Bump MSAL to version 4.79.2 and handle changes to deprecated WithExtraQueryParameters APIs

Directory.Build.props

@@ -83,7 +83,7 @@
 
   <PropertyGroup Label="Common dependency versions">
     <MicrosoftIdentityModelVersion Condition="'$(MicrosoftIdentityModelVersion)' == ''">8.14.0</MicrosoftIdentityModelVersion>
-    <MicrosoftIdentityClientVersion Condition="'$(MicrosoftIdentityClientVersion)' == ''">4.77.1</MicrosoftIdentityClientVersion>
+    <MicrosoftIdentityClientVersion Condition="'$(MicrosoftIdentityClientVersion)' == ''">4.79.1</MicrosoftIdentityClientVersion>
     <MicrosoftIdentityAbstractionsVersion Condition="'$(MicrosoftIdentityAbstractionsVersion)' == ''">9.5.0</MicrosoftIdentityAbstractionsVersion>
     <FxCopAnalyzersVersion>3.3.0</FxCopAnalyzersVersion>
     <SystemTextEncodingsWebVersion>4.7.2</SystemTextEncodingsWebVersion>
@@ -95,7 +95,7 @@
     <!--CVE-2024-43485-->
     <SystemTextJsonVersion>8.0.5</SystemTextJsonVersion>
     <!--CVE-2023-29331-->
-    <SystemFormatsAsn1Version>8.0.1</SystemFormatsAsn1Version>
+    <SystemFormatsAsn1Version>9.0.8</SystemFormatsAsn1Version>
     <BannedApiAnalyzersVersion>4.14.0</BannedApiAnalyzersVersion>
     <PublicApiAnalyzersVersion>4.14.0</PublicApiAnalyzersVersion>
   </PropertyGroup>

src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net10.0/InternalAPI.Unshipped.txt

@@ -1,3 +1,4 @@
 #nullable enable
 const Microsoft.Identity.Web.Constants.UserIdKey = "IDWEB_USER_ID" -> string!
 readonly Microsoft.Identity.Web.TokenAcquisition._certificatesObservers -> System.Collections.Generic.IReadOnlyList<Microsoft.Identity.Web.Experimental.ICertificatesObserver!>!
+static Microsoft.Identity.Web.TokenAcquisition.MergeExtraQueryParameters(Microsoft.Identity.Web.MergedOptions! mergedOptions, Microsoft.Identity.Web.TokenAcquisitionOptions? tokenAcquisitionOptions) -> System.Collections.Generic.Dictionary<string!, (string! value, bool includeInCacheKey)>?

src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net462/InternalAPI.Unshipped.txt

@@ -1 +1,2 @@
 #nullable enable
+static Microsoft.Identity.Web.TokenAcquisition.MergeExtraQueryParameters(Microsoft.Identity.Web.MergedOptions! mergedOptions, Microsoft.Identity.Web.TokenAcquisitionOptions? tokenAcquisitionOptions) -> System.Collections.Generic.Dictionary<string!, (string! value, bool includeInCacheKey)>?

src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net472/InternalAPI.Unshipped.txt

@@ -1 +1,2 @@
 #nullable enable
+static Microsoft.Identity.Web.TokenAcquisition.MergeExtraQueryParameters(Microsoft.Identity.Web.MergedOptions! mergedOptions, Microsoft.Identity.Web.TokenAcquisitionOptions? tokenAcquisitionOptions) -> System.Collections.Generic.Dictionary<string!, (string! value, bool includeInCacheKey)>?

src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net8.0/InternalAPI.Unshipped.txt

@@ -1 +1,2 @@
 #nullable enable
+static Microsoft.Identity.Web.TokenAcquisition.MergeExtraQueryParameters(Microsoft.Identity.Web.MergedOptions! mergedOptions, Microsoft.Identity.Web.TokenAcquisitionOptions? tokenAcquisitionOptions) -> System.Collections.Generic.Dictionary<string!, (string! value, bool includeInCacheKey)>?

src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net9.0/InternalAPI.Unshipped.txt

@@ -1 +1,2 @@
 #nullable enable
+static Microsoft.Identity.Web.TokenAcquisition.MergeExtraQueryParameters(Microsoft.Identity.Web.MergedOptions! mergedOptions, Microsoft.Identity.Web.TokenAcquisitionOptions? tokenAcquisitionOptions) -> System.Collections.Generic.Dictionary<string!, (string! value, bool includeInCacheKey)>?

src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/netstandard2.0/InternalAPI.Unshipped.txt

@@ -1 +1,2 @@
 #nullable enable
+static Microsoft.Identity.Web.TokenAcquisition.MergeExtraQueryParameters(Microsoft.Identity.Web.MergedOptions! mergedOptions, Microsoft.Identity.Web.TokenAcquisitionOptions? tokenAcquisitionOptions) -> System.Collections.Generic.Dictionary<string!, (string! value, bool includeInCacheKey)>?

