Bump Microsoft.Identity.Client from 4.10.0 to 4.13.0 in /src/02-Corporate

[dependabot-preview]

Bumps Microsoft.Identity.Client from 4.10.0 to 4.13.0.

Release notes

Sourced from Microsoft.Identity.Client's releases.

4.13.0

New Features

Client throttling is supported in Public Client Applications MSAL will now implement client side throttling to reduce excessive authentication requests sent to the service: In the case where the Azure AD service replies with an HTTP error implying throttling, MSAL.NET now respects itself the delay imposed by the service by throwing an exception telling the application after which delay/when it will be able to acquire a token again without even attempting to call the service. For details see Issue for details

MSAL now can perform device authentication on Desktop On Operating systems prior to Windows 10 (Windows 7, 8, 8.1 and their server conterparts) MSAL.NET is able to perform device authentication using PKey Authentication. Issue for details

Bug Fixes

MSAL .NET would throw a null ref when no authentication type was specified when creating a confidential client application MSAL .NET now verifies the developer has specified one client credential (client secret, certificate, or client assertion) when using a confidential client application. See Issue for details

MSAL.NET 4.12.0

New Features:

Integrated Windows Auth available on .NET Core on Windows without username. On .NET Core, for the Windows platforms, AcquireTokenByIntegratedWindowsAuthAsync(scopes) works without passing the username.

The scope parameter is now less strict in some of the AcquireTokenXXX methods. MSAL now allows developers to call AcquireToken* methods without scopes. MSAL continues to ask for "offline_access", "profile" and "openid" scopes, which makes token providers (AAD B2B, AAD B2C, ADFS) return Id Tokens, which contain user metadata. Some token providers continue to issue access tokens, which can be used to access the UserInfo metadata endpoint. Issue

Bug fixes:

Fix potential cache consistency issues in multi-threaded environment. Synchronize token cache to avoid cache inconsistency where token cache is shared with many environments.

Fix null reference exception thrown by AcquireTokenForClient when using a cert in .cer format / without a private key. Issue

Fix the spelling in API WithInstanceDicoveryMetadata. Marked the WithInstanceDicovery as deprecated and added WithInstanceDiscoveryMetadata to fix the spelling.

Fix MsalClientException UserMismatchSaveToken sometimes thrown in web apps. Fix the scenario where in web app / web api scenarios where a token cache was shared across multiple users, MSAL would sometimes throw an MsalClientException.

MSAL.NET 4.11.0

4.11.0

New Features:

• MSAL.NET will now remove accounts from the cache that have expired refresh tokens. MSAL.NET will remove both the refresh token and the associated account if the suberror is "bad_token" to avaoid unnecessary calls to AzureAD. Issue

• MSAL.NET uses telemetry schema V2 MSAL.NET has been updated to use Http telemetry schema V2. Issue

Bug Fixes:

• When migrating a Xamarin application from ADAL.NET to MSAL.NET and preserving the keychain, a CryptographicException can be thrown from the BrokerKeyHelper. MSAL.NET now does the broker key keychain look up by Service and Account only. Issue

• WithProofOfPosession produces a token of type POP when it is expected to be PoP MSAl.NET will now produce a token of type PoP when WithProofOfPosession() is used. Issue

Changelog

Sourced from Microsoft.Identity.Client's changelog.

4.13.0

New Features:

Client throttling is supported in Public Client Applications MSAL will now implement client side throttling to reduce excessive authentication requests sent to the service: In the case where the Azure AD service replies with an HTTP error implying throttling, MSAL.NET now respects itself the delay imposed by the service by throwing an exception telling the application after which delay/when it will be able to acquire a token again without even attempting to call the service. For details see Issue for details

MSAL now can perform device authentication on Desktop On Operating systems prior to Windows 10 (Windows 7, 8, 8.1 and their server conterparts) MSAL.NET is able to perform device authentication using PKey Authentication. Issue for details

Bug Fixes:

MSAL .NET would throw a null ref when no authentication type was specified when creating a confidential client application MSAL .NET now verifies the developer has specified one client credential (client secret, certificate, or client assertion) when using a confidential client application. See Issue for details

GetAccountsAsync() used to return 0 accounts when the broker was not installed (on Xamarin.Android). MSAL will now return accounts from the local MSAL cache when the broker is not installed and WithBroker(trus) is used. Issue for details

4.12.0

New Features:

Integrated Windows Auth available on .NET Core on Windows without username. On .NET Core, for the Windows platforms, AcquireTokenByIntegratedWindowsAuthAsync(scopes) works without passing the username.

The scope parameter is now less strict in some of the AcquireTokenXXX methods. MSAL now allows developers to call AcquireToken* methods without scopes. MSAL continues to ask for "offline_access", "profile" and "openid" scopes, which makes token providers (AAD B2B, AAD B2C, ADFS) return Id Tokens, which contain user metadata. Some token providers continue to issue access tokens, which can be used to access the UserInfo metadata endpoint. Issue

Bug fixes:

Fix potential cache consistency issues in multi-threaded environment. Synchronize token cache to avoid cache inconsistency where token cache is shared with many environments.

Fix null reference exception thrown by AcquireTokenForClient when using a cert in .cer format / without a private key. Issue

Fix the spelling in API WithInstanceDicoveryMetadata. Marked the WithInstanceDicovery as deprecated and added WithInstanceDiscoveryMetadata to fix the spelling.

Fix MsalClientException UserMismatchSaveToken sometimes thrown in web apps. Fix the scenario where in web app / web api scenarios where a token cache was shared across multiple users, MSAL would sometimes throw an MsalClientException.

4.11.0

New Features:

MSAL.NET will now remove accounts from the cache that have expired refresh tokens. MSAL.NET will remove both the refresh token and the associated account if the suberror is "bad_token" to avaoid unnecessary calls to AzureAD. Issue

MSAL.NET uses telemetry schema V2 MSAL.NET has been updated to use Http telemetry schema V2. Issue

Bug Fixes:

When migrating a Xamarin application from ADAL.NET to MSAL.NET and preserving the keychain, a CryptographicException can be thrown from the BrokerKeyHelper. MSAL.NET now does the broker key keychain look up by Service and Account only. Issue

WithProofOfPosession produces a token of type POP when it is expected to be PoP MSAl.NET will now produce a token of type PoP when WithProofOfPosession() is used. Issue

Commits

• e9111f5 Fix public API before release (#1800)
• b84322c Changelog for 4.13.0 (#1799)
• 2e62912 Allowing android broker flow to return accounts from local MSAL cache when br...
• 1409444 fix enum default value for ConfidentialClientAuthenticationType (#1794)
• 9c9d4b4 Move codeql.yml workflow file one directory up (#1790)
• 7caa2d6 Add CodeQL Analysis workflow (#1789)
• 920e72c Migration of PKeyAuth to MSAL (#1567)
• 189b594 Client-Side throttling - Retry-After and HttpStatus rules (#1774)
• 4fb5cf2 Fix flaky unit tests (#1783)
• d1d814e Update changelog.txt (#1780)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

Superseded by #53.