Microsoft.Identity.Web.csproj" />
+    <ProjectReference Include="..\Microsoft.Identity.Web.TokenAcquisition\Microsoft.Identity.Web.TokenAcquisition.csproj" />
   </ItemGroup>
 
   <PropertyGroup>

src/Microsoft.Identity.Web.MicrosoftGraphBeta/Microsoft.Identity.Web.MicrosoftGraphBeta.csproj

@@ -28,7 +28,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <ProjectReference Include="..\Microsoft.Identity.Web\Microsoft.Identity.Web.csproj" />
+    <ProjectReference Include="..\Microsoft.Identity.Web.TokenAcquisition\Microsoft.Identity.Web.TokenAcquisition.csproj" />
   </ItemGroup>
 
 </Project>

src/Microsoft.Identity.Web.TokenAcquisition.Abstractions/ApplicationOptions/AuthenticationOptions.cs

@@ -59,6 +59,31 @@ public bool HasClientCredentials
         ///   </example>
         public IEnumerable<CredentialDescription>? ClientCredentials { get; set; }
 
+
+        /// <summary>
+        /// Specifies if the x5c claim (public key of the certificate) should be sent to the STS.
+        /// Sending the x5c enables application developers to achieve easy certificate rollover in Azure AD:
+        /// this method will send the public certificate to Azure AD along with the token request,
+        /// so that Azure AD can use it to validate the subject name based on a trusted issuer policy.
+        /// This saves the application admin from the need to explicitly manage the certificate rollover
+        /// (either via the app registration portal or using PowerShell/CLI). 
+        /// For details see https://aka.ms/msal-net-sni.
+        /// </summary>
+        /// The default is <c>false</c>.
+        public bool SendX5C { get; set; }
+
+        /// <summary>
+        /// If set to <c>true</c>, when the user signs-in in a web app, the application Requests an auth code 
+        /// for the frontend (single page application using MSAL.js for instance). This will allow the front end
+        /// JavaScript code to bypass going to the authoriize endpoint (which requires reloading the page), by 
+        /// directly redeeming the auth code to get access tokens to call APIs.
+        /// See https://aka.ms/msal-net/spa-auth-code for details.
+        /// </summary>
+        /// The default is <c>false.</c>
+        public bool WithSpaAuthCode { get; set; }
+        #endregion
+
+        #region Web API
         /// <summary>
         /// In a web API, audience of the tokens that will be accepted by the web API.
         /// <para>If your web API accepts several audiences, see <see cref="Audiences"/></para>
@@ -88,29 +113,6 @@ public bool HasClientCredentials
         ///   </example>
         public IEnumerable<CredentialDescription>? TokenDecryptionCredentials { get; set; }
 
-        /// <summary>
-        /// Specifies if the x5c claim (public key of the certificate) should be sent to the STS.
-        /// Sending the x5c enables application developers to achieve easy certificate rollover in Azure AD:
-        /// this method will send the public certificate to Azure AD along with the token request,
-        /// so that Azure AD can use it to validate the subject name based on a trusted issuer policy.
-        /// This saves the application admin from the need to explicitly manage the certificate rollover
-        /// (either via the app registration portal or using PowerShell/CLI). 
-        /// For details see https://aka.ms/msal-net-sni.
-        /// </summary>
-        /// The default is <c>false</c>.
-        public bool SendX5C { get; set; }
-
-        /// <summary>
-        /// If set to <c>true</c>, when the user signs-in in a web app, the application Requests an auth code 
-        /// for the frontend (single page application using MSAL.js for instance). This will allow the front end
-        /// JavaScript code to bypass going to the authoriize endpoint (which requires reloading the page), by 
-        /// directly redeeming the auth code to get access tokens to call APIs.
-        /// See https://aka.ms/msal-net/spa-auth-code for details.
-        /// </summary>
-        /// The default is <c>false.</c>
-        public bool WithSpaAuthCode { get; set; }
-        #endregion
-
         /// <summary>
         /// Web APIs called by daemon applications can validate a token based on roles (representing app permissions), 
         /// or using the ACL-based authorization pattern for the client (daemon) to the web API. If using ACL-based authorization,
@@ -119,12 +121,6 @@ public bool HasClientCredentials
         /// </summary>
         /// The default is <c>false.</c>
         public bool AllowWebApiToBeAuthorizedByACL { get; set; }
-
-        /// <summary>
-        /// Sets the Error route path.
-        /// Defaults to the value /MicrosoftIdentity/Account/Error,
-        /// which is the value used by Microsoft.Identity.Web.UI.
-        /// </summary>
-        public string ErrorPath { get; set; } = "/MicrosoftIdentity/Account/Error";
+        #endregion
     }
 }

src/Microsoft.Identity.Web.TokenAcquisition.Abstractions/ApplicationOptions/MicrosoftAuthenticationOptions.cs

