chore(deps): update dependency microsoft.identity.client.extensions.msal to 4.84.1

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
Microsoft.Identity.Client.Extensions.Msal (source)	4.78.0 → 4.84.1

---

Release Notes

AzureAD/microsoft-authentication-library-for-dotnet (Microsoft.Identity.Client.Extensions.Msal)

v4.84.1

Compare Source

What's Changed

New Features

• Added WithReservedScopes and WithCachePartitionKey public API extensions in #​6014
• Added IAuthenticationOperation3 interface for CDT + mTLS PoP composition in #​5996
• Added MsalRemainingTokenLifetime histogram metric for token expiry tracking in #​5920

Changes

• Removed [Obsolete] attribute from WithExtraBodyParameters extension method in #​6006
• Replaced ConcurrentHashSet with ConcurrentDictionary<T, byte> in #​5975

Bug Fixes

• Fixed WithTenantId not honoring MSA tenant GUID when specified at request level in #​5958
• Fixed OBO cache returning multiple_matching_tokens_detected when attributed tokens share a partition in #​5993

Full Changelog: AzureAD/microsoft-authentication-library-for-dotnet@6ff7075...main (AzureAD/microsoft-authentication-library-for-dotnet@6ff7075...main)

v4.84.0

Compare Source

======

New Features

• Added CacheOptions.DisableInternalCacheOptions static property and CacheOptions.IsInternalCacheDisabled to allow disabling MSAL's internal token cache. Added CacheRefreshReason.CacheDisabled and MsalError.InternalCacheDisabled to support this scenario. #​5947
• Added AuthenticationResultExtensions.GetRefreshToken() extension method for accessing refresh tokens from AuthenticationResult. #​5947
• Added WithAttributeTokens and WithExtraBodyParameters extension methods on AbstractConfidentialClientAcquireTokenParameterBuilder for enhanced extensibility. #​5888
• Added CertificateOptions.SendCertificateOverMtls for mTLS Proof-of-Possession certificate support. #​5849
• Added AssertionRequestOptions.CorrelationId property for correlation ID support in FIC assertion requests. #​5937

Changes

• Removed experimental feature gate from WithClientAssertion(ClientSignedAssertion) overload. #​5945
• Removed embedded Newtonsoft.Json dependency, migrated to System.Text.Json exclusively. #​5959
• Removed mTLS PoP region as a hard requirement. #​5902
• Refactored client credential material resolution. #​5835
• Added in-process MAA token caching to PopKeyAttestor. #​5887
• Added raw STS error code to MsalFailure metric. #​5961
• Support forwarding MSAL client metadata headers through IMDS to ESTS. #​5912

Bug Fixes

• Fixed eager evaluation in ConcurrentDictionary.GetOrAdd calls. #​5950
• Fixed System.ValueTuple conditional dependency to net462 only. #​5894
• Validated clientSignedAssertionProvider delegate is non-null in WithClientAssertion. #​5956
• Improved MtlsPopTokenNotSupportedinImdsV1 error message clarity. #​5908
• Added additional checks for issuer validation. #​5931

v4.83.3

Compare Source

======

New Features

• Added support for User Federated Identity Credential (UserFIC) scenarios through the IByUserFederatedIdentityCredential interface and user_fic grant type. #​5802

Changes

• Updated NativeInterop to version 0.20.3. #​5866

Bug Fixes

• Fixed response handling in HttpListenerInterceptor.cs to ensure the full response is properly closed. #​5478
• Fixed macOS detection to include maccatalyst target in desktop platform checks.#​5882

Infrastructure & Dependencies

• Extracted reusable MSAL test infrastructure into Microsoft.Identity.Lab.API. #​5864

v4.83.1

Compare Source

======

Bug Fixes

• Fix IMDS endpoint cache not being reset during test cleanup #​5830

v4.83.0

Compare Source

======

New Features

• Agent Skills: Added Agent Skills catalog with complete coverage of both Confidential Client Authentication and mTLS PoP flows #​5733
• mTLS PoP Skills Guide: Added comprehensive guide for GitHub Copilot Chat covering MSAL.NET authentication, mTLS Proof of Possession, and Federated Identity Credentials #​5790

Changes

• Credential Guard Attestation: Integrated native DLL handling for Credential Guard attestation with centralized versioning #​5674

Bug Fixes

• IMDSv2 mTLS Auto-Recovery: Implemented automatic recovery from SCHANNEL handshake failures by evicting cached certificates and re-minting #​5761
• Managed Identity Fallback Behavior: Restored classic fallback behavior in MSAL MI unless GetManagedIdentitySourceAsync() is explicitly invoked #​5815
• Attestation Token Expiration: Exposed expires_on field in attestation tokens for better token lifecycle management #​5741
• Service Fabric API Version: Updated Service Fabric managed identity API version from 2019-07-01-preview to 2020-05-01 #​5781
• Cached Token Validation: Enhanced ValidateCachedTokenAsync to work properly with multiple APIs beyond the initial scope #​5764
• Client Credentials Tenant ID: Updated result to properly pass tenant ID in client credentials flow #​5754
• Experimental Flag Removal: Removed experimental flag requirement from IAuthenticationOperation and WithAuthenticationExtension #​5699
• OpenTelemetry Exception Handling: Expanded OTel exception handling for Azure Functions compatibility #​5720
• ICustomWebUi Security Warning: Added security warnings to ICustomWebUi documentation #​5704