src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs

@@ -154,7 +154,7 @@ public async Task<AcquireTokenResult> AddAccountToCacheFromAuthorizationCodeAsyn
 
                 if (mergedOptions.ExtraQueryParameters != null)
                 {
-                    builder.WithExtraQueryParameters((Dictionary<string, string>)mergedOptions.ExtraQueryParameters);
+                    builder.WithExtraQueryParameters(MergeExtraQueryParameters(mergedOptions, null));
                 }
 
                 if (!string.IsNullOrEmpty(authCodeRedemptionParameters.Tenant))
@@ -1145,8 +1145,8 @@ private void NotifyCertificateSelection(
                             // Special case when the OBO inbound token is composite (for instance PFT)
                             if (dict.ContainsKey(assertionConstant) && dict.ContainsKey(subAssertionConstant))
                             {
-                                string assertion = dict[assertionConstant];
-                                string subAssertion = dict[subAssertionConstant];
+                                string assertion = dict[assertionConstant].value;
+                                string subAssertion = dict[subAssertionConstant].value;
 
                                 // Check assertion and sub_assertion passed from merging extra query parameters to ensure they do not contain unsupported character(s).
                                 CheckAssertionsForInjectionAttempt(assertion, subAssertion);
@@ -1164,7 +1164,6 @@ private void NotifyCertificateSelection(
                                 dict.Remove(assertionConstant);
                                 dict.Remove(subAssertionConstant);
                             }
-
                             builder.WithExtraQueryParameters(dict);
                         }
                         if (tokenAcquisitionOptions.ExtraHeadersParameters != null)
@@ -1362,25 +1361,40 @@ private Task<AuthenticationResult> GetAuthenticationResultForWebAppWithAccountFr
             return builder.ExecuteAsync(tokenAcquisitionOptions != null ? tokenAcquisitionOptions.CancellationToken : CancellationToken.None);
         }
 
-        internal static Dictionary<string, string>? MergeExtraQueryParameters(
+        internal static Dictionary<string, (string value, bool includeInCacheKey)>? MergeExtraQueryParameters(
             MergedOptions mergedOptions,
-            TokenAcquisitionOptions tokenAcquisitionOptions)
+            TokenAcquisitionOptions? tokenAcquisitionOptions)
         {
-            if (tokenAcquisitionOptions.ExtraQueryParameters != null)
+            // Return null if both sources are empty
+            if (tokenAcquisitionOptions?.ExtraQueryParameters == null && mergedOptions.ExtraQueryParameters == null)
             {
-                var mergedDict = new Dictionary<string, string>(tokenAcquisitionOptions.ExtraQueryParameters);
-                if (mergedOptions.ExtraQueryParameters != null)
+                return null;
+            }
+
+            var mergedDict = new Dictionary<string, (string value, bool includeInCacheKey)>(StringComparer.OrdinalIgnoreCase);
+
+            // Add from tokenAcquisitionOptions first (these take precedence)
+            if (tokenAcquisitionOptions?.ExtraQueryParameters != null)
+            {
+                foreach (var pair in tokenAcquisitionOptions.ExtraQueryParameters)
+                {
+                    mergedDict[pair.Key] = (pair.Value, true);
+                }
+            }
+
+            // Add from mergedOptions without overriding existing keys
+            if (mergedOptions.ExtraQueryParameters != null)
+            {
+                foreach (var pair in mergedOptions.ExtraQueryParameters)
                 {
-                    foreach (var pair in mergedOptions!.ExtraQueryParameters)
+                    if (!mergedDict.ContainsKey(pair.Key))
                     {
-                        if (!mergedDict!.ContainsKey(pair.Key))
-                            mergedDict.Add(pair.Key, pair.Value);
+                        mergedDict.Add(pair.Key, (pair.Value, true));
                     }
                 }
-                return mergedDict;
             }
 
-            return (Dictionary<string, string>?)mergedOptions.ExtraQueryParameters;
+            return mergedDict;
         }
 
         protected static bool AcceptedTokenVersionMismatch(MsalUiRequiredException msalServiceException)

tests/Microsoft.Identity.Web.Test/TokenAcquisitionAuthorityTests.cs

@@ -385,9 +385,9 @@ public void MergeExtraQueryParametersTest()
 
             // Assert
             Assert.Equal(3, mergedDict!.Count);
-            Assert.Equal("newvalue1", mergedDict["key1"]);
-            Assert.Equal("value2", mergedDict["key2"]);
-            Assert.Equal("value3", mergedDict["key3"]);
+            Assert.Equal("newvalue1", mergedDict["key1"].value);
+            Assert.Equal("value2", mergedDict["key2"].value);
+            Assert.Equal("value3", mergedDict["key3"].value);
         }
 
         [Fact]
@@ -411,8 +411,8 @@ public void MergeExtraQueryParameters_TokenAcquisitionOptionsNull_Test()
             var mergedDict = TokenAcquisition.MergeExtraQueryParameters(mergedOptions, tokenAcquisitionOptions);
 
             // Assert
-            Assert.Equal("value1", mergedDict!["key1"]);
-            Assert.Equal("value2", mergedDict["key2"]);
+            Assert.Equal("value1", mergedDict!["key1"].value);
+            Assert.Equal("value2", mergedDict["key2"].value);
         }
 
         [Fact]