@@ -20,6 +20,17 @@ public class MicrosoftAuthenticationOptions : AuthenticationOptions
         /// </summary>
         public string? TenantId { get; set; }
 
+        /// <summary>
+        /// Gets or sets the Authority to use when making OpenIdConnect calls.
+        /// </summary>
+        public override string? Authority
+        {
+            get { return _authority ?? $"{Instance}{TenantId}/v2.0"; }
+            set { _authority = value; }
+        }
+        private string? _authority;
+
+        #region Token acquisition
         /// <summary>
         /// Specifies the Azure region. See https://aka.ms/azure-region. By default
         /// the app attempts to detect the Azure region automatically (the default
@@ -32,23 +43,14 @@ public class MicrosoftAuthenticationOptions : AuthenticationOptions
         /// useful to express that the Client is capable of handling claims challenge.
         /// </summary>
         public IEnumerable<string>? ClientCapabilities { get; set; }
+        #endregion
 
-        /// <summary>
-        /// Gets or sets the Authority to use when making OpenIdConnect calls.
-        /// </summary>
-        public override string? Authority
-        {
-            get { return _authority ?? $"{Instance}{TenantId}/v2.0"; }
-            set { _authority = value; }
-        }
-        private string? _authority;
-
+        #region AADB2C
         /// <summary>
         /// Gets or sets the domain of the Azure Active Directory tenant, e.g. contoso.onmicrosoft.com.
         /// </summary>
         public string? Domain { get; set; }
 
-        #region AADB2C
         /// <summary>
         /// Gets or sets the edit profile user flow name for B2C, e.g. b2c_1_edit_profile.
         /// </summary>
@@ -76,7 +78,9 @@ internal bool IsB2C
         {
             get => !string.IsNullOrWhiteSpace(DefaultUserFlow);
         }
+        #endregion
 
+        #region Web app
         /// <summary>
         /// Sets the ResetPassword route path (from the root of the web site).
         /// Defaults to /MicrosoftIdentity/Account/ResetPassword,
@@ -85,6 +89,12 @@ internal bool IsB2C
         /// </summary>
         public string ResetPasswordPath { get; set; } = "/MicrosoftIdentity/Account/ResetPassword";
 
+        /// <summary>
+        /// Sets the Error route path.
+        /// Defaults to the value /MicrosoftIdentity/Account/Error,
+        /// which is the value used by Microsoft.Identity.Web.UI.
+        /// </summary>
+        public string ErrorPath { get; set; } = "/MicrosoftIdentity/Account/Error";
         #endregion
     }
 }

src/Microsoft.Identity.Web/WebAppExtensions/MicrosoftIdentityAppCallingWebApiAuthenticationBuilder.cs → src/Microsoft.Identity.Web.TokenAcquisition/AspNetCore/MicrosoftIdentityAppCallingWebApiAuthenticationBuilder.cs

@@ -12,7 +12,6 @@
 using Microsoft.Identity.Web.TokenCacheProviders;
 using Microsoft.Identity.Web.TokenCacheProviders.Distributed;
 using Microsoft.Identity.Web.TokenCacheProviders.InMemory;
-using Microsoft.Identity.Web.TokenCacheProviders.Session;
 
