AOT-Compatible Web API Authentication for .NET 10+ by Copilot · Pull Request #3705 · AzureAD/microsoft-identity-web

Copilot · 2026-02-04T01:49:12Z

AOT-Compatible Web API Authentication for .NET 10+

Summary

Adds AddMicrosoftIdentityWebApiAot() - an AOT-compatible alternative to AddMicrosoftIdentityWebApi() that uses MicrosoftIdentityApplicationOptions (Abstractions 11) instead of the reflection-heavy MicrosoftIdentityOptions. OBO works automatically with just AddMicrosoftIdentityWebApiAot() + AddTokenAcquisition().

New API (`NET10_0_OR_GREATER` only)

Example 1 - Source-generated configuration binding

The caller passes azureAdSection.Bind(options) as the configure delegate. With the <EnableConfigurationBindingGenerator>true</EnableConfigurationBindingGenerator> MSBuild property in the project file, the .NET source generator produces compile-time binding code for that Bind() call — no reflection at runtime, fully AOT-safe.

    var azureAdSection = builder.Configuration.GetSection("AzureAd");

    builder.Services
        .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApiAot(
            options => azureAdSection.Bind(options),
            JwtBearerDefaults.AuthenticationScheme,
            configureJwtBearerOptions: null);
    builder.Services.AddTokenAcquisition();

Example 2 - Programmatic configuration

    builder.Services
        .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApiAot(options =>
        {
            options.Instance = "https://login.microsoftonline.com/";
            options.TenantId = "contoso.onmicrosoft.com";
            options.ClientId = "your-api-client-id";
        }, JwtBearerDefaults.AuthenticationScheme, null);
    builder.Services.AddTokenAcquisition();

Key Design Decisions

PostConfigure validation - validates final merged config after customer overrides
Shared helpers (IdentityOptionsHelpers) - common logic (issuer/audience validation, token storage) used by both AOT and non-AOT paths
Non-breaking - existing APIs unchanged; new APIs are additive and conditionally compiled

Files

New	Purpose
`Internal/IdentityOptionsHelpers.cs`	Shared helpers: authority building, audience/issuer validation, token storage
`WebApiExtensions/...BuilderExtensions.Aot.cs`	`AddMicrosoftIdentityWebApiAot()` extension methods
`PostConfigureOptions/...PostConfigurator.cs`	Post-configuration: validation, audience, OBO setup
`WebApiExtensionsAotTests.cs`	Unit tests for all AOT methods

Testing

All TFMs build (net462, net472, netstandard2.0, net8.0, net9.0, net10.0)
11+ unit tests covering registration, authority building, audience validation, OBO chaining, customer overrides, error handling

jmprieur

@copilot this is a great start

I left a comment (one implementation to change slightly for backwards compatibility of the options validation)

jennyf19

Will there be tests added? and maybe yes to dropping b2c in the AOT path

jmprieur · 2026-02-04T03:06:37Z

Will there be tests added? and maybe yes to dropping b2c in the AOT path

Yes tests are next. I first want to test I this does not break the current behavior at all (as I've factorized code)
Then I'll create the new tests and the AoT. A good candidate would be the sidecar. Unfortunately it's on net9 and the OpenApi has changed a lot between 9 and 10 .. so a lot of work

Dropping b2c ... what I asked this afternoon ...

jmprieur

@copilot: can you please add the unit tests for the classes you added.
We'll do the integration tests together tomorrow

Copilot · 2026-02-04T04:57:00Z

@copilot: can you please add the unit tests for the classes you added.
We'll do the integration tests together tomorrow

Added comprehensive unit tests in commit fcac19b (WebApiExtensionsAotTests.cs). Tests cover:

Service registration for both overloads
Authority building (AAD and B2C)
Audience validation setup
OBO support via OnTokenValidated chaining
PostConfigurator behavior
Customer override scenarios
Validation error handling

Tests will run once Microsoft.Identity.Abstractions 11.0.0 is published or built locally.

