From e59b4aab37d60ab56bfe64a4a7a2dc69811c01ab Mon Sep 17 00:00:00 2001
From: Ben Russell
Date: Mon, 19 May 2025 12:34:39 -0500
Subject: [PATCH 1/3] Backport APIScan changes to v5.2 release branch
---
 .../ActiveDirectoryAuthenticationProvider.cs | 104 +++---------------
 1 file changed, 18 insertions(+), 86 deletions(-)
diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ActiveDirectoryAuthenticationProvider.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ActiveDirectoryAuthenticationProvider.cs
index eb4fa2212f..f5a0545c50 100644
--- a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ActiveDirectoryAuthenticationProvider.cs
+++ b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ActiveDirectoryAuthenticationProvider.cs
@@ -552,98 +552,30 @@ private static bool AreEqual(byte[] a1, byte[] a2)
 private IPublicClientApplication CreateClientAppInstance(PublicClientAppKey publicClientAppKey)
 {
- IPublicClientApplication publicClientApplication;
-
-#if NETSTANDARD
- if (_parentActivityOrWindowFunc != null)
- {
- publicClientApplication = PublicClientApplicationBuilder.Create(publicClientAppKey._applicationClientId)
- .WithAuthority(publicClientAppKey._authority)
- .WithClientName(Common.DbConnectionStringDefaults.ApplicationName)
- .WithClientVersion(Common.ADP.GetAssemblyVersion().ToString())
- .WithRedirectUri(publicClientAppKey._redirectUri)
- .WithParentActivityOrWindow(_parentActivityOrWindowFunc)
- .Build();
- }
-#endif
-#if NETFRAMEWORK
- if (_iWin32WindowFunc != null)
- {
- publicClientApplication = PublicClientApplicationBuilder.Create(publicClientAppKey._applicationClientId)
- .WithAuthority(publicClientAppKey._authority)
- .WithClientName(Common.DbConnectionStringDefaults.ApplicationName)
- .WithClientVersion(Common.ADP.GetAssemblyVersion().ToString())
- .WithRedirectUri(publicClientAppKey._redirectUri)
- .WithParentActivityOrWindow(_iWin32WindowFunc)
- .Build();
- }
-#endif
-#if !NETCOREAPP
- else
-#endif
- {
- publicClientApplication = PublicClientApplicationBuilder.Create(publicClientAppKey._applicationClientId)
- .WithAuthority(publicClientAppKey._authority)
- .WithClientName(Common.DbConnectionStringDefaults.ApplicationName)
- .WithClientVersion(Common.ADP.GetAssemblyVersion().ToString())
- .WithRedirectUri(publicClientAppKey._redirectUri)
- .Build();
- }
-
- return publicClientApplication;
- }
-
- private static TokenCredentialData CreateTokenCredentialInstance(TokenCredentialKey tokenCredentialKey, string secret)
- {
- if (tokenCredentialKey._tokenCredentialType == typeof(DefaultAzureCredential))
- {
- DefaultAzureCredentialOptions defaultAzureCredentialOptions = new()
- {
- AuthorityHost = new Uri(tokenCredentialKey._authority),
- SharedTokenCacheTenantId = tokenCredentialKey._audience,
- VisualStudioCodeTenantId = tokenCredentialKey._audience,
- VisualStudioTenantId = tokenCredentialKey._audience,
- ExcludeInteractiveBrowserCredential = true // Force disabled, even though it's disabled by default to respect driver specifications.
- };
-
- // Optionally set clientId when available
- if (tokenCredentialKey._clientId is not null)
+ PublicClientApplicationBuilder builder = PublicClientApplicationBuilder
+ .CreateWithApplicationOptions(new PublicClientApplicationOptions
 {
- defaultAzureCredentialOptions.ManagedIdentityClientId = tokenCredentialKey._clientId;
- defaultAzureCredentialOptions.SharedTokenCacheUsername = tokenCredentialKey._clientId;
- defaultAzureCredentialOptions.WorkloadIdentityClientId = tokenCredentialKey._clientId;
- }
-
- return new TokenCredentialData(new DefaultAzureCredential(defaultAzureCredentialOptions), GetHash(secret));
- }
-
- TokenCredentialOptions tokenCredentialOptions = new() { AuthorityHost = new Uri(tokenCredentialKey._authority) };
-
- if (tokenCredentialKey._tokenCredentialType == typeof(ManagedIdentityCredential))
- {
- return new TokenCredentialData(new ManagedIdentityCredential(tokenCredentialKey._clientId, tokenCredentialOptions), GetHash(secret));
- }
- else if (tokenCredentialKey._tokenCredentialType == typeof(ClientSecretCredential))
+ ClientId = publicClientAppKey._applicationClientId,
+ ClientName = Common.DbConnectionStringDefaults.ApplicationName,
+ ClientVersion = Common.ADP.GetAssemblyVersion().ToString(),
+ RedirectUri = publicClientAppKey._redirectUri,
+ })
+ .WithAuthority(publicClientAppKey._authority);
+
+ #if NETFRAMEWORK
+ if (_iWin32WindowFunc is not null)
 {
- return new TokenCredentialData(new ClientSecretCredential(tokenCredentialKey._audience, tokenCredentialKey._clientId, secret, tokenCredentialOptions), GetHash(secret));
+ builder = builder.WithParentActivityOrWindow(_iWin32WindowFunc);
 }
- else if (tokenCredentialKey._tokenCredentialType == typeof(WorkloadIdentityCredential))
+ #endif
+ #if NETSTANDARD
+ if (_parentActivityOrWindowFunc is not null)
 {
- // The WorkloadIdentityCredentialOptions object initialization populates its instance members
- // from the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_FEDERATED_TOKEN_FILE,
- // and AZURE_ADDITIONALLY_ALLOWED_TENANTS. AZURE_CLIENT_ID may be overridden by the User Id.
- WorkloadIdentityCredentialOptions options = new() { AuthorityHost = new Uri(tokenCredentialKey._authority) };
-
- if (tokenCredentialKey._clientId is not null)
- {
- options.ClientId = tokenCredentialKey._clientId;
- }
-
- return new TokenCredentialData(new WorkloadIdentityCredential(options), GetHash(secret));
+ builder = builder.WithParentActivityOrWindow(_parentActivityOrWindowFunc);
 }
+ #endif
- // This should never be reached, but if it is, throw an exception that will be noticed during development
- throw new ArgumentException(nameof(ActiveDirectoryAuthenticationProvider));
+ return builder.Build();
 }
 internal class PublicClientAppKey
From 6639c5b4fc0b7cb1558e30d7c053eb0d363457d6 Mon Sep 17 00:00:00 2001
From: Ben Russell
Date: Mon, 19 May 2025 16:20:47 -0500
Subject: [PATCH 2/3] Reinstate CreateTokenCredentialInstance that got blown away in last commit
---
 .../ActiveDirectoryAuthenticationProvider.cs | 53 +++++++++++++++++++
 1 file changed, 53 insertions(+)
diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ActiveDirectoryAuthenticationProvider.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ActiveDirectoryAuthenticationProvider.cs
index f5a0545c50..266fecd4e2 100644
--- a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ActiveDirectoryAuthenticationProvider.cs
+++ b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ActiveDirectoryAuthenticationProvider.cs
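Review bot: The rewritten body no longer states what happens on targets where neither NETFRAMEWORK nor NETSTANDARD is defined — the removed `#if !NETCOREAPP` / `else` branch made the no-parent-window path explicit, while the new code only implies it by omission after the `.WithAuthority(...)` call. A short comment above the first directive would keep that intent visible: `// Only .NET Framework and .NET Standard builds attach a parent window/activity; other targets build without one.` The directives are also now indented with the surrounding statements, whereas the lines this hunk removes kept them at column 0; worth matching whichever the rest of the file uses.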
@@ -578,6 +578,59 @@ private IPublicClientApplication CreateClientAppInstance(PublicClientAppKey publ
 return builder.Build();
 }
+ private static TokenCredentialData CreateTokenCredentialInstance(TokenCredentialKey tokenCredentialKey, string secret)
+ {
+ if (tokenCredentialKey._tokenCredentialType == typeof(DefaultAzureCredential))
+ {
+ DefaultAzureCredentialOptions defaultAzureCredentialOptions = new()
+ {
+ AuthorityHost = new Uri(tokenCredentialKey._authority),
+ SharedTokenCacheTenantId = tokenCredentialKey._audience,
+ VisualStudioCodeTenantId = tokenCredentialKey._audience,
+ VisualStudioTenantId = tokenCredentialKey._audience,
+ ExcludeInteractiveBrowserCredential = true // Force disabled, even though it's disabled by default to respect driver specifications.
+ };
+
+ // Optionally set clientId when available
+ if (tokenCredentialKey._clientId is not null)
+ {
+ defaultAzureCredentialOptions.ManagedIdentityClientId = tokenCredentialKey._clientId;
+ defaultAzureCredentialOptions.SharedTokenCacheUsername = tokenCredentialKey._clientId;
+ defaultAzureCredentialOptions.WorkloadIdentityClientId = tokenCredentialKey._clientId;
+ }
+
+ return new TokenCredentialData(new DefaultAzureCredential(defaultAzureCredentialOptions), GetHash(secret));
+ }
+
+ TokenCredentialOptions tokenCredentialOptions = new() { AuthorityHost = new Uri(tokenCredentialKey._authority) };
+
+ if (tokenCredentialKey._tokenCredentialType == typeof(ManagedIdentityCredential))
+ {
+ return new TokenCredentialData(new ManagedIdentityCredential(tokenCredentialKey._clientId, tokenCredentialOptions), GetHash(secret));
+ }
+ else if (tokenCredentialKey._tokenCredentialType == typeof(ClientSecretCredential))
+ {
+ return new TokenCredentialData(new ClientSecretCredential(tokenCredentialKey._audience, tokenCredentialKey._clientId, secret, tokenCredentialOptions), GetHash(secret));
+ }
+ else if (tokenCredentialKey._tokenCredentialType == typeof(WorkloadIdentityCredential))
+ {
+ // The WorkloadIdentityCredentialOptions object initialization populates its instance members
+ // from the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_FEDERATED_TOKEN_FILE,
+ // and AZURE_ADDITIONALLY_ALLOWED_TENANTS. AZURE_CLIENT_ID may be overridden by the User Id.
+ WorkloadIdentityCredentialOptions options = new() { AuthorityHost = new Uri(tokenCredentialKey._authority) };
+
+ if (tokenCredentialKey._clientId is not null)
+ {
+ options.ClientId = tokenCredentialKey._clientId;
+ }
+
+ return new TokenCredentialData(new WorkloadIdentityCredential(options), GetHash(secret));
+ }
+
+ // This should never be reached, but if it is, throw an exception that will be noticed during development
+ throw new ArgumentException(nameof(ActiveDirectoryAuthenticationProvider));
+ }
+
 internal class PublicClientAppKey
 {
 public readonly string _authority;
From 32f30b76140487e4162a1c7957866c6420d3a784 Mon Sep 17 00:00:00 2001
From: Ben Russell
Date: Tue, 20 May 2025 12:47:16 -0500
Subject: [PATCH 3/3] Assigning builder after With* is not necessary. Internal state of builder is updated.
---
 .../Data/SqlClient/ActiveDirectoryAuthenticationProvider.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ActiveDirectoryAuthenticationProvider.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ActiveDirectoryAuthenticationProvider.cs
index 266fecd4e2..40fceda2c9 100644
--- a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ActiveDirectoryAuthenticationProvider.cs
+++ b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ActiveDirectoryAuthenticationProvider.cs
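Review bot: The fall-through at the end of the reinstated method throws `new ArgumentException(nameof(ActiveDirectoryAuthenticationProvider))`, which places the provider's type name in the exception message and never names the credential type that was not handled, so the "noticed during development" intent stated in the comment above it is weakened. Prefer `throw new ArgumentException($"Unsupported token credential type: {tokenCredentialKey._tokenCredentialType}", nameof(tokenCredentialKey));` so the message identifies the unhandled `_tokenCredentialType` and the parameter it came from (the secret itself must stay out of the message, as it does now). The method also carries no summary; a `/// <summary>` stating that it maps `tokenCredentialKey._tokenCredentialType` to the matching credential (DefaultAzureCredential, ManagedIdentityCredential, ClientSecretCredential or WorkloadIdentityCredential), configured with the key's authority, audience and client id, and pairs it with `GetHash(secret)` would help the next maintainer.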
@@ -565,13 +565,13 @@ private IPublicClientApplication CreateClientAppInstance(PublicClientAppKey publ
 #if NETFRAMEWORK
 if (_iWin32WindowFunc is not null)
 {
- builder = builder.WithParentActivityOrWindow(_iWin32WindowFunc);
+ builder.WithParentActivityOrWindow(_iWin32WindowFunc);
 }
 #endif
 #if NETSTANDARD
 if (_parentActivityOrWindowFunc is not null)
 {
- builder = builder.WithParentActivityOrWindow(_parentActivityOrWindowFunc);
+ builder.WithParentActivityOrWindow(_parentActivityOrWindowFunc);
 }
 #endif
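Review bot: Discarding the return value of `WithParentActivityOrWindow` on both changed lines relies on the builder mutating itself and handing back the same instance, which the commit message asserts but the call site no longer shows, so a reader (or an analyzer that flags ignored results) cannot tell whether the drop is deliberate. Either keep the fluent form or record the assumption in place, e.g. `builder.WithParentActivityOrWindow(_iWin32WindowFunc); // mutates builder in place; the returned reference is the same instance`, with the same comment on the `_parentActivityOrWindowFunc` line in the `#if NETSTANDARD` block. The enclosing CreateClientAppInstance starts and ends outside this hunk.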