 namespace Microsoft.Identity.Web
 {
@@ -67,47 +66,5 @@ public MicrosoftIdentityAppCallsWebApiAuthenticationBuilder AddDistributedTokenC
             Services.AddDistributedTokenCaches();
             return this;
         }
-
-        /// <summary>
-        /// Add session token caches.
-        /// </summary>
-        /// <returns>the service collection.</returns>
-        public MicrosoftIdentityAppCallsWebApiAuthenticationBuilder AddSessionTokenCaches()
-        {
-            // Add session if you are planning to use session based token cache
-            var sessionStoreService = Services.FirstOrDefault(x => x.ServiceType.Name == Constants.ISessionStore);
-
-            // If not added already
-            if (sessionStoreService == null)
-            {
-                Services.AddSession(option =>
-                {
-                    option.Cookie.IsEssential = true;
-                });
-            }
-            else
-            {
-                // If already added, ensure the options are set to use Cookies
-                Services.Configure<SessionOptions>(option =>
-                {
-                    option.Cookie.IsEssential = true;
-                });
-            }
-
-            Services.AddHttpContextAccessor();
-            Services.AddScoped<IMsalTokenCacheProvider, MsalSessionTokenCacheProvider>();
-            Services.TryAddScoped(provider =>
-            {
-                var httpContext = provider.GetRequiredService<IHttpContextAccessor>().HttpContext;
-                if (httpContext == null)
-                {
-                    throw new InvalidOperationException(IDWebErrorMessage.HttpContextIsNull);
-                }
-
-                return httpContext.Session;
-            });
-
-            return this;
-        }
     }
 }

src/Microsoft.Identity.Web.TokenAcquisition/AspNetCore/TokenAcquisition-AspnetCore.cs

@@ -23,7 +23,7 @@
 
 namespace Microsoft.Identity.Web
 {
-    partial class TokenAcquisition
+    internal class TokenAcquisitionAspNetCore : TokenAcquisition, ITokenAcquisition, ITokenAcquisitionInternal
     {
 
         /// <summary>
@@ -36,17 +36,14 @@ partial class TokenAcquisition
         /// <param name="httpClientFactory">HTTP client factory.</param>
         /// <param name="logger">Logger.</param>
         /// <param name="serviceProvider">Service provider.</param>
-        public TokenAcquisition(
+        public TokenAcquisitionAspNetCore(
             IMsalTokenCacheProvider tokenCacheProvider,
             IHttpClientFactory httpClientFactory,
             ILogger<TokenAcquisition> logger,
             ITokenAcquisitionHost tokenAcquisitionHost,
-            IServiceProvider serviceProvider)
+            IServiceProvider serviceProvider) :
+            base(tokenCacheProvider, tokenAcquisitionHost, httpClientFactory, logger, serviceProvider)
         {
-            _tokenCacheProvider = tokenCacheProvider;
-            _httpClientFactory = new MsalAspNetCoreHttpClientFactory(httpClientFactory);
-            _logger = logger;
-            _tokenAcquisitionHost = tokenAcquisitionHost;
         }
 
 

src/Microsoft.Identity.Web.TokenAcquisition/Microsoft.Identity.Web.TokenAcquisition.csproj

@@ -17,10 +17,12 @@
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="$(MicrosoftAspNetCoreAuthenticationJwtBearerVersion)" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="$(MicrosoftAspNetCoreAuthenticationOpenIdConnectVersion)" />
     <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="$(IdentityModelVersion)" />
+    <PackageReference Include="Microsoft.Extensions.Http" Version="3.1.3" />
   </ItemGroup>
 
   <ItemGroup>
     <PackageReference Include="Microsoft.IdentityModel.Logging" Version="$(IdentityModelVersion)" />
+    <PackageReference Include="Microsoft.IdentityModel.LoggingExtensions" Version="$(IdentityModelVersion)" />
     <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="$(IdentityModelVersion)" />
     <PackageReference Include="Microsoft.Extensions.Http" Version="$(MicrosoftExtensionsHttpVersion)" />
     <PackageReference Include="System.Text.Encodings.Web" Version="$(SystemTextEncodingsWebVersion)" />