Copilot

Pull request overview

This PR adds AOT-compatible Web API authentication methods for .NET 10+ that use MicrosoftIdentityApplicationOptions instead of the reflection-heavy MicrosoftIdentityOptions. The implementation introduces new extension methods AddMicrosoftIdentityWebApiAot(), shared helper utilities, and a post-configurator for validation and OBO support.

Changes:

Added new AOT-compatible extension methods for Web API authentication (NET10_0_OR_GREATER only)
Introduced shared helper methods in IdentityOptionsHelpers for authority building, validation, and token storage
Created a post-configurator for JWT Bearer options that validates and configures authentication after all options are merged
Modified existing code to use shared helpers and added AOT-compatible configuration binding for .NET 10+

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
`tests/Microsoft.Identity.Web.Test/WebApiExtensionsAotTests.cs`	Comprehensive unit tests for AOT extension methods covering service registration, configuration, validation, and OBO support
`tests/Microsoft.Identity.Web.AotCompatibility.TestApp/Program.cs`	Test application demonstrating AOT-compatible API usage with WebApplication.CreateSlimBuilder
`tests/Microsoft.Identity.Web.AotCompatibility.TestApp/Microsoft.Identity.Web.AotCompatibility.TestApp.csproj`	Updated target framework to net10.0 with PublishAot enabled
`src/Microsoft.Identity.Web/WebApiExtensions/MicrosoftIdentityWebApiAuthenticationBuilderExtensions.cs`	Made class partial to support AOT extension file
`src/Microsoft.Identity.Web/WebApiExtensions/MicrosoftIdentityWebApiAuthenticationBuilderExtensions.Aot.cs`	New AOT-compatible extension methods with configuration section and programmatic overloads
`src/Microsoft.Identity.Web/WebApiExtensions/MicrosoftIdentityWebApiAuthenticationBuilder.cs`	Refactored to use shared token storage helper
`src/Microsoft.Identity.Web/PublicAPI/net*.0/InternalAPI.Unshipped.txt`	Added internal API entries for IdentityOptionsHelpers and PostConfigurator across all target frameworks
`src/Microsoft.Identity.Web/PublicAPI/net10.0/PublicAPI.Unshipped.txt`	Added public API entries for the two AddMicrosoftIdentityWebApiAot overloads
`src/Microsoft.Identity.Web/PostConfigureOptions/MicrosoftIdentityJwtBearerOptionsPostConfigurator.cs`	New post-configurator that validates options and configures JWT Bearer authentication (validation, authority, audience, issuer, token decryption, OBO)
`src/Microsoft.Identity.Web/Internal/IdentityOptionsHelpers.cs`	Shared helper methods for authority building, validation, audience configuration, and token storage chaining
`src/Microsoft.Identity.Web.TokenAcquisition/WebApiBuilders.cs`	Updated to use MicrosoftIdentityOptionsBinder for NET10_0_OR_GREATER
`src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net*.0/InternalAPI.Unshipped.txt`	Added MicrosoftIdentityOptionsBinder to internal API surface
`src/Microsoft.Identity.Web.TokenAcquisition/Microsoft.Identity.Web.TokenAcquisition.csproj`	Updated IsAotCompatible and EnableConfigurationBindingGenerator to net10.0
`src/Microsoft.Identity.Web.TokenAcquisition/Internal/MicrosoftIdentityOptionsBinder.cs`	New AOT-compatible configuration binder for MicrosoftIdentityOptions (manually binds properties without reflection)

Copilot AI assigned Copilot and jmprieur Feb 4, 2026

Copilot started work on behalf of jmprieur February 4, 2026 01:49 View session

Copilot AI changed the title ~~[WIP] Update web APIs for AoT compatibility and simplify OBO flow~~ Add AOT-compatible Web API authentication for .NET 10+ Feb 4, 2026

Copilot AI requested a review from jmprieur February 4, 2026 02:11

Copilot finished work on behalf of jmprieur February 4, 2026 02:11

jmprieur mentioned this pull request Feb 4, 2026

Add AOT-compatible Web API authentication for .NET 10+ (without factorization) #3704

Closed

20 tasks