Microsoft.Identity.Abstractions

Microsoft.Identity.Abstractions contain interfaces and POCO classes used in the Microsoft .NET authentication libraries (Microsoft.IdentityModel, MSAL.NET and Microsoft.Identity.Web). It exposes concepts in three domains:

Concepts

Overview of the data classes

the following diagram provides an overview of the data classes exposed by Microsoft.Identity.Abstractions

classDiagram namespace ApplicationOptions { class CredentialDescription { <<ro>> +string Id <<rw>> +CredentialSource SourceType <<rw>> +string KeyVaultUrl <<rw>> +string CertificateStorePath <<rw>> +string CertificateDistinguishedName <<rw>> +string KeyVaultCertificateName <<rw>> +string CertificateThumbprint <<rw>> +string CertificateDiskPath <<rw>> +string CertificatePassword <<rw>> +string Base64EncodedValue <<rw>> +string ClientSecret <<rw>> +string ManagedIdentityClientId <<rw>> +string SignedAssertionFileDiskPath <<rw>> +AuthorizationHeaderProviderOptions DecryptKeysAuthenticationOptions <<rw>> +string TokenExchangeAuthority <<rw>> +X509Certificate2 Certificate <<rw>> +Object CachedValue <<rw>> +bool Skip <<ro>> +CredentialType CredentialType <<rw>> +string TokenExchangeUrl <<rw>> +string CustomSignedAssertionProviderName <<rw>> +Dictionary<string, Object> CustomSignedAssertionProviderData } class CredentialSource { <<enum>> Certificate = 0 KeyVault = 1 Base64Encoded = 2 Path = 3 StoreWithThumbprint = 4 StoreWithDistinguishedName = 5 ClientSecret = 6 SignedAssertionFromManagedIdentity = 7 SignedAssertionFilePath = 8 SignedAssertionFromVault = 9 AutoDecryptKeys = 10 CustomSignedAssertion = 11 } class CredentialType { <<enum>> Certificate = 0 Secret = 1 SignedAssertion = 2 DecryptKeys = 3 } class IdentityApplicationOptions { <<rw>> +string Authority <<rw>> +string ClientId <<rw>> +bool EnablePiiLogging <<rw>> +IDictionary<string, string> ExtraQueryParameters <<rw>> +IEnumerable<CredentialDescription> ClientCredentials <<rw>> +string Audience <<rw>> +IEnumerable<string> Audiences <<rw>> +IEnumerable<CredentialDescription> TokenDecryptionCredentials <<rw>> +bool AllowWebApiToBeAuthorizedByACL } class MicrosoftEntraApplicationOptions { <<rw>> +string Instance <<rw>> +string TenantId <<rw>> +string Authority <<rw>> +string AppHomeTenantId <<rw>> +string AzureRegion <<rw>> +IEnumerable<string> ClientCapabilities <<rw>> +bool SendX5C } class MicrosoftIdentityApplicationOptions { <<rw>> +bool WithSpaAuthCode <<rw>> +string Domain <<rw>> +string EditProfilePolicyId <<rw>> +string SignUpSignInPolicyId <<rw>> +string ResetPasswordPolicyId <<ro>> +string DefaultUserFlow <<rw>> +string ResetPasswordPath <<rw>> +string ErrorPath } } namespace TokenAcquisition { class AcquireTokenOptions { +AcquireTokenOptions Clone() <<rw>> +string AuthenticationOptionsName <<rw>> +Nullable<Guid> CorrelationId <<rw>> +IDictionary<string, string> ExtraQueryParameters <<rw>> +IDictionary<string, Object> ExtraParameters <<rw>> +IDictionary<string, string> ExtraHeadersParameters <<rw>> +string Claims <<rw>> +string FmiPath <<rw>> +bool ForceRefresh <<rw>> +string PopPublicKey <<rw>> +string PopClaim <<rw>> +ManagedIdentityOptions ManagedIdentity <<rw>> +string LongRunningWebApiSessionKey <<ro>> +string LongRunningWebApiSessionKeyAuto <<rw>> +string Tenant <<rw>> +string UserFlow } class AcquireTokenResult { <<rw>> +string AccessToken <<rw>> +DateTimeOffset ExpiresOn <<rw>> +string TenantId <<rw>> +string IdToken <<rw>> +IEnumerable<string> Scopes <<rw>> +Guid CorrelationId <<rw>> +string TokenType } class ITokenAcquirer { <<interface>> +Task<AcquireTokenResult> GetTokenForUserAsync(IEnumerable<string> scopes, AcquireTokenOptions tokenAcquisitionOptions, ClaimsPrincipal user, CancellationToken cancellationToken) +Task<AcquireTokenResult> GetTokenForAppAsync(string scope, AcquireTokenOptions tokenAcquisitionOptions, CancellationToken cancellationToken) } class ITokenAcquirerFactory { <<interface>> +ITokenAcquirer GetTokenAcquirer(IdentityApplicationOptions identityApplicationOptions) +ITokenAcquirer GetTokenAcquirer(string optionName) } class ManagedIdentityOptions { +ManagedIdentityOptions Clone() <<rw>> +string UserAssignedClientId } } namespace DownstreamApis { class AuthorizationHeaderProviderOptions { +AuthorizationHeaderProviderOptions Clone() #AuthorizationHeaderProviderOptions CloneInternal() +string GetApiUrl() <<rw>> +string BaseUrl <<rw>> +string RelativePath <<rw>> +string HttpMethod <<rw>> +Action<HttpRequestMessage> CustomizeHttpRequestMessage <<rw>> +AcquireTokenOptions AcquireTokenOptions <<rw>> +string ProtocolScheme <<rw>> +bool RequestAppToken } class DownstreamApiOptions { +DownstreamApiOptions Clone() #AuthorizationHeaderProviderOptions CloneInternal() <<rw>> +IEnumerable<string> Scopes <<rw>> +Func<Object, HttpContent> Serializer <<rw>> +Func<HttpContent, Object> Deserializer <<rw>> +string AcceptHeader <<rw>> +string ContentType } class DownstreamApiOptionsReadOnlyHttpMethod { +DownstreamApiOptionsReadOnlyHttpMethod Clone() #AuthorizationHeaderProviderOptions CloneInternal() <<rw>> +string HttpMethod } } IdentityApplicationOptions <|-- MicrosoftEntraApplicationOptions : Inherits MicrosoftEntraApplicationOptions <|-- MicrosoftIdentityApplicationOptions : Inherits AuthorizationHeaderProviderOptions <|-- DownstreamApiOptions : Inherits DownstreamApiOptions <|-- DownstreamApiOptionsReadOnlyHttpMethod : Inherits CredentialDescription *-- "SourceType" CredentialSource : Has CredentialDescription --> "DecryptKeysAuthenticationOptions" AuthorizationHeaderProviderOptions : Has CredentialDescription *-- "CredentialType" CredentialType : Has IdentityApplicationOptions --> "ClientCredentials" CredentialDescription : Has many IdentityApplicationOptions --> "TokenDecryptionCredentials" CredentialDescription : Has many AuthorizationHeaderProviderOptions --> "AcquireTokenOptions" AcquireTokenOptions : Has AcquireTokenOptions --> "ManagedIdentity" ManagedIdentityOptions : Has ITokenAcquirerFactory --> ITokenAcquirer : produces ITokenAcquirer --> AcquireTokenOptions : parametrized by AcquireTokenOptions --> "ManagedIdentity" ManagedIdentityOptions : Has ITokenAcquirer --> AcquireTokenResult : returns

