Skip to content

Surface MSAL AuthenticationResultMetadata + exception details on AcquireTokenResult#3856

Merged
neha-bhargava merged 4 commits into
masterfrom
nebharg/metadata-surface-poc
Jun 19, 2026
Merged

Surface MSAL AuthenticationResultMetadata + exception details on AcquireTokenResult#3856
neha-bhargava merged 4 commits into
masterfrom
nebharg/metadata-surface-poc

Conversation

@neha-bhargava

@neha-bhargava neha-bhargava commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

Summary

Populates AcquireTokenResult.Metadata from MSAL's AuthenticationResultMetadata so downstream consumers see structured success diagnostics. MSAL → TokenAcquisitionFailureDetails mapping lives in MISE's HeaderCreationErrorFactory, not here.

What's proposed

  • AcquireTokenResultFactory.FromMsal — consolidates AcquireTokenResult construction across the three pre-existing call sites into a single canonical mapping. Eliminates drift between sites and makes future MSAL surface additions a one-file change.

  • Metadata mappingAuthenticationResult.AuthenticationResultMetadataTokenAcquisitionMetadata; AuthenticationResult.AdditionalResponseParametersAcquireTokenResult.AdditionalResponseParameters.

  • Enum casts — MSAL TokenSource, CacheRefreshReason, CacheLevel, and RegionOutcome are cast directly to their Abstractions counterparts (numeric lockstep). AcquireTokenResultFactoryEnumRoundTripTests pins the contract per-member so a future MSAL renumber fails loudly.

Compatibility

Production src builds 0/0 across all TFMs. 942/946 net9.0 unit tests pass (4 skipped — environment-gated, pre-existing).

References

Consolidates the three AcquireTokenResult construction sites
(TokenAcquirer user path, TokenAcquirer app path, TokenAcquisition
auth-code path) into a single AcquireTokenResultFactory.FromMsal
helper that populates the new Microsoft.Identity.Abstractions
TokenAcquisitionMetadata: token source, cache level/refresh reason,
endpoint, durations, refresh hint, region details, and any
additional response parameters.
… fork + add enum round-trip suite (20 cases)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@neha-bhargava neha-bhargava changed the title [POC] Surface MSAL AuthenticationResultMetadata + exception details on AcquireTokenResult Surface MSAL AuthenticationResultMetadata + exception details on AcquireTokenResult Jun 15, 2026
@neha-bhargava neha-bhargava marked this pull request as ready for review June 15, 2026 18:07
@neha-bhargava neha-bhargava requested a review from a team as a code owner June 15, 2026 18:07

@gladjohn gladjohn left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good, can re-approve once abstractions is out

@neha-bhargava neha-bhargava merged commit 827b5e3 into master Jun 19, 2026
4 checks passed
@neha-bhargava neha-bhargava deleted the nebharg/metadata-surface-poc branch June 19, 2026 21:38
github-actions Bot pushed a commit to EelcoLos/nx-tinkering that referenced this pull request Jun 30, 2026
Pinned
[Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web)
at 4.11.0.

<details>
<summary>Release notes</summary>

_Sourced from [Microsoft.Identity.Web's
releases](https://github.com/AzureAD/microsoft-identity-web/releases)._

