Microsoft.Identity.Client.Extensions.Msal

Equivalent to calling open() with flags O_CREAT|O_WRONLY|O_TRUNC. O_TRUNC will truncate the file. See https://man7.org/linux/man-pages/man2/open.2.html

Creates a new file with "600" permissions (i.e. read / write only by the owner) and writes some data to it. On Windows, file security is more complex, but an equivalent is achieved.

This logic will not work on Mono, see https://github.com/NuGet/NuGet.Client/commit/d62db666c710bf95121fe8f5c6a6cbe01985456f

Based on https://stackoverflow.com/questions/45132081/file-permissions-on-linux-unix-with-net-core and on https://github.com/NuGet/NuGet.Client/commit/d62db666c710bf95121fe8f5c6a6cbe01985456f

Windows has a more complex file security system. "600" mode, i.e. read/write for owner translates to this in Windows.

Deletes the cache

Reads the cache

Unprotected cache

Writes the cache

Unprotected cache

Create an ICacheAccessor that can be used for validating persistence. This must be similar but not identical to the current accessor, so that to avoid overwriting an actual token cache

Event args describing which accounts have been added or removed on a cache change

Gets an enumerable of for each account added to the cache.

Gets an enumerable of for each account removed from the cache.

Constructs a new instance of this class.

An enumerable of for each account added to the cache. An enumerable of for each account removed from the cache.

Changes the LastWriteTime of the file, without actually writing anything to it.

Creates the file if it does not exist. This operation will enable a to fire.

Helper to create the token cache

The name of the Default KeyRing collection. Secrets stored in this collection are persisted to disk

The name of the Session KeyRing collection. Secrets stored in this collection are not persisted to disk, but will be available for the duration of the user session.

A default logger for use if the user doesn't want to provide their own.

A lock object for serialization

Properties used to create storage on disk.

Holds a lock object when this helper is accessing the cache. Null otherwise.

Storage that handles the storing of the adal cache file on disk. Internal for testing.

Logger to log events to.

Contains a list of accounts that we know about. This is used as a 'before' list when the cache is changed on disk, so that we know which accounts were added and removed. Used when sending the event.

Watches a filesystem location in order to fire events when the cache on disk is changed. Internal for testing.

Allows clients to listen for cache updates originating from disk.

This event does not fire when the application is built against Mono framework, but it does fire on .Net Core on all 3 operating systems.

Gets the current set of accounts in the cache by creating a new public client, and deserializing the cache into a temporary object.

Creates a new instance of this class.

Properties to use when creating storage on disk. Passing null uses a default logger The set of known accounts Watcher for the cache file, to enable sending updated events

An internal constructor allowing unit tests to data explicitly rather than initializing here.

The token cache to synchronize with the backing store The backing store to use. Passing null uses the default logger

Creates a new instance of . To configure MSAL to use this cache persistence, call

Properties to use when creating storage on disk. Passing null uses the default TraceSource logger. See https://github.com/AzureAD/microsoft-authentication-extensions-for-dotnet/wiki/Logging for details. A new instance of .

Gets the user's root directory across platforms.

Registers a token cache to synchronize with the persistent storage.

The application token cache, typically referenced as Call to have the given token cache stop synchronizing.

Unregisters a token cache so it no longer synchronizes with on disk storage.

Clears the token store. Equivalent to a delete operation on the persistence layer (file delete).

Apps should use MSAL's RemoveAccount to delete accounts, which is guaranteed to remove confidential information about that account. The token cache also contains metadata required for MSAL to operate, degrading the experience and perf when deleted.

Extracts the token cache data from the persistent store

an UTF-8 byte array of the unencrypted token cache This method should be used with care. The data returned is unencrypted.

Saves an unencrypted, UTF-8 encoded byte array representing an MSAL token cache. The save operation will persist the data in a secure location, as configured in

Gets a new instance of a lock for synchronizing against a cache made with the same creation properties.

Before cache access

Callback parameters from MSAL

After cache access

Callback parameters from MSAL

Performs a write -> read -> clear using the underlying persistence mechanism and throws an if something goes wrong.

Does not overwrite the token cache. Should never fail on Windows and Mac where the cache accessors are guaranteed to exist by the OS.

Exception that results when trying to persist data to the underlying OS mechanism (KeyRing, KeyChain, DPAPI) Inspect inner exception for details.

A cross-process lock that works on all platforms, implemented using files. Does not ensure thread safety, i.e. 2 threads from the same process will pass through this lock.

Thread locking should be done using or another such primitive.

Creates a file lock and maintains it until the lock is disposed. Any other process trying to get the lock will wait (spin waiting) until the lock is released. Works on Windows, Mac and Linux.

The path of the lock file, e.g. {MsalCacheHelper.UserRootDirectory}/MyAppsSecrets.lockfile Delay between each attempt to get the lock. Defaults to 100ms How many times to try to get the lock before bailing. Defaults to 600 times. This class is experimental and may be removed from the public API.