Infrastructure & Dependencies

• GitHub Actions Workflow: Added GitHub Actions workflow for Managed Identity WebAPI automated build and deployment to Azure #​5751
• .NET SDK Security Update: Updated .NET SDK from version 8.0.415 to 8.0.418 to address high severity security vulnerabilities #​5779 #​5783

v4.82.1

Compare Source

======

Bug Fixes

• Remove experimental flag requirement from IAuthenticationOperation #​5699
• Add security warning to ICustomWebUi documentation #​5704

Changes

• Adds support for implicit mTLS (Mutual TLS) transport for client assertion delegates #​5670

v4.82.0

Compare Source

======

Highlights

This release expands extensibility for confidential-client authentication (certificates + client assertions), adds additional sovereign cloud environments, and hardens security-sensitive flows (mTLS PoP and system browser auth) with clearer validation and safer defaults.

Features

• Certificate-based confidential client extensibility: Introduced CertificateOptions and updated WithCertificate extensibility APIs to accept it, including support for passing sendX5C configuration through the options model. (#​5655)
• Sovereign cloud support: Added instance discovery / authority validation support for Bleu (France), Delos (Germany), and GovSG (Singapore) cloud environments. (#​5671)
• Client assertion customization: Added WithExtraClientAssertionClaims on AcquireTokenForClientParameterBuilder to enable supplying additional signed claims in client assertions (intended for advanced scenarios and higher-level libraries). (#​5650)
• mTLS PoP guardrails: Added validation and explicit error handling when mTLS PoP is requested for unsupported environments and/or non-login.* hosts. (#​5684)
• System browser hardening: Added response_mode=form_post support for the default system browser (loopback) flow. MSAL will enforce form_post and process the authorization response from POST data. (#​5678)

Changes

• Key Attestation packaging rename: Microsoft.Identity.Client.MtlsPop renamed to Microsoft.Identity.Client.KeyAttestation (assembly/package naming update). (#​5653)

v4.81.0

Compare Source

======

Bug Fixes

• Updated the ConfidentialClientApplication's ROPC API to add WithSendX5C() during authentication requests.#​5637

v4.80.0

Compare Source

======

Features

• Added extensibility APIs—WithCertificate, OnMsalServiceFailure, and OnCompletion—to enable callback handling for certificate injection, retry on MSAL service failure events, and completion notifications #​5573
• Extend IAuthenticationOperation interface with Async methods in IAuthenticationOperation2 #​5376
• Enable IAuthenticationOperation2 to reject MSAL cached tokens and fetch new ones from ESTS #​5567

Changes

• IMDS Source Detection Logic Improvement #​5602
• Update DesktopOsHelper.IsMac to work properly on .NET 10 + macOS 26 #​5541

Bug Fixes

• Fix KeyNotFoundException during retry when headers lack correlation ID #​5617
• Implement Service Exception for IMDS Probe #​5615

v4.79.2

What's Changed

• Bump winsdk dependency by @​bgavrilMS in #​5575
• ImdsV2 probe does not fire when .WithMtlsProofOfPossesstion is not used by @​Robbie-Microsoft in #​5579
• Downgrade System.Formats.Asn1 to match ID web by @​Avery-Dunn in #​5583

Full Changelog: AzureAD/microsoft-authentication-library-for-dotnet@4.79.0...4.79.2

v4.79.1

======

Dependency Update

This hotfix release addresses compatibility between MSAL.NET and Microsoft.Identity.Web by downgrading the System.Formats.Asn1 dependency from version 9.0.8 to 8.0.1.

What Changed

• System.Formats.Asn1 downgraded to v8.0.1 (#​5583)
  • Ensures compatibility with Microsoft.Identity.Web and other dependencies

Why This Release

MSAL.NET 4.79.0 introduced a dependency on System.Formats.Asn1 9.0.8, which created version conflicts with Microsoft.Identity.Web and other packages that require System.Formats.Asn1 8.0.1. This hotfix resolves those conflicts to maintain ecosystem compatibility.

v4.79.0

Compare Source

======

Changes

• Managed Identity IMDSv2 and new support APIs (ResetForTest, GetSourceAsync) in #​5501
• Bearer Requests should Fallback to IMDS in Preview in #​5562
• Updating MSAL to send client info = 2 on client credential flow in #​5529
• Make IMsalMtlsHttpClientFactory interface public in #​5559* Adjust WithExtraQueryParameters APIs and cache key behavior #​5536

Bug fixes

• Fix instance discovery bug in Fr cloud #​5549
• Mark WithClientAssertion API as experimental #​5551

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.