diff --git a/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml b/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml
index 32bcf584f..2e915d04e 100644
--- a/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml
+++ b/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml 
@@ -4,183 +4,6 @@ Microsoft.Identity.Web - - - Extension methods for . - - - - - Creates the from the values found - in an . - - The instance. - A built from . - - - - Extension methods related to App Services authentication (Easy Auth). - - - - - Add authentication with App Services. - - Authentication builder. - The builder, to chain commands. - - - - Default values related to AppServiceAuthentication handler. - - - - - The default value used for AppServiceAuthenticationOptions.AuthenticationScheme. - - - - - App service authentication handler. - - - - - Constructor for the AppServiceAuthenticationHandler. - Note the parameters are required by the base class. - - App service authentication options. - Logger factory. - URL encoder. - System clock. - - - - - - - Information about the App Services configuration on the host. - - - - - Is App Services authentication enabled?. - - - - - Logout URL for App Services Auth web sites. - - - - - ClientID of the App Services Auth web site. - - - - - Client secret of the App Services Auth web site. - - - - - Issuer of the App Services Auth web site. - - - - - Get headers from environment to help debugging App Services authentication. - - - - - Options for Azure App Services authentication. - - - - - Implementation of ITokenAcquisition for App Services authentication (EasyAuth). - - - - - Constructor of the AppServicesAuthenticationTokenAcquisition. - - The App token cache provider. - Access to the HttpContext of the request. - HTTP client factory. - - - - - - - - - - - - - - - - Filter used on a controller action to trigger incremental consent. - - - The following controller action will trigger. - - [AuthorizeForScopes(Scopes = new[] {"Mail.Send"})] - public async Task<IActionResult> SendEmail() - { - } - - - - - - Scopes to request. - - - - - Key section on the configuration file that holds the scope value. - - - - - Azure AD B2C user flow. 
- - - - - Allows specifying an AuthenticationScheme if OpenIdConnect is not the default challenge scheme. - - - - - Handles the . - - Context provided by ASP.NET Core. - - - - Finds an MsalUiRequiredException in one of the inner exceptions. - - Exception from which we look for an MsalUiRequiredException. - The MsalUiRequiredException if there is one, null, otherwise. - - - - Extensions for . - - - - - Enables an Azure Function to act as/expose a protected web API, enabling bearer token authentication. Calling this method from your Azure function validates the token and exposes the identity of the user or app on behalf of which your function is called, in the HttpContext.User member, where your function can make use of it. - - The current HTTP Context, such as req.HttpContext. - A task indicating success or failure. In case of failure . - Description of a certificate. 
@@ -429,115 +252,6 @@ Description of the certificate. - - - Extensions for . - - - - - Gets the account identifier for an MSAL.NET account from a . - - Claims principal. - A string corresponding to an account identifier as defined in . - - - - Gets the unique object ID associated with the . - - The from which to retrieve the unique object ID. - This method returns the object ID both in case the developer has enabled or not claims mapping. - Unique object ID of the identity, or null if it cannot be found. - - - - Gets the Tenant ID associated with the . - - The from which to retrieve the tenant ID. - Tenant ID of the identity, or null if it cannot be found. - This method returns the tenant ID both in case the developer has enabled or not claims mapping. - - - - Gets the login-hint associated with a . - - Identity for which to complete the login-hint. - The login hint for the identity, or null if it cannot be found. - - - - Gets the domain-hint associated with an identity. - - Identity for which to compute the domain-hint. - The domain hint for the identity, or null if it cannot be found. - - - - Get the display name for the signed-in user, from the . - - Claims about the user/account. - A string containing the display name for the user, as determined by Azure AD (v1.0) and Microsoft identity platform (v2.0) tokens, - or null if the claims cannot be found. - See https://docs.microsoft.com/azure/active-directory/develop/id-tokens#payload-claims. - - - - Gets the user flow ID associated with the . - - The from which to retrieve the user flow ID. - User flow ID of the identity, or null if it cannot be found. - - - - Gets the Home Object ID associated with the . - - The from which to retrieve the sub claim. - Home Object ID (sub) of the identity, or null if it cannot be found. - - - - Gets the Home Tenant ID associated with the . - - The from which to retrieve the sub claim. - Home Tenant ID (sub) of the identity, or null if it cannot be found. 
- - - - Gets the NameIdentifierId associated with the . - - The from which to retrieve the NameIdentifierId claim. - Name identifier ID of the identity, or null if it cannot be found. - - - - Factory class to create objects. - - - - - Instantiate a from an account object ID and tenant ID. This can - be useful when the web app subscribes to another service on behalf of the user - and then is called back by a notification where the user is identified by their tenant - ID and object ID (like in Microsoft Graph Web Hooks). - - Tenant ID of the account. - Object ID of the account in this tenant ID. - A containing these two claims. - - - - private async Task GetChangedMessagesAsync(IEnumerable<Notification> notifications) - { - foreach (var notification in notifications) - { - SubscriptionStore subscription = - subscriptionStore.GetSubscriptionInfo(notification.SubscriptionId); - HttpContext.User = ClaimsPrincipalExtension.FromTenantIdAndObjectId(subscription.TenantId, - subscription.UserId); - string accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(scopes); - - - Constants for claim types. 
@@ -697,47 +411,326 @@ Constants related to the log messages. - + - Extension class containing cookie policies (work around for same site). + Extension class used to add distributed token cache serializer to MSAL. + See https://aka.ms/ms-id-web/token-cache-serialization for details. - + + Adds the .NET Core distributed cache based app token cache to the service collection. + The services collection to add to. + A to chain. + + - Handles SameSite cookie issue according to the https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1. - The default list of user agents that disallow "SameSite=None", - was taken from https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/. + An implementation of the token cache for both Confidential and Public clients backed by a Distributed Cache. + The Distributed Cache (L2), by default creates a Memory Cache (L1), for faster look up, resulting in a two level cache. - to update. - to chain. + https://aka.ms/msal-net-token-cache-serialization - + - Handles SameSite cookie issue according to the docs: https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1 - The default list of user agents that disallow "SameSite=None", was taken from https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/. + .NET Core Memory cache. - to update. - If you don't want to use the default user agent list implementation, - the method sent in this parameter will be run against the user agent and if returned true, SameSite value will be set to Unspecified. - The default user agent list used can be found at: https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/. - to chain. - + - Checks if the specified user agent supports "SameSite=None" cookies. + MSAL distributed token cache options. - Browser user agent. 
- - Incompatible user agents include: - - Versions of Chrome from Chrome 51 to Chrome 66 (inclusive on both ends). - Versions of UC Browser on Android prior to version 12.13.2. - Versions of Safari and embedded browsers on MacOS 10.14 and all browsers on iOS 12. - - Reference: https://www.chromium.org/updates/same-site/incompatible-clients. - - True, if the user agent does not allow "SameSite=None" cookie; otherwise, false. + + + Initializes a new instance of the class. + + Distributed cache instance to use. + Options for the token cache. + MsalDistributedTokenCacheAdapter logger. + + + + Removes a specific token cache, described by its cache key + from the distributed cache. + + Key of the cache to remove. + A that completes when key removal has completed. + + + + Read a specific token cache, described by its cache key, from the + distributed cache. + + Key of the cache item to retrieve. + Read blob representing a token cache for the cache key + (account or app). + + + + Writes a token cache blob to the serialization cache (by key). + + Cache key. + blob to write. + A that completes when a write operation has completed. + + + + Options for the MSAL token cache serialization adapter, + which delegates the serialization to the IDistributedCache implementations + available with .NET Core. + + + + + In memory (L1) cache size limit in Mb. + Default is 500 Mb. + + + + + Value more than 0, less than 1, to set the In Memory (L1) cache + expiration time values relative to the Distributed (L2) cache. + Default is 1. + + + + + MSAL token cache provider interface. + + + + + Initializes a token cache (which can be a user token cache or an app token cache). + + Token cache for which to initialize the serialization. + A that represents a completed initialization operation. + + + + Clear the user token cache. + + HomeAccountId for a user account in the cache. + A that represents a completed clear operation. 
+ + + + Extension class used to add an in-memory token cache serializer to MSAL. + + + + Adds both the app and per-user in-memory token caches. + The services collection to add to. + the services (for chaining). + + + + MSAL's in-memory token cache options. + + + + Initializes a new instance of the class. + By default, the sliding expiration is set for 14 days. + + + + Gets or sets the value of the duration after which the cache entry will expire unless it's used + This is the duration the tokens are kept in memory cache. + In production, a higher value, up-to 90 days is recommended. + + + The AbsoluteExpirationRelativeToNow value. + + + + + An implementation of token cache for both Confidential and Public clients backed by MemoryCache. + + https://aka.ms/msal-net-token-cache-serialization + + + + .NET Core Memory cache. + + + + + MSAL memory token cache options. + + + + + Constructor. + + serialization cache. + Memory cache options. + + + + Removes a token cache identified by its key, from the serialization + cache. + + token cache key. + A that completes when key removal has completed. + + + + Reads a blob from the serialization cache (identified by its key). + + Token cache key. + Read Bytes. + + + + Writes a token cache blob to the serialization cache (identified by its key). + + Token cache key. + Bytes to write. + A that completes when a write operation has completed. + + + + Token cache provider with default implementation. + + + + + + Initializes the token cache serialization. + + Token cache to serialize/deserialize. + A that represents a completed initialization operation. + + + + Raised AFTER MSAL added the new token in its in-memory copy of the cache. + This notification is called every time MSAL accesses the cache, not just when a write takes place: + If MSAL's current operation resulted in a cache change, the property TokenCacheNotificationArgs.HasStateChanged will be set to true. 
+ If that is the case, we call the TokenCache.SerializeMsalV3() to get a binary blob representing the latest cache content – and persist it. + + Contains parameters used by the MSAL call accessing the cache. + + + + if you want to ensure that no concurrent write takes place, use this notification to place a lock on the entry. + + Token cache notification arguments. + A that represents a completed operation. + + + + Clear the cache. + + HomeAccountId for a user account in the cache. + A that represents a completed clear operation. + + + + Method to be implemented by concrete cache serializers to write the cache bytes. + + Cache key. + Bytes to write. + A that represents a completed write operation. + + + + Method to be implemented by concrete cache serializers to Read the cache bytes. + + Cache key. + Read bytes. + + + + Method to be implemented by concrete cache serializers to remove an entry from the cache. + + Cache key. + A that represents a completed remove key operation. + + + + Utility methods used by L1/L2 cache. + + + + + Extensions for . + + + + + Gets the account identifier for an MSAL.NET account from a . + + Claims principal. + A string corresponding to an account identifier as defined in . + + + + Gets the unique object ID associated with the . + + The from which to retrieve the unique object ID. + This method returns the object ID both in case the developer has enabled or not claims mapping. + Unique object ID of the identity, or null if it cannot be found. + + + + Gets the Tenant ID associated with the . + + The from which to retrieve the tenant ID. + Tenant ID of the identity, or null if it cannot be found. + This method returns the tenant ID both in case the developer has enabled or not claims mapping. + + + + Gets the login-hint associated with a . + + Identity for which to complete the login-hint. + The login hint for the identity, or null if it cannot be found. + + + + Gets the domain-hint associated with an identity. 
+ + Identity for which to compute the domain-hint. + The domain hint for the identity, or null if it cannot be found. + + + + Get the display name for the signed-in user, from the . + + Claims about the user/account. + A string containing the display name for the user, as determined by Azure AD (v1.0) and Microsoft identity platform (v2.0) tokens, + or null if the claims cannot be found. + See https://docs.microsoft.com/azure/active-directory/develop/id-tokens#payload-claims. + + + + Gets the user flow ID associated with the . + + The from which to retrieve the user flow ID. + User flow ID of the identity, or null if it cannot be found. + + + + Gets the Home Object ID associated with the . + + The from which to retrieve the sub claim. + Home Object ID (sub) of the identity, or null if it cannot be found. + + + + Gets the Home Tenant ID associated with the . + + The from which to retrieve the sub claim. + Home Tenant ID (sub) of the identity, or null if it cannot be found. + + + + Gets the NameIdentifierId associated with the . + + The from which to retrieve the NameIdentifierId claim. + Name identifier ID of the identity, or null if it cannot be found. + + + +ber> Implementation for the downstream web API. diff --git a/src/Microsoft.Identity.Web/TokenCacheProviders/Distributed/MsalDistributedTokenCacheAdapter.cs b/src/Microsoft.Identity.Web/TokenCacheProviders/Distributed/MsalDistributedTokenCacheAdapter.cs index 1768db80a..efb6dc991 100644 --- a/src/Microsoft.Identity.Web/TokenCacheProviders/Distributed/MsalDistributedTokenCacheAdapter.cs +++ b/src/Microsoft.Identity.Web/TokenCacheProviders/Distributed/MsalDistributedTokenCacheAdapter.cs 
@@ -74,8 +74,15 @@ protected override async Task RemoveKeyAsync(string cacheKey) _memoryCache.Remove(cacheKey); _logger.LogDebug($"[IdWebCache] MemoryCache: Remove cacheKey {cacheKey} Time in Ticks: {Utility.Watch.Elapsed.Ticks - startTicks}. "); - await _distributedCache.RemoveAsync(cacheKey).ConfigureAwait(false); - _logger.LogDebug($"[IdWebCache] DistributedCache: Remove cacheKey {cacheKey} Time in Ticks: {Utility.Watch.Elapsed.Ticks - startTicks}. "); + try + { + await _distributedCache.RemoveAsync(cacheKey).ConfigureAwait(false); + _logger.LogDebug($"[IdWebCache] DistributedCache: Remove cacheKey {cacheKey} Time in Ticks: {Utility.Watch.Elapsed.Ticks - startTicks}. "); + } + catch (Exception ex) + { + _logger.LogError($"[IdWebCache] Connection issue encountered with Distributed cache. Currently using In Memory cache only. Error message: {ex.Message} "); + } } /// @@ -96,8 +103,15 @@ protected override async Task ReadCacheBytesAsync(string cacheKey) if (result == null) { // not found in memory, check distributed cache - result = await _distributedCache.GetAsync(cacheKey).ConfigureAwait(false); - _logger.LogDebug($"[IdWebCache] DistributedCache read: No result in memory, distributed cache result - Byte size: {result?.Length}. "); + try + { + result = await _distributedCache.GetAsync(cacheKey).ConfigureAwait(false); + _logger.LogDebug($"[IdWebCache] DistributedCache read: No result in memory, distributed cache result - Byte size: {result?.Length}. "); + } + catch (Exception ex) + { + _logger.LogError($"[IdWebCache] Connection issue encountered with Distributed cache. Currently using In Memory cache only. Error message: {ex.Message} "); + } // back propagate to memory cache if (result != null) 
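Review bot: Swallowing a failed `_distributedCache.RemoveAsync` in the new catch block makes RemoveKeyAsync report success while the token blob is still in the distributed store; since `_memoryCache.Remove(cacheKey)` has already run and the read path in this file back-propagates an L2 hit into L1 on a miss, the entry this call was meant to delete will be re-hydrated on the next read. For a removal that a cache clear or sign-out presumably relies on, that is a worse outcome than the exception the old code surfaced, and the caller cannot distinguish it from a real removal. I would keep the log but not hide the failure: `_logger.LogError(ex, "[IdWebCache] DistributedCache: Remove failed; the entry may still exist in the distributed store."); throw;` — passing `ex` as the first argument also preserves the stack trace, which interpolating `{ex.Message}` discards. If best-effort removal is the intended contract, the XML doc for RemoveKeyAsync should state that a distributed-cache failure is logged and ignored. RemoveKeyAsync starts before this hunk.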
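Review bot: The new catch around `_distributedCache.GetAsync` turns any failure into a silent cache miss: `result` stays null, so the caller sees "no tokens for this key" and MSAL will presumably acquire fresh ones, which for a user cache means a new sign-in rather than a transparent fallback. The log message also labels every exception raised inside the IDistributedCache implementation — argument, timeout or deserialization errors included — as a "Connection issue", and says the adapter is "Currently using In Memory cache only" although nothing changes mode; the very next call retries L2. I would keep the real cause by logging the exception object, `_logger.LogError(ex, "[IdWebCache] DistributedCache read failed for this call; treating the key as a cache miss.");`, and consider an exception filter so cancellation and fatal exceptions are not absorbed, e.g. `catch (Exception ex) when (ex is not OperationCanceledException)`. ReadCacheBytesAsync's body continues outside the hunk.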
@@ -141,8 +155,15 @@ protected override async Task WriteCacheBytesAsync(string cacheKey, byte[] bytes _logger.LogDebug($"[IdWebCache] MemoryCache: Write cacheKey {cacheKey} Byte size: {bytes?.Length} Time in Ticks: {Utility.Watch.Elapsed.Ticks - startTicks}. "); _logger.LogDebug($"[IdWebCache] MemoryCache: Count: {_memoryCache.Count}"); - await _distributedCache.SetAsync(cacheKey, bytes, _distributedCacheOptions).ConfigureAwait(false); - _logger.LogDebug($"[IdWebCache] DistributedCache: Write cacheKey {cacheKey} Byte size {bytes?.Length} Time in Ticks: {Utility.Watch.Elapsed.Ticks - startTicks}. "); + try + { + await _distributedCache.SetAsync(cacheKey, bytes, _distributedCacheOptions).ConfigureAwait(false); + _logger.LogDebug($"[IdWebCache] DistributedCache: Write cacheKey {cacheKey} Byte size {bytes?.Length} Time in Ticks: {Utility.Watch.Elapsed.Ticks - startTicks}. "); + } + catch (Exception ex) + { + _logger.LogError($"[IdWebCache] Connection issue encountered with Distributed cache. Currently using In Memory cache only. Error message: {ex.Message} "); + } } } }
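Review bot: When `_distributedCache.SetAsync` throws, the new blob has already been written to `_memoryCache` (the context lines above the try log that write), so L1 and L2 now disagree and the only trace is an Error entry that discards the stack by interpolating `ex.Message`. In a multi-instance deployment other nodes never see the token this node just acquired, and once this node's L1 entry is evicted a read would presumably fall through to the older L2 blob, reverting the cache to its pre-write state. That can be an acceptable best-effort trade-off, but it should be observable and documented: log with the exception instance, `_logger.LogError(ex, "[IdWebCache] DistributedCache: write failed; in-memory and distributed caches are out of sync for this key.");`, and note in the XML doc of WriteCacheBytesAsync that a distributed-cache failure is swallowed and the write is then in-memory only. Using `LogError(ex, ...)` with message-template arguments instead of an interpolated string also restores structured logging for these entries. WriteCacheBytesAsync starts before this hunk.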