12 changes: 9 additions & 3 deletions src/client/Microsoft.Identity.Client.Broker/RuntimeBroker.cs
Expand Up @@ -6,6 +6,7 @@
using System.Globalization;
using System.Linq;
using System.Diagnostics;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Threading.Tasks;
using Microsoft.Identity.Client.ApiConfig.Parameters;
Expand Down Expand Up @@ -456,6 +457,8 @@ public async Task<MsalTokenResponse> AcquireTokenSilentDefaultUserAsync(
return msalTokenResponse;
}

[Obsolete("This API has been deprecated, please use a more secure flow. See https://aka.ms/msal-ropc-migration for migration guidance", false)]
[EditorBrowsable(EditorBrowsableState.Never)] // deprecated, this API is no longer supported
public async Task<MsalTokenResponse> AcquireTokenByUsernamePasswordAsync(
AuthenticationRequestParameters authenticationRequestParameters,
AcquireTokenByUsernamePasswordParameters acquireTokenByUsernamePasswordParameters)
Expand All @@ -476,7 +479,8 @@ public async Task<MsalTokenResponse> AcquireTokenByUsernamePasswordAsync(
authParams.Properties["MSALRuntime_Username"] = acquireTokenByUsernamePasswordParameters.Username;
authParams.Properties["MSALRuntime_Password"] = acquireTokenByUsernamePasswordParameters.Password;
// For Linux broker, use the interactive flow with username password to get the token
if (Environment.GetEnvironmentVariable("TF_BUILD") != null && DesktopOsHelper.IsLinux()) {
if (Environment.GetEnvironmentVariable("TF_BUILD") != null && DesktopOsHelper.IsLinux())
{
using (NativeInterop.AuthResult result = await s_lazyCore.Value.SignInInteractivelyAsync(
XOpenDisplay(":1"),
authParams,
Expand All @@ -487,7 +491,9 @@ public async Task<MsalTokenResponse> AcquireTokenByUsernamePasswordAsync(
var errorMessage = "Could not acquire token with username and password.";
msalTokenResponse = WamAdapters.HandleResponse(result, authenticationRequestParameters, _logger, errorMessage);
}
} else {
}
else
{
using (NativeInterop.AuthResult result = await s_lazyCore.Value.SignInSilentlyAsync(
authParams,
authenticationRequestParameters.CorrelationId.ToString("D"),
Expand All @@ -497,7 +503,7 @@ public async Task<MsalTokenResponse> AcquireTokenByUsernamePasswordAsync(
msalTokenResponse = WamAdapters.HandleResponse(result, authenticationRequestParameters, _logger, errorMessage);
}
}

}

return msalTokenResponse;
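Review bot: The branch at `if (Environment.GetEnvironmentVariable("TF_BUILD") != null && DesktopOsHelper.IsLinux())` lets a process environment variable select the authentication path in shipping code, and the comment above it (`// For Linux broker, use the interactive flow with username password to get the token`) does not mention that gate. TF_BUILD is the Azure Pipelines build marker and the display is hard-coded as `XOpenDisplay(":1")`, so this looks like a CI accommodation. If so, the comment should say it, for example `// CI only (TF_BUILD set) on Linux: drive the interactive flow with the supplied credentials`, or the switch should move behind a test-only seam so the product path does not depend on the environment. The commit only reformats the braces here, and AcquireTokenByUsernamePasswordAsync starts and ends outside the visible hunks.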
Expand Up @@ -113,8 +113,8 @@ AcquireTokenByIntegratedWindowsAuthParameterBuilder AcquireTokenByIntegratedWind
/// Available only for .NET Framework and .NET Core applications. See <see href="https://aka.ms/msal-net-up">our documentation</see> for details.
/// .NET no longer recommends using SecureString and MSAL puts the plaintext value of the password on the wire, as required by the OAuth protocol. See <see href="https://docs.microsoft.com/dotnet/api/system.security.securestring?view=net-6.0#remarks">SecureString documentation</see> for details.
/// </remarks>
[Obsolete("Using SecureString is not recommended. Use AcquireTokenByUsernamePassword(IEnumerable<string> scopes, string username, string password) instead.", false)]
[EditorBrowsable(EditorBrowsableState.Never)]
[Obsolete("This API has been deprecated, please use a more secure flow. See https://aka.ms/msal-ropc-migration for migration guidance", false)]
[EditorBrowsable(EditorBrowsableState.Never)] // deprecated, this API is no longer supported
AcquireTokenByUsernamePasswordParameterBuilder AcquireTokenByUsernamePassword(
IEnumerable<string> scopes,
string username,
Expand All @@ -133,6 +133,8 @@ AcquireTokenByUsernamePasswordParameterBuilder AcquireTokenByUsernamePassword(
/// <remarks>
/// Available only for .NET Framework and .NET Core applications. See <see href="https://aka.ms/msal-net-up">our documentation</see> for details.
/// </remarks>
[Obsolete("This API has been deprecated, please use a more secure flow. See https://aka.ms/msal-ropc-migration for migration guidance", false)]
[EditorBrowsable(EditorBrowsableState.Never)] // deprecated, this API is no longer supported
AcquireTokenByUsernamePasswordParameterBuilder AcquireTokenByUsernamePassword(
IEnumerable<string> scopes,
string username,
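Review bot: The trailing comment `// deprecated, this API is no longer supported` says more than the attribute does: `[Obsolete("...", false)]` only raises compiler warning CS0618 and the method stays callable, so a caller reading the comment could wrongly assume the password flow is already disabled. Wording such as `// deprecated (warning only); hidden from IntelliSense` would match the behaviour. The same attribute pair and comment appear in RuntimeBroker.cs, on the broker interface declaration and on the `/// <inheritdoc/>` implementations later on this page. The `<remarks>` above the first overload still only discuss SecureString and would benefit from one sentence pointing to the migration link in the attribute message.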
Expand Up @@ -6,7 +6,9 @@
using Microsoft.Identity.Client.Instance.Discovery;
using Microsoft.Identity.Client.Internal.Requests;
using Microsoft.Identity.Client.OAuth2;
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Threading.Tasks;

namespace Microsoft.Identity.Client.Internal.Broker
Expand All @@ -27,6 +29,8 @@ Task<MsalTokenResponse> AcquireTokenSilentDefaultUserAsync(
AuthenticationRequestParameters authenticationRequestParameters,
AcquireTokenSilentParameters acquireTokenSilentParameters);

[Obsolete("This API has been deprecated, please use a more secure flow. See https://aka.ms/msal-ropc-migration for migration guidance", false)]
[EditorBrowsable(EditorBrowsableState.Never)] // deprecated, this API is no longer supported
Task<MsalTokenResponse> AcquireTokenByUsernamePasswordAsync(
AuthenticationRequestParameters authenticationRequestParameters,
AcquireTokenByUsernamePasswordParameters acquireTokenByUsernamePasswordParameters);
Expand Up @@ -76,11 +76,12 @@ private async Task<MsalTokenResponse> GetTokenResponseAsync(CancellationToken ca
{
_logger.Info(LogMessages.CanInvokeBrokerAcquireTokenWithBroker);

#pragma warning disable CS0618 // Type or member is obsolete
MsalTokenResponse brokerTokenResponse = await broker.AcquireTokenByUsernamePasswordAsync(
_requestParameters,
_usernamePasswordParameters)
.ConfigureAwait(false);

#pragma warning restore CS0618
if (brokerTokenResponse != null)
{
_logger.Info("Broker attempt completed successfully. ");
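Review bot: The `#pragma warning disable CS0618` added around `broker.AcquireTokenByUsernamePasswordAsync(...)` carries only the generic compiler text, so a reader cannot tell why product code may call an API that the same change marks obsolete. A reason on the pragma line would help, for example `#pragma warning disable CS0618 // ROPC is deprecated; existing callers are still routed to the broker`, with the wording confirmed by the author. The restore would also read better directly after `.ConfigureAwait(false);` than after the blank line, which keeps the suppressed region to the one call. GetTokenResponseAsync starts and ends outside this hunk.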
Expand Up @@ -139,8 +139,8 @@ public AcquireTokenByIntegratedWindowsAuthParameterBuilder AcquireTokenByIntegra
}

/// <inheritdoc/>
[Obsolete("Using SecureString is not recommended. Use AcquireTokenByUsernamePassword(IEnumerable<string> scopes, string username, string password) instead.", false)]
[EditorBrowsable(EditorBrowsableState.Never)]
[Obsolete("This API has been deprecated, please use a more secure flow. See https://aka.ms/msal-ropc-migration for migration guidance", false)]
[EditorBrowsable(EditorBrowsableState.Never)] // deprecated, this API is no longer supported
public AcquireTokenByUsernamePasswordParameterBuilder AcquireTokenByUsernamePassword(
IEnumerable<string> scopes,
string username,
Expand All @@ -154,6 +154,8 @@ public AcquireTokenByUsernamePasswordParameterBuilder AcquireTokenByUsernamePass
}

/// <inheritdoc/>
[Obsolete("This API has been deprecated, please use a more secure flow. See https://aka.ms/msal-ropc-migration for migration guidance", false)]
[EditorBrowsable(EditorBrowsableState.Never)] // deprecated, this API is no longer supported
public AcquireTokenByUsernamePasswordParameterBuilder AcquireTokenByUsernamePassword(
IEnumerable<string> scopes,
string username,
2 changes: 2 additions & 0 deletions tests/CacheCompat/CommonCache.Test.MsalV3/Program.cs
Expand Up @@ -67,10 +67,12 @@ protected override async Task<IEnumerable<CacheExecutorAccountResult>> InternalE
}
catch (MsalUiRequiredException)
{
#pragma warning disable CS0618 // Type or memeber is obsolete
var result = await app
.AcquireTokenByUsernamePassword(scopes, labUserData.Upn, labUserData.Password)
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
#pragma warning restore CS0618

if (string.IsNullOrWhiteSpace(result.AccessToken))
{
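Review bot: The comment on the added `#pragma warning disable CS0618` line is misspelled: `// Type or memeber is obsolete` should read `// Type or member is obsolete`, as the other suppressions in this change do. Since this test calls the deprecated username/password flow on purpose, the comment could say so instead of repeating the compiler text. The enclosing method starts and ends outside the hunk.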
Expand Up @@ -43,10 +43,12 @@ public async Task ROPC_B2C_Async()
.WithTestLogging()
.Build();

#pragma warning disable CS0618 // Type or member is obsolete
AuthenticationResult authResult = await msalPublicClient
.AcquireTokenByUsernamePassword(s_b2cScopes, user.Upn, user.GetOrFetchPassword())
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
#pragma warning restore CS0618

Assert.IsNotNull(authResult);
Assert.AreEqual(TokenSource.IdentityProvider, authResult.AuthenticationResultMetadata.TokenSource);
Expand Up @@ -60,10 +60,12 @@ private async Task RunCiamRopcTest(string authority, LabResponse labResponse)
.WithRedirectUri(_ciamRedirectUri)
.Build();

#pragma warning disable CS0618 // Type or member is obsolete
var result = await msalPublicClient
.AcquireTokenByUsernamePassword(_ciamScopes, labResponse.User.Upn, labResponse.User.GetOrFetchPassword())
.ExecuteAsync()
.ConfigureAwait(false);
#pragma warning restore CS0618

Assert.IsNotNull(result.AccessToken);
Assert.AreEqual(TokenSource.IdentityProvider, result.AuthenticationResultMetadata.TokenSource);
Expand Down Expand Up @@ -170,10 +172,12 @@ public async Task OBOCiam_CustomDomain_ReturnsValidTokens()
.WithRedirectUri(labResponse.App.RedirectUri)
.Build();

#pragma warning disable CS0618 // Type or member is obsolete
var result = await msalPublicClient
.AcquireTokenByUsernamePassword(new[] { labResponse.App.DefaultScopes }, labResponse.User.Upn, labResponse.User.GetOrFetchPassword())
.ExecuteAsync()
.ConfigureAwait(false);
#pragma warning restore CS0618

Assert.IsNotNull(result.AccessToken);
Assert.AreEqual(TokenSource.IdentityProvider, result.AuthenticationResultMetadata.TokenSource);
Expand Up @@ -223,10 +223,12 @@ public async Task ByRefreshTokenTestAsync()
.WithAuthority(labResponse.Lab.Authority, "organizations")
.BuildConcrete();

#pragma warning disable CS0618 // Type or member is obsolete
AuthenticationResult authResult = await msalPublicClient
.AcquireTokenByUsernamePassword(s_scopes, labResponse.User.Upn, labResponse.User.GetOrFetchPassword())
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
#pragma warning restore CS0618

var confidentialApp = ConfidentialClientApplicationBuilder
.Create(labResponse.App.AppId)
Expand Up @@ -41,6 +41,7 @@ public async Task AuthorityMigrationAsync()

Trace.WriteLine("Acquire a token using a not so common authority alias");

#pragma warning disable CS0618 // Type or member is obsolete
AuthenticationResult authResult = await pca.AcquireTokenByUsernamePassword(
s_scopes,
user.Upn,
Expand All @@ -51,6 +52,7 @@ public async Task AuthorityMigrationAsync()
.WithTenantId(labResponse.Lab.TenantId)
.ExecuteAsync()
.ConfigureAwait(false);
#pragma warning restore CS0618

Assert.IsNotNull(authResult.AccessToken);

Expand Down Expand Up @@ -78,13 +80,15 @@ public async Task FailedAuthorityValidationTestAsync()

Trace.WriteLine("Acquire a token using a not so common authority alias");

#pragma warning disable CS0618 // Type or member is obsolete
MsalServiceException exception = await AssertException.TaskThrowsAsync<MsalServiceException>(() =>
pca.AcquireTokenByUsernamePassword(
s_scopes,
user.Upn,
user.GetOrFetchPassword())
.ExecuteAsync())
.ConfigureAwait(false);
#pragma warning restore CS0618

Assert.IsTrue(exception.Message.Contains("AADSTS50049"));
Assert.AreEqual("invalid_instance", exception.ErrorCode);
Expand All @@ -104,13 +108,15 @@ public async Task AuthorityValidationTestWithFalseValidateAuthorityAsync()

Trace.WriteLine("Acquire a token using a not so common authority alias");

#pragma warning disable CS0618 // Type or member is obsolete
_ = await AssertException.TaskThrowsAsync<HttpRequestException>(() =>
pca.AcquireTokenByUsernamePassword(
s_scopes,
user.Upn,
user.GetOrFetchPassword())
.ExecuteAsync())
.ConfigureAwait(false);
#pragma warning restore CS0618
}

/// <summary>
Expand Up @@ -58,10 +58,12 @@ public async Task LongRunningAndNormalObo_WithDifferentKeys_TestAsync()
.WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
.Build();

#pragma warning disable CS0618 // Type or member is obsolete
var userAuthResult = await pca
.AcquireTokenByUsernamePassword(s_oboServiceScope, user1.Upn, user1.GetOrFetchPassword())
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
#pragma warning restore CS0618

var cca = BuildCCA(userAuthResult.TenantId);

Expand Down Expand Up @@ -108,10 +110,12 @@ public async Task LongRunningThenNormalObo_WithTheSameKey_TestAsync()
.WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
.Build();

#pragma warning disable CS0618 // Type or member is obsolete
var userAuthResult = await pca
.AcquireTokenByUsernamePassword(s_oboServiceScope, user1.Upn, user1.GetOrFetchPassword())
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
#pragma warning restore CS0618

var cca = BuildCCA(userAuthResult.TenantId);

Expand Down Expand Up @@ -180,10 +184,12 @@ public async Task InitiateLRWithCustomKey_ThenAcquireLRWithSameKey_Succeeds_Test
.Build();

// Acquire a token for the user via user name/password
#pragma warning disable CS0618 // Type or member is obsolete
AuthenticationResult userAuthResult = await pca
.AcquireTokenByUsernamePassword(s_oboServiceScope, user1.Upn, user1.GetOrFetchPassword())
.ExecuteAsync()
.ConfigureAwait(false);
#pragma warning restore CS0618

// Build the ConfidentialClient for OBO
ConfidentialClientApplication cca = BuildCCA(userAuthResult.TenantId);
Expand Down Expand Up @@ -248,10 +254,12 @@ public async Task NormalOboThenLongRunningAcquire_WithTheSameKey_TestAsync()
.WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
.Build();

#pragma warning disable CS0618 // Type or member is obsolete
var userAuthResult = await pca
.AcquireTokenByUsernamePassword(s_oboServiceScope, user1.Upn, user1.GetOrFetchPassword())
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
#pragma warning restore CS0618

var cca = BuildCCA(userAuthResult.TenantId);

Expand Down Expand Up @@ -317,10 +325,12 @@ public async Task NormalOboThenLongRunningInitiate_WithTheSameKey_TestAsync()
.WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
.Build();

#pragma warning disable CS0618 // Type or member is obsolete
var userAuthResult = await pca
.AcquireTokenByUsernamePassword(s_oboServiceScope, user1.Upn, user1.GetOrFetchPassword())
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
#pragma warning restore CS0618

var cca = BuildCCA(userAuthResult.TenantId);

Expand Down Expand Up @@ -373,10 +383,12 @@ public async Task WithDifferentScopes_TestAsync()
.WithRedirectUri("https://login.microsoftonline.com/common/oauth2/nativeclient")
.Build();

#pragma warning disable CS0618 // Type or member is obsolete
var userAuthResult = await pca
.AcquireTokenByUsernamePassword(s_oboServiceScope, user1.Upn, user1.GetOrFetchPassword())
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
#pragma warning restore CS0618

var cca = BuildCCA(userAuthResult.TenantId);