Application options and credentials

The application options are typically the options that you find in configuration files like the appsettings.json file. They describe the authentication aspects of your application. The library offers two layer. A standard layer, and a Microsoft Identity platform specialization.

classDiagram class CredentialDescription { <<ro>> +string Id <<rw>> +CredentialSource SourceType <<rw>> +string KeyVaultUrl <<rw>> +string CertificateStorePath <<rw>> +string CertificateDistinguishedName <<rw>> +string KeyVaultCertificateName <<rw>> +string CertificateThumbprint <<rw>> +string CertificateDiskPath <<rw>> +string CertificatePassword <<rw>> +string Base64EncodedValue <<rw>> +string ClientSecret <<rw>> +string ManagedIdentityClientId <<rw>> +string SignedAssertionFileDiskPath <<rw>> +AuthorizationHeaderProviderOptions DecryptKeysAuthenticationOptions <<rw>> +string TokenExchangeAuthority <<rw>> +X509Certificate2 Certificate <<rw>> +Object CachedValue <<rw>> +bool Skip <<ro>> +CredentialType CredentialType <<rw>> +string TokenExchangeUrl <<rw>> +string CustomSignedAssertionProviderName <<rw>> +Dictionary<string, Object> CustomSignedAssertionProviderData } class CredentialSource { <<enum>> Certificate = 0 KeyVault = 1 Base64Encoded = 2 Path = 3 StoreWithThumbprint = 4 StoreWithDistinguishedName = 5 ClientSecret = 6 SignedAssertionFromManagedIdentity = 7 SignedAssertionFilePath = 8 SignedAssertionFromVault = 9 AutoDecryptKeys = 10 CustomSignedAssertion = 11 } class CredentialType { <<enum>> Certificate = 0 Secret = 1 SignedAssertion = 2 DecryptKeys = 3 } class IdentityApplicationOptions { <<rw>> +string Authority <<rw>> +string ClientId <<rw>> +bool EnablePiiLogging <<rw>> +IDictionary<string, string> ExtraQueryParameters <<rw>> +IEnumerable<CredentialDescription> ClientCredentials <<rw>> +string Audience <<rw>> +IEnumerable<string> Audiences <<rw>> +IEnumerable<CredentialDescription> TokenDecryptionCredentials <<rw>> +bool AllowWebApiToBeAuthorizedByACL } class MicrosoftEntraApplicationOptions { <<rw>> +string Instance <<rw>> +string TenantId <<rw>> +string Authority <<rw>> +string AppHomeTenantId <<rw>> +string AzureRegion <<rw>> +IEnumerable<string> ClientCapabilities <<rw>> +bool SendX5C } class MicrosoftIdentityApplicationOptions { <<rw>> +bool WithSpaAuthCode <<rw>> +string Domain <<rw>> +string EditProfilePolicyId <<rw>> +string SignUpSignInPolicyId <<rw>> +string ResetPasswordPolicyId <<ro>> +string DefaultUserFlow <<rw>> +string ResetPasswordPath <<rw>> +string ErrorPath } IdentityApplicationOptions <|-- MicrosoftEntraApplicationOptions : Inherits MicrosoftEntraApplicationOptions <|-- MicrosoftIdentityApplicationOptions : Inherits CredentialDescription *-- "SourceType" CredentialSource : Has CredentialDescription --> "DecryptKeysAuthenticationOptions" AuthorizationHeaderProviderOptions : Has note for AuthorizationHeaderProviderOptions "see below" CredentialDescription *-- "CredentialType" CredentialType : Has IdentityApplicationOptions --> "ClientCredentials" CredentialDescription : Has many IdentityApplicationOptions --> "TokenDecryptionCredentials" CredentialDescription : Has many

Credential loaders

An important part of the application options are the credentials. In addition to the credential descriptions, the library offers extensibility mechanisms so that implementers can add their own credential source loaders.

classDiagram class CredentialSourceLoaderParameters { <<rw>> +string ClientId <<rw>> +string Authority } class ICredentialsLoader { <<interface>> +Task LoadCredentialsIfNeededAsync(CredentialDescription credentialDescription, CredentialSourceLoaderParameters parameters) +Task<CredentialDescription> LoadFirstValidCredentialsAsync(IEnumerable<CredentialDescription> credentialDescriptions, CredentialSourceLoaderParameters parameters) +Void ResetCredentials(IEnumerable<CredentialDescription> credentialDescriptions) <<ro>> +IDictionary<CredentialSource, ICredentialSourceLoader> CredentialSourceLoaders } class ICredentialSourceLoader { <<interface>> +Task LoadIfNeededAsync(CredentialDescription credentialDescription, CredentialSourceLoaderParameters parameters) <<ro>> +CredentialSource CredentialSource } class ICustomSignedAssertionProvider { <<interface>> <<ro>> +string Name } ICredentialSourceLoader <|-- ICustomSignedAssertionProvider : Inherits ICredentialSourceLoader *-- "CredentialSource" CredentialSource : Has ICredentialsLoader --> ICredentialSourceLoader : Loads ICredentialSourceLoader --> CredentialSourceLoaderParameters : Uses note for CredentialSource "see above"