src/Microsoft.Identity.Web.TokenAcquisition/ServiceCollectionExtensions.cs

@@ -62,26 +62,31 @@ public static IServiceCollection AddTokenAcquisition(
             // Token acquisition service
             if (isTokenAcquisitionSingleton)
             {
-                services.AddSingleton<ITokenAcquisition, TokenAcquisition>();
-                services.AddSingleton(s => (ITokenAcquirer)s.GetRequiredService<ITokenAcquisition>());
 #if !NET472 && !NET462
                 services.AddHttpContextAccessor();
+                services.AddSingleton<ITokenAcquisition, TokenAcquisitionAspNetCore>();
+                services.AddSingleton(s => (ITokenAcquirer)s.GetRequiredService<ITokenAcquisition>());
+
                 services.AddSingleton<ITokenAcquisitionHost, TokenAcquisitionAspnetCoreHost>();
                 services.AddSingleton(s => (ITokenAcquisitionInternal)s.GetRequiredService<ITokenAcquisition>());
 #else
                 services.AddSingleton<ITokenAcquisitionHost, PlainDotNetTokenAcquisitionHost>();
+                services.AddSingleton<ITokenAcquirer, TokenAcquisition>();
 #endif
             }
             else
             {
-                services.AddScoped<ITokenAcquisition, TokenAcquisition>();
-                services.AddScoped(s => (ITokenAcquirer)s.GetRequiredService<ITokenAcquisition>());
 #if !NET472 && !NET462
                 services.AddHttpContextAccessor();
+
+                services.AddScoped<ITokenAcquisition, TokenAcquisitionAspNetCore>();
+                services.AddScoped(s => (ITokenAcquirer)s.GetRequiredService<ITokenAcquisition>());
+
                 services.AddScoped<ITokenAcquisitionHost, TokenAcquisitionAspnetCoreHost>();
                 services.AddScoped(s => (ITokenAcquisitionInternal)s.GetRequiredService<ITokenAcquisition>());
 #else
                 services.AddScoped<ITokenAcquisitionHost, PlainDotNetTokenAcquisitionHost>();
+                services.AddSingleton<ITokenAcquirer, TokenAcquisition>();
 #endif
             }
 

src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs

@@ -28,7 +28,7 @@ namespace Microsoft.Identity.Web
     /// <summary>
     /// Token acquisition service.
     /// </summary>
-    internal partial class TokenAcquisition : ITokenAcquisition, ITokenAcquisitionInternal, ITokenAcquirer
+    internal partial class TokenAcquisition : ITokenAcquirer
     {
 #if NET472 || NET462
         class OAuthConstants
@@ -37,7 +37,7 @@ class OAuthConstants
         }
 #endif
 
-        private readonly IMsalTokenCacheProvider _tokenCacheProvider;
+        protected readonly IMsalTokenCacheProvider _tokenCacheProvider;
 
         private readonly object _applicationSyncObj = new object();
 
@@ -46,10 +46,10 @@ class OAuthConstants
         /// </summary>
         private ConcurrentDictionary<string, IConfidentialClientApplication?> _applicationsByAuthorityClientId = new ConcurrentDictionary<string, IConfidentialClientApplication?>();
         private bool _retryClientCertificate;
-        private readonly IMsalHttpClientFactory _httpClientFactory;
-        private readonly ILogger _logger;
+        protected readonly IMsalHttpClientFactory _httpClientFactory;
+        protected readonly ILogger _logger;
         private readonly IServiceProvider _serviceProvider;
-        private readonly ITokenAcquisitionHost _tokenAcquisitionHost;
+        protected readonly ITokenAcquisitionHost _tokenAcquisitionHost;
 
         /// <summary>
         /// Scopes which are already requested by MSAL.NET. They should not be re-requested;.
@@ -856,7 +856,7 @@ private Task<AuthenticationResult> GetAuthenticationResultForWebAppWithAccountFr
             return builder.ExecuteAsync(tokenAcquisitionOptions != null ? tokenAcquisitionOptions.CancellationToken : CancellationToken.None);
         }
 
-        private static bool AcceptedTokenVersionMismatch(MsalUiRequiredException msalServiceException)
+        protected static bool AcceptedTokenVersionMismatch(MsalUiRequiredException msalServiceException)
         {
             // Normally app developers should not make decisions based on the internal AAD code
             // however until the STS sends sub-error codes for this error, this is the only

src/Microsoft.Identity.Web/Microsoft.Identity.Web.csproj

@@ -25,8 +25,8 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.IdentityModel.LoggingExtensions" Version="$(IdentityModelVersion)" />
-    <PackageReference Include="Microsoft.IdentityModel.Logging" Version="$(IdentityModelVersion)" />
+    <!--<PackageReference Include="Microsoft.IdentityModel.LoggingExtensions" Version="$(IdentityModelVersion)" />
+    <PackageReference Include="Microsoft.IdentityModel.Logging" Version="$(IdentityModelVersion)" />-->
     <PackageReference Include="Microsoft.IdentityModel.Validators" Version="$(IdentityModelVersion)" />
     <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="$(IdentityModelVersion)" />
     <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="$(IdentityModelVersion)" />