## 4.11.0

## What's Changed
* Bump vitest from 3.2.4 to 4.1.0 in
/tests/DevApps/SidecarAdapter/typescript by @​dependabot[bot] in
AzureAD/microsoft-identity-web#3836
* Bump MSAL.NET to 4.84.2 and align OWIN binding redirects by @​gladjohn
with @​Copilot in
AzureAD/microsoft-identity-web#3844
* docs(design): devex proposal for mTLS PoP on Managed Identity and FIC
by @​gladjohn in
AzureAD/microsoft-identity-web#3832
* Prevent OpenIdConnectMiddlewareDiagnostics from logging sensitive
values by @​iarekk in
AzureAD/microsoft-identity-web#3850
* Add MSI mTLS PoP support: pure MI + FIC-with-MI (impl for devex
#​3832) by @​gladjohn in
AzureAD/microsoft-identity-web#3839
* docs(design): devex proposal for Bearer tokens with bound credentials
by @​gladjohn in
AzureAD/microsoft-identity-web#3833
* Add bound-credential support for Bearer tokens (cert + mTLS) by
@​gladjohn in
AzureAD/microsoft-identity-web#3835
* Upgrade IdWeb Sidecar to .NET 10 (LTS) by @​soodt in
AzureAD/microsoft-identity-web#3841
* MTLS Without Tokens Support - MicrosoftIdentityMessageHandler Support
by @​tlupes in
AzureAD/microsoft-identity-web#3815
* fix: include isTokenBinding in CCA cache key to prevent bearer/PoP
collision by @​gladjohn in
AzureAD/microsoft-identity-web#3867
* Test + doc: x-ms-tokenboundauth header for AKV mTLS PoP via
ExtraHeaderParameters by @​gladjohn in
AzureAD/microsoft-identity-web#3864
* Add mTLS PoP Copilot skill (certificate, MSI, FIC) by @​gladjohn in
AzureAD/microsoft-identity-web#3872
* Fix CVE-2026-48109: Pin MessagePack to patched version 2.5.301 by
@​soodt in AzureAD/microsoft-identity-web#3865
* Sidecar: gate agent identity parameters behind AllowOverrides by
@​iNinja in AzureAD/microsoft-identity-web#3871
* Bump System.Formats.Asn1 base version to 10.0.2 by @​iarekk in
AzureAD/microsoft-identity-web#3875
* Bump Microsoft.IdentityModel.* from 8.18.0 to 8.19.1 by @​iarekk in
AzureAD/microsoft-identity-web#3879
* Use IIdentityLogger for MSAL logging in TokenAcquisition and
ManagedIdentityClientAssertion (#​3820) by @​neha-bhargava in
AzureAD/microsoft-identity-web#3880
* Update Microsoft.Identity.Abstractions to 12.2.0 and MSAL to 4.85.0 by
@​neha-bhargava in
AzureAD/microsoft-identity-web#3881
* Surface MSAL AuthenticationResultMetadata + exception details on
AcquireTokenResult by @​neha-bhargava in
AzureAD/microsoft-identity-web#3856
* Flow outgoing request to header providers via AcquireTokenOptions by
@​neha-bhargava in
AzureAD/microsoft-identity-web#3876
* Throw on Authority vs Instance/TenantId conflict (OIDC + MSAL parity)
by @​iarekk in
AzureAD/microsoft-identity-web#3873
* Delete .github/workflows/evergreen.yml by @​bgavrilMS in
AzureAD/microsoft-identity-web#3803
* Add comprehensive authority configuration and precedence documentation
by @​jmprieur with @​Copilot in
AzureAD/microsoft-identity-web#3617
* Bump js-yaml from 4.1.1 to 4.2.0 in
/tests/DevApps/SidecarAdapter/typescript by @​dependabot[bot] in
AzureAD/microsoft-identity-web#3862
* Move authority docs into docs/authority-configuration/ subfolder by
@​iarekk in AzureAD/microsoft-identity-web#3885
* Revert "Throw on Authority vs Instance/TenantId conflict (#​3873)" by
@​iarekk in AzureAD/microsoft-identity-web#3888
* Update Microsoft.Identity.Client to 4.85.1 by @​neha-bhargava in
AzureAD/microsoft-identity-web#3889
* Enable E2E test coverage on internal Azure DevOps pipelines by
@​gladjohn in
AzureAD/microsoft-identity-web#3883
* Bump esbuild and tsx in /tests/DevApps/SidecarAdapter/typescript by
@​dependabot[bot] in
AzureAD/microsoft-identity-web#3859
* Skip AcquireTokenWithMtlsPop test: AAD westus3 test slice returns
Bearer by @​neha-bhargava in
AzureAD/microsoft-identity-web#3892

## New Contributors
* @​iarekk made their first contribution in
AzureAD/microsoft-identity-web#3850
* @​soodt made their first contribution in
AzureAD/microsoft-identity-web#3841

**Full Changelog**:
AzureAD/microsoft-identity-web@4.10.0...4.11.0

Commits viewable in [compare
view](AzureAD/microsoft-identity-web@4.10.0...4.11.0).
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This was referenced Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants