Deprecate request.WithAuthority
bgavrilMS committed Nov 3, 2023
1 parent 4b1c58a commit 0b645a6
Showing 23 changed files with 83 additions and 82 deletions.
Expand Up @@ -103,7 +103,8 @@ public T WithExtraQueryParameters(string extraQueryParameters)
/// the application registration portal.</param>
/// <param name="validateAuthority">Whether the authority should be validated against the server metadata.</param>
/// <returns>The builder to chain the .With methods.</returns>
[EditorBrowsable(EditorBrowsableState.Never)] // Soft deprecate
[EditorBrowsable(EditorBrowsableState.Never)]
[Obsolete("This API has been deprecated. You can override the tenant ID in the request using WithTenantId. See https://aka.ms/msal-net-authority-override ")]
public T WithAuthority(string authorityUri, bool validateAuthority = true)
{
if (string.IsNullOrWhiteSpace(authorityUri))
Expand All @@ -125,6 +126,7 @@ public T WithAuthority(string authorityUri, bool validateAuthority = true)
/// <param name="validateAuthority">Whether the authority should be validated against the server metadata.</param>
/// <returns>The builder to chain the .With methods.</returns>
[EditorBrowsable(EditorBrowsableState.Never)] // Soft deprecate
[Obsolete("This API has been deprecated. You can override the tenant ID in the request using WithTenantId. See https://aka.ms/msal-net-authority-override ")]
public T WithAuthority(
string cloudInstanceUri,
Guid tenantId,
Expand Down Expand Up @@ -156,6 +158,7 @@ public T WithAuthority(string authorityUri, bool validateAuthority = true)
/// </remarks>
/// <returns>The builder to chain the .With methods.</returns>
[EditorBrowsable(EditorBrowsableState.Never)] // Soft deprecate
[Obsolete("This API has been deprecated. You can override the tenant ID in the request using WithTenantId. See https://aka.ms/msal-net-authority-override ")]
public T WithAuthority(
string cloudInstanceUri,
string tenant,
Expand All @@ -182,6 +185,7 @@ public T WithAuthority(string authorityUri, bool validateAuthority = true)
/// <param name="validateAuthority">Whether the authority should be validated against the server metadata.</param>
/// <returns>The builder to chain the .With methods.</returns>
[EditorBrowsable(EditorBrowsableState.Never)] // Soft deprecate
[Obsolete("This API has been deprecated. You can override the tenant ID in the request using WithTenantId. See https://aka.ms/msal-net-authority-override ")]
public T WithAuthority(
AzureCloudInstance azureCloudInstance,
Guid tenantId,
Expand All @@ -203,7 +207,8 @@ public T WithAuthority(string authorityUri, bool validateAuthority = true)
/// <param name="tenant">Tenant Id of the tenant from which to sign-in users. This can also be a GUID.</param>
/// <param name="validateAuthority">Whether the authority should be validated against the server metadata.</param>
/// <returns>The builder to chain the .With methods.</returns>
[EditorBrowsable(EditorBrowsableState.Never)] // Soft deprecate
[EditorBrowsable(EditorBrowsableState.Never)] // Soft deprecate\
[Obsolete("This API has been deprecated. You can override the tenant ID in the request using WithTenantId. See https://aka.ms/msal-net-authority-override ")]
public T WithAuthority(
AzureCloudInstance azureCloudInstance,
string tenant,
Expand All @@ -225,6 +230,7 @@ public T WithAuthority(string authorityUri, bool validateAuthority = true)
/// <param name="validateAuthority">Whether the authority should be validated against the server metadata.</param>
/// <returns>The builder to chain the .With methods.</returns>
[EditorBrowsable(EditorBrowsableState.Never)] // Soft deprecate
[Obsolete("This API has been deprecated. You can override the tenant ID in the request using WithTenantId. See https://aka.ms/msal-net-authority-override ")]
public T WithAuthority(AzureCloudInstance azureCloudInstance, AadAuthorityAudience authorityAudience, bool validateAuthority = true)
{
CommonParameters.AuthorityOverride = AuthorityInfo.FromAadAuthority(azureCloudInstance, authorityAudience, validateAuthority);
Expand All @@ -243,6 +249,7 @@ public T WithAuthority(AzureCloudInstance azureCloudInstance, AadAuthorityAudien
/// <param name="validateAuthority">Whether the authority should be validated against the server metadata.</param>
/// <returns>The builder to chain the .With methods.</returns>
[EditorBrowsable(EditorBrowsableState.Never)] // Soft deprecate
[Obsolete("This API has been deprecated. You can override the tenant ID in the request using WithTenantId. See https://aka.ms/msal-net-authority-override ")]
public T WithAuthority(AadAuthorityAudience authorityAudience, bool validateAuthority = true)
{
CommonParameters.AuthorityOverride = AuthorityInfo.FromAadAuthority(authorityAudience, validateAuthority);
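Review bot: The attribute line added for the `(AzureCloudInstance azureCloudInstance, string tenant, ...)` overload ends its comment with a stray backslash (`// Soft deprecate\`), and six overloads keep a `// Soft deprecate` comment that no longer fits now that `[Obsolete]` raises a compiler warning; only the first overload had it removed. The same message literal is pasted seven times, each with a trailing space before the closing quote. I would hoist it into one constant, e.g. `private const string WithAuthorityObsoleteMessage = "...";`, and use `[Obsolete(WithAuthorityObsoleteMessage)]` on every overload so the copies cannot drift. The overloads that take a cloud instance presumably change more than the tenant, so the message could say what those callers should do, since it only mentions `WithTenantId`. The method bodies continue outside the hunks.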
38 changes: 8 additions & 30 deletions src/client/Microsoft.Identity.Client/IPublicClientApplication.cs
Expand Up @@ -37,23 +37,13 @@ public partial interface IPublicClientApplication : IClientApplicationBase
bool IsSystemWebViewAvailable { get; }

/// <summary>
/// Interactive request to acquire a token for the specified scopes. The interactive window will be parented to an application
/// window specified through a handle. The user will be required to select an account.
/// Interactive request to acquire a token for the specified scopes. Either a system browser, an embedded browser or a broker will
/// handle this request, depending on the version of .NET framework used and on configuration.
/// For Microsoft Entra applications, a broker is recommended. See https://aka.ms/msal-net-wam
/// </summary>
/// <param name="scopes">Scopes requested to access a protected API.</param>
/// <returns>A builder enabling you to add optional parameters before executing the token request.</returns>
/// <remarks>The user will be signed-in interactively and will consent to scopes, as well as perform a multi-factor authentication step if such a policy was enabled in the Azure AD tenant.
///
/// You can also pass optional parameters by calling:
/// <list type="bullet">
/// <item><description><see cref="AcquireTokenInteractiveParameterBuilder.WithPrompt(Prompt)"/> to specify the user experience when signing-in.</description></item>
/// <item><description><see cref="AcquireTokenInteractiveParameterBuilder.WithUseEmbeddedWebView(bool)"/> to specify if you want to use the embedded web browser or the default system browser.</description></item>
/// <item><description><see cref="AcquireTokenInteractiveParameterBuilder.WithSystemWebViewOptions(SystemWebViewOptions)"/> to configure the user experience when using the default system browser.</description></item>
/// <item><description><see cref="AcquireTokenInteractiveParameterBuilder.WithAccount(IAccount)"/> or <see cref="AcquireTokenInteractiveParameterBuilder.WithLoginHint(string)"/> to prevent the account selection dialog from appearing if you want to sign-in a specific account.</description></item>
/// <item><description><see cref="AcquireTokenInteractiveParameterBuilder.WithExtraScopesToConsent(IEnumerable{string})"/> if you want to let the user pre-consent to additional scopes (which won't be returned in the access token).</description></item>
/// <item><description><see cref="AbstractAcquireTokenParameterBuilder{T}.WithExtraQueryParameters(Dictionary{string, string})"/> to pass additional query parameters to the authentication service.</description></item>
/// <item><description>One of the overrides of <see cref="AbstractAcquireTokenParameterBuilder{T}.WithAuthority(string, bool)"/> to override the default authority set at the application construction. Note that the overriding authority needs to be part of the known authorities added to the application constructor.</description></item>
/// </list>
/// </remarks>
AcquireTokenInteractiveParameterBuilder AcquireTokenInteractive(IEnumerable<string> scopes);

Expand All @@ -74,16 +64,16 @@ public partial interface IPublicClientApplication : IClientApplicationBase
/// token which is granted upon successful login by the user based on the device code information.</description></item>
/// </list>
/// See <see href="https://aka.ms/msal-device-code-flow">our documentation</see> for additional context.
/// You can also pass optional parameters by calling <see cref="AbstractAcquireTokenParameterBuilder{T}.WithExtraQueryParameters(Dictionary{string, string})"/>
/// and one of the overrides of <see cref="AbstractAcquireTokenParameterBuilder{T}.WithAuthority(string, bool)"/>
/// in order to override the default authority. Note that the overriding authority needs to be part
/// of the known authorities added to the application constructor.
/// </remarks>
AcquireTokenWithDeviceCodeParameterBuilder AcquireTokenWithDeviceCode(
IEnumerable<string> scopes,
Func<DeviceCodeResult, Task> deviceCodeResultCallback);

/// <summary>
/// This API is no longer recommended and will be deprecated in future versions in favor of similar functionality via the Windows broker (WAM).
/// See https://aka.ms/msal-net-wam
/// WAM does not require any setup for desktop apps to login with the Windows account.
///
/// Non-interactive request to acquire a security token for the signed-in user in Windows,
/// via Integrated Windows Authentication.
/// The account used in this overrides is pulled from the operating system as the current user principal name.
Expand All @@ -96,10 +86,6 @@ public partial interface IPublicClientApplication : IClientApplicationBase
/// of the user account for which to acquire a token with Integrated Windows Authentication. This is generally in
/// User Principal Name (UPN) format (e.g. john.doe@contoso.com). This is normally not needed, but some Windows administrators
/// set policies preventing applications from looking up the signed-in user and in that case the username needs to be passed.
/// You can also chain with <see cref="AbstractAcquireTokenParameterBuilder{T}.WithExtraQueryParameters(Dictionary{string, string})"/> to pass
/// additional query parameters to the authentication service, along with one of the overrides of <see cref="AbstractAcquireTokenParameterBuilder{T}.WithAuthority(string, bool)"/>
/// in order to override the default authority. Note that the overriding authority needs to be part
/// of the known authorities added to the application constructor.
/// </remarks>
AcquireTokenByIntegratedWindowsAuthParameterBuilder AcquireTokenByIntegratedWindowsAuth(
IEnumerable<string> scopes);
Expand All @@ -113,11 +99,7 @@ public partial interface IPublicClientApplication : IClientApplicationBase
/// <param name="password">User password as a secure string.</param>
/// <returns>A builder enabling you to add optional parameters before executing the token request</returns>
/// <remarks>
/// Available only for .NET Framework and .NET Core applications. See <see href="https://aka.ms/msal-net-up">our documentation</see> for details.
/// You can also pass optional parameters by chaining the builder with <see cref="AbstractAcquireTokenParameterBuilder{T}.WithExtraQueryParameters(Dictionary{string, string})"/>
/// and one of the overrides of <see cref="AbstractAcquireTokenParameterBuilder{T}.WithAuthority(string, bool)"/>
/// to override the default authority. Note that the overriding authority needs to be part
/// of the known authorities added to the application constructor.
/// Available only for .NET Framework and .NET Core applications. See <see href="https://aka.ms/msal-net-up">our documentation</see> for details.
/// .NET no longer recommends using SecureString and MSAL puts the plaintext value of the password on the wire, as required by the OAuth protocol. See <see href="https://docs.microsoft.com/dotnet/api/system.security.securestring?view=net-6.0#remarks">SecureString documentation</see> for details.
/// </remarks>
[Obsolete("Using SecureString is not recommended. Use AcquireTokenByUsernamePassword(IEnumerable<string> scopes, string username, string password) instead.", false)]
Expand All @@ -137,10 +119,6 @@ public partial interface IPublicClientApplication : IClientApplicationBase
/// <returns>A builder enabling you to add optional parameters before executing the token request</returns>
/// <remarks>
/// Available only for .NET Framework and .NET Core applications. See <see href="https://aka.ms/msal-net-up">our documentation</see> for details.
/// You can also pass optional parameters by chaining the builder with <see cref="AbstractAcquireTokenParameterBuilder{T}.WithExtraQueryParameters(Dictionary{string, string})"/>
/// and one of the overrides of <see cref="AbstractAcquireTokenParameterBuilder{T}.WithAuthority(string, bool)"/>
/// to override the default authority. Note that the overriding authority needs to be part
/// of the known authorities added to the application constructor.
/// </remarks>
AcquireTokenByUsernamePasswordParameterBuilder AcquireTokenByUsernamePassword(
IEnumerable<string> scopes,
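Review bot: The remarks removed across these hunks told callers how to override the authority per request, and the new text does not point to a replacement. Since the `[Obsolete]` message in this commit names `WithTenantId`, a sentence such as `/// To target a specific tenant for this request, chain WithTenantId.` in the affected `<remarks>` would keep that guidance. The `WithExtraQueryParameters` pointer was dropped along with it and looks unrelated to the deprecation. The new summary text also uses bare URLs (`See https://aka.ms/msal-net-wam`) where the rest of the file uses `<see href="...">our documentation</see>`.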
3 changes: 1 addition & 2 deletions tests/CacheCompat/CommonCache.Test.MsalV3/Program.cs
Expand Up @@ -57,8 +57,7 @@ protected override async Task<IEnumerable<CacheExecutorAccountResult>> InternalE
try
{
var result = await app
.AcquireTokenSilent(scopes, accountToReference)
.WithAuthority(app.Authority)
.AcquireTokenSilent(scopes, accountToReference)
.WithForceRefresh(false)
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
Expand Up @@ -50,7 +50,7 @@ public async Task AuthorityMigrationAsync()
// BugBug https://identitydivision.visualstudio.com/Engineering/_workitems/edit/776308/
// sts.windows.net fails when doing instance discovery, e.g.:
// https://sts.windows.net/common/discovery/instance?api-version=1.1&authorization_endpoint=https%3A%2F%2Fsts.windows.net%2Ff645ad92-e38d-4d1a-b510-d1b09a74a8ca%2Foauth2%2Fv2.0%2Fauthorize
.WithAuthority("https://login.windows.net/" + labResponse.Lab.TenantId + "/")
.WithTenantId(labResponse.Lab.TenantId)
.ExecuteAsync()
.ConfigureAwait(false);

Expand All @@ -59,7 +59,7 @@ public async Task AuthorityMigrationAsync()
Trace.WriteLine("Acquire a token silently using the common authority alias");

authResult = await pca.AcquireTokenSilent(s_scopes, (await pca.GetAccountsAsync().ConfigureAwait(false)).First())
.WithAuthority("https://login.windows.net/common")
.WithTenantId("common")
.ExecuteAsync()
.ConfigureAwait(false);
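Review bot: Replacing `.WithAuthority("https://login.windows.net/...")` with `.WithTenantId(...)` removes the alias host from the request, so this test may no longer exercise the authority-alias path that its name and trace message describe. `Trace.WriteLine("Acquire a token silently using the common authority alias")` now precedes a call that passes only `"common"`, and the `BugBug` comment about `sts.windows.net` sits above a line that carries no host. The same applies to the two `AuthorityMigrationTestAsync` hunks that follow, where `envAlias` no longer reaches the request. If alias coverage is still wanted, keep the obsolete overload under `#pragma warning disable CS0618` as MetricsTests.cs does in this commit; otherwise update the comments and trace text. How `pca` is configured is outside the hunk, so the alias may still come from the application-level authority.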

Expand Up @@ -83,7 +83,7 @@ public async Task AuthorityMigrationTestAsync()

IEnumerable<IAccount> accounts = await app.GetAccountsAsync().ConfigureAwait(false);
result = await app2.AcquireTokenSilent(TestConstants.s_scope, accounts.First())
.WithAuthority(string.Format(CultureInfo.InvariantCulture, "https://{0}/{1}/", envAlias, TestConstants.Utid))
.WithTenantId(TestConstants.Utid)
.WithForceRefresh(false)
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
Expand Down Expand Up @@ -125,7 +125,7 @@ public async Task AuthorityMigrationTestAsync()
.AcquireTokenSilent(
TestConstants.s_scopeForAnotherResource,
(await app.GetAccountsAsync().ConfigureAwait(false)).First())
.WithAuthority(string.Format(CultureInfo.InvariantCulture, "https://{0}/{1}/", envAlias, TestConstants.Utid))
.WithTenantId(TestConstants.Utid)
.WithForceRefresh(false)
.ExecuteAsync(CancellationToken.None).ConfigureAwait(false);
}
Expand Up @@ -165,7 +165,7 @@ static async Task TestRequestAuthorityAsync(MockHttpAndServiceBundle harness, st
harness.HttpManager.AddMockHandler(handler);

var result = await app.AcquireTokenOnBehalfOf(new[] { "someScope" }, new UserAssertion("some_assertion"))
.WithAuthority(requestAuthority)
.WithTenantIdFromAuthority(new Uri(requestAuthority))
.ExecuteAsync()
.ConfigureAwait(false);
}
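Review bot: `WithTenantIdFromAuthority(new Uri(requestAuthority))` keeps only the tenant part of `requestAuthority`, so cases that differ in host presumably stop testing different request authorities, which is what `TestRequestAuthorityAsync` is named for. `new Uri(...)` also throws `UriFormatException` before the request is built if a case passes a string that is not an absolute URI. It is worth confirming that the mock handler's expected endpoint still matches what the request actually sends; the method's signature and the handler setup are cut off above the hunk.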
Expand Up @@ -165,7 +165,7 @@ public async Task PublicClient_StaticCache_Async()
private async Task ClientCredsAcquireAndAssertTokenSourceAsync(IConfidentialClientApplication app, string scope, TokenSource expectedSource)
{
var result = await app.AcquireTokenForClient(new[] { scope })
.WithAuthority(TestConstants.AuthorityUtidTenant)
.WithTenantId(TestConstants.Utid)
.ExecuteAsync().ConfigureAwait(false);
Assert.AreEqual(
expectedSource,
Expand Up @@ -97,7 +97,7 @@ public void UnifiedCache_MsalStoresToAndReadRtFromAdalCache()
// Using RT from Adal cache for silent call
AuthenticationResult result1 = app
.AcquireTokenSilent(TestConstants.s_scope, result.Account)
.WithAuthority(TestConstants.AuthorityCommonTenant)
.WithTenantId("common")
.WithForceRefresh(false)
.ExecuteAsync(CancellationToken.None)
.Result;
2 changes: 2 additions & 0 deletions tests/Microsoft.Identity.Test.Unit/MetricsTests.cs
Expand Up @@ -289,12 +289,14 @@ private async Task TestAcquireTokenInteractive_Async(PublicClientApplication pca

private async Task TestAcquireTokenSilent_Async(PublicClientApplication pca, int expectedTokensFromIdp = 0, int expectedTokensFromCache = 0, int expectedTokensFromBroker = 0)
{
#pragma warning disable CS0618 // Type or member is obsolete
AuthenticationResult result = await pca.AcquireTokenSilent(
TestConstants.s_scope.ToArray(),
TestConstants.DisplayableId)
.WithAuthority(pca.Authority, false)
.ExecuteAsync()
.ConfigureAwait(false);
#pragma warning restore CS0618 // Type or member is obsolete

Assert.IsNotNull(result);
Assert.AreEqual(TokenSource.Cache, result.AuthenticationResultMetadata.TokenSource);
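Review bot: The suppression keeps `.WithAuthority(pca.Authority, false)` alive without saying why, and that call passes `false` for `validateAuthority` while overriding with the application's own authority. In tests/CacheCompat/CommonCache.Test.MsalV3/Program.cs the equivalent `.WithAuthority(app.Authority)` was simply deleted in this commit; either do the same here or add a comment such as `// Deliberately exercises the obsolete request-level authority override` above the pragma. The pragma pair could also wrap only the `.WithAuthority(...)` line, as the next file section does, so that other obsolete calls added to this statement later are not silenced.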
Expand Up @@ -697,7 +697,7 @@ public async Task AcquireTokenSilent_OverrideWithCommon_Async()
#pragma warning disable CS0618 // Type or member is obsolete
AuthenticationResult result = await app
.AcquireTokenSilent(TestConstants.s_scope, acc)
.WithAuthority(ClientApplicationBase.DefaultAuthority) // this override should do nothing, it's mean to specify a tenant id
.WithAuthority(ApplicationBase.DefaultAuthority) // this override should do nothing, it's mean to specify a tenant id
#pragma warning restore CS0618 // Type or member is obsolete
.ExecuteAsync().ConfigureAwait(false);
}