There can be several application options with different names (for instance in ASP.NET Core these would be different authentication schemes)

Token acquisition

Once configured, an application can acquire tokens from the Identity provider. This is a low level API, in the sense that you would probably prefer to call downstream web APIs without having to be preoccupied about the authentication aspects. If you really want to use the lower level API, you should:

get hold of a ITokenAcquirerFactory. Implementations can provide a TokenAcquirerFactory for instance, with a singleton.
get a ITokenAcquirer (by its name, for instance). This corresponds to the application options
From the token acquirer get a token for on behalf of the user, or the app. If you don't specify any AcquireTokenOptions, the implementation should do its best effort. The AcquireTokenOptions enable you to override the defaults.

classDiagram class AcquireTokenOptions { +AcquireTokenOptions Clone() <<rw>> +string AuthenticationOptionsName <<rw>> +Nullable<Guid> CorrelationId <<rw>> +IDictionary<string, string> ExtraQueryParameters <<rw>> +IDictionary<string, Object> ExtraParameters <<rw>> +IDictionary<string, string> ExtraHeadersParameters <<rw>> +string Claims <<rw>> +string FmiPath <<rw>> +bool ForceRefresh <<rw>> +string PopPublicKey <<rw>> +string PopClaim <<rw>> +ManagedIdentityOptions ManagedIdentity <<rw>> +string LongRunningWebApiSessionKey <<ro>> +string LongRunningWebApiSessionKeyAuto <<rw>> +string Tenant <<rw>> +string UserFlow } class AcquireTokenResult { <<rw>> +string AccessToken <<rw>> +DateTimeOffset ExpiresOn <<rw>> +string TenantId <<rw>> +string IdToken <<rw>> +IEnumerable<string> Scopes <<rw>> +Guid CorrelationId <<rw>> +string TokenType } class ITokenAcquirer { <<interface>> +Task<AcquireTokenResult> GetTokenForUserAsync(IEnumerable<string> scopes, AcquireTokenOptions tokenAcquisitionOptions, ClaimsPrincipal user, CancellationToken cancellationToken) +Task<AcquireTokenResult> GetTokenForAppAsync(string scope, AcquireTokenOptions tokenAcquisitionOptions, CancellationToken cancellationToken) } class ITokenAcquirerFactory { <<interface>> +ITokenAcquirer GetTokenAcquirer(IdentityApplicationOptions identityApplicationOptions) +ITokenAcquirer GetTokenAcquirer(string optionName) } class ManagedIdentityOptions { +ManagedIdentityOptions Clone() <<rw>> +string UserAssignedClientId } ITokenAcquirerFactory ..> ITokenAcquirer : produces ITokenAcquirer --> AcquireTokenOptions : parametrized by AcquireTokenOptions --> "ManagedIdentity" ManagedIdentityOptions : Has ITokenAcquirer ..> AcquireTokenResult : returns

Call downstream APIs

It's also possible (and recommended) to use higher level APIs:

IDownstreamApi enables you to call a downstream web API and let the implementation handle the serialization of the input parameter (if any), handling the getting the authorization header and attaching it to the HttpClient, call the downstream web API, handle errors, deserialize the answer and return it as a strongly typed object. You can use customize all these steps, for instance by providing your own serializer / deserializer.
IAuthorizationHeaderProvider is the component that provides the authorization header, delegating to the ITokenAcquirer. Whereas ITokenAcquirer only knows about tokens, IAuthorizationHeaderProvider knows about protocols (for instance bearer, Pop, etc ...)