Releases the lock

Error returned by libsecret library if saving or retrieving fails https://developer.gnome.org/glib/stable/glib-Error-Reporting.html

error domain

error code

detailed error message

Data structures and methods required for saving and retrieving secret using keyring in linux https://developer.gnome.org/libsecret/0.18/

type of the attribute of the schema for the secret store

string attribute

integer attribute

boolean attribute

flags for the schema creation

no specific flag

during matching of the schema, set this flag to skip matching the name

creates a schema for saving secret

Name of the schema flags to skip matching name for comparison first attribute of the schema type of the first attribute second attribute of the schema type of the second attribute null parameter to indicate end of attributes a schema for saving and retrieving secret

saves a secret in the secret store using the keyring

schema for saving secret collection where to save the secret label of the secret the secret to save optional GCancellable object or null error encountered during saving type of the first attribute value of the first attribute type of the second attribute value of the second attribute null parameter to indicate end of attributes whether the save is successful or not

retrieve a secret from the secret store using the keyring

schema for retrieving secret optional GCancellable object or null >error encountered during retrieval type of the first attribute value of the first attribute type of the second attribute value of the second attribute null parameter to indicate end of attributes the retrieved secret

clears a secret from the secret store using the keyring

schema for the secret optional GCancellable object or null >error encountered during clearing type of the first attribute value of the first attribute type of the second attribute value of the second attribute null parameter to indicate end of attributes the retrieved secret

Get the real user ID of the calling process.

the real user ID of the calling process

Open the default keychain (current user's login keychain).

Optional namespace to scope credential operations. Default keychain.

A set of utilities shared between service and client

default base cache path

Is this a windows platform

A value indicating if we are running on windows or not

Is this a MAC platform

A value indicating if we are running on mac or not

Is this a linux platform

A value indicating if we are running on linux or not

Is this running on mono

A value indicating if we are running on mono or not

Instantiates the process if not done already and retrieves the id of the process. Caches it for the next call.

process id

Instantiates the process if not done already and retrieves the name of the process. Caches it for the next call

process name

Generate the default file location

Root directory

An immutable class containing information required to instantiate storage objects for MSAL caches in various platforms.

This constructor is intentionally internal. To get one of these objects use .

Gets the full path to the cache file, combining the directory and filename.

The name of the cache file.

The name of the directory containing the cache file.

The mac keychain service name.

The mac keychain account name.

The linux keyring schema name.

The linux keyring collection.

The linux keyring secret label.

Additional linux keyring attribute.

The delay between retries if a lock is contended and a retry is requested. (in ms)

Flag which indicates that a plaintext file will be used on Linux for secret storage

Flag which indicates that a plaintext file will be used on all OSes for secret storage

The number of time to retry the lock if it is contended and retrying is possible

The client id.

Only required for the MsalCacheHelper.CacheChanged event

The authority

Only required for the MsalCacheHelper.CacheChanged event

An incremental builder for objects.

Constructs a new instance of this builder associated with the given cache file.

The name of the cache file to use when creating or opening storage. The name of the directory containing the cache file. The client id for the calling application

Constructs a new instance of this builder associated with the given cache file.

The name of the cache file to use when creating or opening storage. The name of the directory containing the cache file.

Returns an immutable instance of matching the configuration of this builder.

An immutable instance of matching the configuration of this builder.

Augments this builder with mac keychain values and returns the augmented builder.

The mac keychain service name The mac keychain account name The augmented builder

Enables the use of the MsalCacheHelper.CacheChanged event, which notifies about accounts added and removed. These accounts are scoped to the client_id and authority specified here.

The client id for which you wish to receive notifications The authority for which you wish to receive notifications The augmented builder

Augments this builder with a custom retry amount and delay between retries in the cases where a lock is used.

Delay between retries in ms, must be 1 or more Number of retries, must be 1 or more The augmented builder

Augments this builder with Linux KeyRing values and returns the augmented builder.

Schema name, e.g. "com.contoso.app". It is a logical container of secrets, similar to a namespace. A collection aggregates multiple schema. KeyRing defines 2 collections - "default' is a persisted schema and "session" is an in-memory schema that is destroyed on logout. A user readable label for the secret, e.g. "Credentials used by Contoso apps" Additional string attribute that will be used to decorate the secret. Additional string attribute that will be used to decorate the secret The augmented builder Attributes are used like scoping keys - their name and values must match the secrets in the KeyRing. A suggested pattern is to use a product name (or a group of products) and a version. If you need to increment the version, the secrets associated with the old version will be ignored.

Use to allow storage of secrets in the cacheFile which was configured in the constructor of this class. WARNING Secrets are stored in PLAINTEXT! Should be used as a fallback for cases where Linux LibSecret is not available, for example over SSH connections. Users are responsible for security.

You can check if the persistence is available by calling msalCacheHelper.VerifyPersistence() For more details see https://github.com/AzureAD/microsoft-authentication-extensions-for-dotnet/blob/main/docs/keyring_fallback_proposal.md

Use to allow storage of secrets in the cacheFile which was configured in the constructor of this class. WARNING Secrets are stored in PLAINTEXT! The application is responsible for storing the plaintext file in a secure location, such as an encrypted drive or ACL directory. Should be used as a fall-back for cases where encrypted persistence is not available, for example: - Linux and Mac over SSH connections - Certain virtualized Windows scenarios where DPAPI is not available

Wrapper over persistence layer. Does not use cross-process locking. To add cross-process locking, wrap calls with

Consider using the higher level

The storage creation properties used to create this storage

A default logger for use if the user doesn't want to provide their own.

Initializes a new instance of the class. The actual cache reading and writing is OS specific: Windows DPAPI encrypted file on behalf of the user. Mac Cache is stored in KeyChain. Linux Cache is stored in Gnome KeyRing - https://developer.gnome.org/libsecret/0.18/

Properties for creating the cache storage on disk logger

Read and unprotect cache data

Unprotected cache data

Protect and write cache data to file. It overrides existing data.

Cache data

Delete cache file

Throw on exceptions

Tries to write -> read -> clear a secret from the underlying persistence mechanism

An unexpected error occurred in interop-code.

Native error code.