classDiagram class AuthorizationHeaderProviderOptions { +AuthorizationHeaderProviderOptions Clone() #AuthorizationHeaderProviderOptions CloneInternal() +string GetApiUrl() <<rw>> +string BaseUrl <<rw>> +string RelativePath <<rw>> +string HttpMethod <<rw>> +Action<HttpRequestMessage> CustomizeHttpRequestMessage <<rw>> +AcquireTokenOptions AcquireTokenOptions <<rw>> +string ProtocolScheme <<rw>> +bool RequestAppToken } class DownstreamApiOptions { +DownstreamApiOptions Clone() #AuthorizationHeaderProviderOptions CloneInternal() <<rw>> +IEnumerable<string> Scopes <<rw>> +Func<Object, HttpContent> Serializer <<rw>> +Func<HttpContent, Object> Deserializer <<rw>> +string AcceptHeader <<rw>> +string ContentType } class DownstreamApiOptionsReadOnlyHttpMethod { +DownstreamApiOptionsReadOnlyHttpMethod Clone() #AuthorizationHeaderProviderOptions CloneInternal() <<rw>> +string HttpMethod } class IAuthorizationHeaderProvider { <<interface>> +Task<string> CreateAuthorizationHeaderForUserAsync(IEnumerable<string> scopes, AuthorizationHeaderProviderOptions authorizationHeaderProviderOptions, ClaimsPrincipal claimsPrincipal, CancellationToken cancellationToken) +Task<string> CreateAuthorizationHeaderForAppAsync(string scopes, AuthorizationHeaderProviderOptions downstreamApiOptions, CancellationToken cancellationToken) +Task<string> CreateAuthorizationHeaderAsync(IEnumerable<string> scopes, AuthorizationHeaderProviderOptions options, ClaimsPrincipal claimsPrincipal, CancellationToken cancellationToken) } class IDownstreamApi { <<interface>> +Task<HttpResponseMessage> CallApiAsync(DownstreamApiOptions downstreamApiOptions, ClaimsPrincipal user, HttpContent content, CancellationToken cancellationToken) +Task<HttpResponseMessage> CallApiAsync(string serviceName, Action<DownstreamApiOptions> downstreamApiOptionsOverride, ClaimsPrincipal user, HttpContent content, CancellationToken cancellationToken) +Task<HttpResponseMessage> CallApiForUserAsync(string serviceName, Action<DownstreamApiOptions> downstreamApiOptionsOverride, ClaimsPrincipal user, HttpContent content, CancellationToken cancellationToken) +Task<HttpResponseMessage> CallApiForAppAsync(string serviceName, Action<DownstreamApiOptions> downstreamApiOptionsOverride, HttpContent content, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> CallApiForUserAsync(string serviceName, IDownstreamApi.TInput input, Action<DownstreamApiOptions> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> CallApiForUserAsync(string serviceName, Action<DownstreamApiOptions> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> CallApiForAppAsync(string serviceName, IDownstreamApi.TInput input, Action<DownstreamApiOptions> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> CallApiForAppAsync(string serviceName, Action<DownstreamApiOptions> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> CallApiForUserAsync(string serviceName, IDownstreamApi.TInput input, JsonTypeInfo<IDownstreamApi.TInput> inputJsonTypeInfo, JsonTypeInfo<IDownstreamApi.TOutput> outputJsonTypeInfo, Action<DownstreamApiOptions> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> CallApiForUserAsync(string serviceName, JsonTypeInfo<IDownstreamApi.TOutput> outputJsonTypeInfo, Action<DownstreamApiOptions> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> CallApiForAppAsync(string serviceName, IDownstreamApi.TInput input, JsonTypeInfo<IDownstreamApi.TInput> inputJsonTypeInfo, JsonTypeInfo<IDownstreamApi.TOutput> outputJsonTypeInfo, Action<DownstreamApiOptions> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> CallApiForAppAsync(string serviceName, JsonTypeInfo<IDownstreamApi.TOutput> outputJsonTypeInfo, Action<DownstreamApiOptions> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> GetForUserAsync(string serviceName, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> GetForUserAsync(string serviceName, IDownstreamApi.TInput input, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> GetForAppAsync(string serviceName, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> GetForAppAsync(string serviceName, IDownstreamApi.TInput input, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task PostForUserAsync(string serviceName, IDownstreamApi.TInput input, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> PostForUserAsync(string serviceName, IDownstreamApi.TInput input, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task PostForAppAsync(string serviceName, IDownstreamApi.TInput input, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> PostForAppAsync(string serviceName, IDownstreamApi.TInput input, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task PutForUserAsync(string serviceName, IDownstreamApi.TInput input, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> PutForUserAsync(string serviceName, IDownstreamApi.TInput input, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task PutForAppAsync(string serviceName, IDownstreamApi.TInput input, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> PutForAppAsync(string serviceName, IDownstreamApi.TInput input, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task PatchForUserAsync(string serviceName, IDownstreamApi.TInput input, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> PatchForUserAsync(string serviceName, IDownstreamApi.TInput input, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task PatchForAppAsync(string serviceName, IDownstreamApi.TInput input, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> PatchForAppAsync(string serviceName, IDownstreamApi.TInput input, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task DeleteForUserAsync(string serviceName, IDownstreamApi.TInput input, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> DeleteForUserAsync(string serviceName, IDownstreamApi.TInput input, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task DeleteForAppAsync(string serviceName, IDownstreamApi.TInput input, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> DeleteForAppAsync(string serviceName, IDownstreamApi.TInput input, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> GetForUserAsync(string serviceName, JsonTypeInfo<IDownstreamApi.TOutput> outputJsonTypeInfo, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> GetForUserAsync(string serviceName, IDownstreamApi.TInput input, JsonTypeInfo<IDownstreamApi.TInput> inputJsonTypeInfo, JsonTypeInfo<IDownstreamApi.TOutput> outputJsonTypeInfo, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> GetForAppAsync(string serviceName, JsonTypeInfo<IDownstreamApi.TOutput> outputJsonTypeInfo, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> GetForAppAsync(string serviceName, IDownstreamApi.TInput input, JsonTypeInfo<IDownstreamApi.TInput> inputJsonTypeInfo, JsonTypeInfo<IDownstreamApi.TOutput> outputJsonTypeInfo, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task PostForUserAsync(string serviceName, IDownstreamApi.TInput input, JsonTypeInfo<IDownstreamApi.TInput> inputJsonTypeInfo, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> PostForUserAsync(string serviceName, IDownstreamApi.TInput input, JsonTypeInfo<IDownstreamApi.TInput> inputJsonTypeInfo, JsonTypeInfo<IDownstreamApi.TOutput> outputJsonTypeInfo, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task PostForAppAsync(string serviceName, IDownstreamApi.TInput input, JsonTypeInfo<IDownstreamApi.TInput> inputJsonTypeInfo, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> PostForAppAsync(string serviceName, IDownstreamApi.TInput input, JsonTypeInfo<IDownstreamApi.TInput> inputJsonTypeInfo, JsonTypeInfo<IDownstreamApi.TOutput> outputJsonTypeInfo, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task PutForUserAsync(string serviceName, IDownstreamApi.TInput input, JsonTypeInfo<IDownstreamApi.TInput> inputJsonTypeInfo, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> PutForUserAsync(string serviceName, IDownstreamApi.TInput input, JsonTypeInfo<IDownstreamApi.TInput> inputJsonTypeInfo, JsonTypeInfo<IDownstreamApi.TOutput> outputJsonTypeInfo, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task PutForAppAsync(string serviceName, IDownstreamApi.TInput input, JsonTypeInfo<IDownstreamApi.TInput> inputJsonTypeInfo, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> PutForAppAsync(string serviceName, IDownstreamApi.TInput input, JsonTypeInfo<IDownstreamApi.TInput> inputJsonTypeInfo, JsonTypeInfo<IDownstreamApi.TOutput> outputJsonTypeInfo, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task PatchForUserAsync(string serviceName, IDownstreamApi.TInput input, JsonTypeInfo<IDownstreamApi.TInput> inputJsonTypeInfo, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> PatchForUserAsync(string serviceName, IDownstreamApi.TInput input, JsonTypeInfo<IDownstreamApi.TInput> inputJsonTypeInfo, JsonTypeInfo<IDownstreamApi.TOutput> outputJsonTypeInfo, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task PatchForAppAsync(string serviceName, IDownstreamApi.TInput input, JsonTypeInfo<IDownstreamApi.TInput> inputJsonTypeInfo, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> PatchForAppAsync(string serviceName, IDownstreamApi.TInput input, JsonTypeInfo<IDownstreamApi.TInput> inputJsonTypeInfo, JsonTypeInfo<IDownstreamApi.TOutput> outputJsonTypeInfo, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task DeleteForUserAsync(string serviceName, IDownstreamApi.TInput input, JsonTypeInfo<IDownstreamApi.TInput> inputJsonTypeInfo, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> DeleteForUserAsync(string serviceName, IDownstreamApi.TInput input, JsonTypeInfo<IDownstreamApi.TInput> inputJsonTypeInfo, JsonTypeInfo<IDownstreamApi.TOutput> outputJsonTypeInfo, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, ClaimsPrincipal user, CancellationToken cancellationToken) +Task DeleteForAppAsync(string serviceName, IDownstreamApi.TInput input, JsonTypeInfo<IDownstreamApi.TInput> inputJsonTypeInfo, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, CancellationToken cancellationToken) +Task<IDownstreamApi.TOutput> DeleteForAppAsync(string serviceName, IDownstreamApi.TInput input, JsonTypeInfo<IDownstreamApi.TInput> inputJsonTypeInfo, JsonTypeInfo<IDownstreamApi.TOutput> outputJsonTypeInfo, Action<DownstreamApiOptionsReadOnlyHttpMethod> downstreamApiOptionsOverride, CancellationToken cancellationToken) } AuthorizationHeaderProviderOptions <|-- DownstreamApiOptions : Inherits DownstreamApiOptions <|-- DownstreamApiOptionsReadOnlyHttpMethod : Inherits CredentialDescription --> "DecryptKeysAuthenticationOptions" AuthorizationHeaderProviderOptions : Has AuthorizationHeaderProviderOptions --> "AcquireTokenOptions" AcquireTokenOptions : Has AcquireTokenOptions --> "ManagedIdentity" ManagedIdentityOptions : Has IDownstreamApi ..> DownstreamApiOptions : Uses IAuthorizationHeaderProvider ..> AuthorizationHeaderProviderOptions : Uses

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.

Showing the top 20 packages that depend on Microsoft.Identity.Abstractions.

Packages	Downloads
Microsoft.Identity.Web.Certificate This package brings certificate management for MSAL.NET.	8
Microsoft.Identity.Web.Certificate This package brings certificate management for MSAL.NET.	16
Microsoft.Identity.Web.TokenAcquisition Implementation for higher level API for confidential client applications (ASP.NET Core and SDK/.NET).	6
Microsoft.Identity.Web.TokenAcquisition Implementation for higher level API for confidential client applications (ASP.NET Core and SDK/.NET).	7
Microsoft.Identity.Web.TokenAcquisition Implementation for higher level API for confidential client applications (ASP.NET Core and SDK/.NET).	8
Microsoft.Identity.Web.TokenAcquisition Implementation for higher level API for confidential client applications (ASP.NET Core and SDK/.NET).	11
Microsoft.Identity.Web.TokenAcquisition Implementation for higher level API for confidential client applications (ASP.NET Core and SDK/.NET).	19

The release notes are available at https://github.com/AzureAD/microsoft-identity-abstractions-for-dotnet/releases and the roadmap at https://github.com/AzureAD/microsoft-identity-abstractions-for-dotnet/wiki#roadmap

.NET Framework 4.6.2

No dependencies.

.NET 8.0

No dependencies.

.NET Standard 2.0

No dependencies.

.NET Standard 2.1

No dependencies.

Version	Downloads	Last updated
9.0.0	2	04/17/2025
8.2.0	4	02/18/2025
8.1.1	4	02/18/2025
8.1.0	5	02/18/2025
8.0.0	4	01/31/2025
7.2.1	4	01/31/2025
7.2.0	5	01/18/2025
7.1.0	5	01/19/2025
7.0.0	6	01/19/2025
6.0.0	5	01/30/2025
5.3.0	8	05/22/2024
5.2.0	8	05/29/2024
5.1.0	20	02/01/2024
5.0.0	13	01/03/2024
4.1.0	8	03/06/2024
4.0.0	8	03/06/2024
3.2.1	8	03/06/2024
3.2.0	8	03/06/2024
3.1.0	7	03/06/2024
3.0.1	8	03/08/2024
3.0.0	8	03/06/2024
2.1.0	7	03/06/2024
2.0.1	7	03/06/2024
2.0.0	7	03/19/2024
1.2.0	7	03/06/2024
1.1.0	8	03/09/2024
1.0.6-preview	6	03/02/2024
1.0.5-preview	6	03/02/2024
1.0.4-preview	6	03/10/2024
1.0.3-preview	4	01/19/2025
1.0.2-preview	5	03/10/2024
1.0.1-preview	7	03/10/2024
1.0.0-preview	5	03/10/2024

Microsoft.Identity.Abstractions 9.0.0

Readme