Microsoft.Identity.Client
Contains information of a single account. A user can be present in multiple directories and thus have multiple accounts.
This information is used for token cache lookup and enforcing the user session on the STS authorize endpoint.
Constructor
Home account id in "uid.utid" format; can be null, for example when migrating the ADAL v3 cache
UPN style , can be null
Identity provider for this account, e.g. login.microsoftonline.com
An identifier for an account in a specific tenant. Returned by
Unique identifier for the account
For Azure AD, the identifier is the concatenation of and separated by a dot.
Contrary to what was happening in ADAL.NET, these two segments are no longer base64 encoded.
For Azure AD, a string representation for a Guid which is the Object ID of the user owning the account in the tenant
For Azure AD, a string representation for a Guid, which is the ID of the tenant where the account resides.
Constructor of an AccountId
Unique identifier for the account.
A string representation for a GUID which is the ID of the user owning the account in the tenant
A string representation for a GUID, which is the ID of the tenant where the account resides
Two accounts are equal when their properties match
GetHashCode implementation to match
Textual description of an
Base class for builders of token requests, which attempt to acquire a token
based on the provided parameters
Executes the Token request asynchronously, with a possibility of cancelling the
asynchronous method.
Cancellation token. See
Authentication result containing a token for the requested scopes and parameters
set in the builder
Cancellation is not guaranteed, it is best effort. If the operation reaches a point of no return, e.g.
tokens are acquired and written to the cache, the task will complete even if cancellation was requested.
Do not rely on cancellation tokens for strong consistency.
Executes the Token request asynchronously.
Authentication result containing a token for the requested scopes and parameters
set in the builder
Specifies which scopes to request
Scopes requested to access a protected API
The builder to chain the .With methods
Sets Extra Query Parameters for the query string in the HTTP authentication request
This parameter will be appended as is to the query string in the HTTP authentication request to the authority
as a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
The builder to chain the .With methods
Sets claims in the query. Use when the AAD admin has enabled conditional access. Acquiring the token normally will result in a
with the property set. Retry the
token acquisition, and use this value in the method. See https://aka.ms/msal-exceptions for details
A string with one or multiple claims.
The builder to chain .With methods
Sets Extra Query Parameters for the query string in the HTTP authentication request
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
The string needs to be properly URL-encdoded and ready to send as a string of segments of the form key=value separated by an ampersand character.
Specific authority for which the token is requested. Passing a different value than configured
at the application constructor narrows down the selection to a specific tenant.
This does not change the configured value in the application. This is specific
to applications managing several accounts (like a mail client with several mailboxes).
See https://aka.ms/msal-net-application-configuration
Uri for the authority. In the case when the authority URI is
a known Azure AD URI, this setting needs to be consistent with what is declared in
the application registration portal
Whether the authority should be validated against the server metadata.
The builder to chain the .With methods
Adds a known Azure AD authority to the application to sign-in users from a single
organization (single tenant application) specified by its tenant ID. See https://aka.ms/msal-net-application-configuration.
Azure Cloud instance
Guid of the tenant from which to sign-in users
Whether the authority should be validated against the server metadata.
The builder to chain the .With methods
Adds a known Azure AD authority to the application to sign-in users from a single
organization (single tenant application) described by its domain name. See https://aka.ms/msal-net-application-configuration.
Uri to the Azure Cloud instance (for instance
https://login.microsoftonline.com)
domain name associated with the tenant from which to sign-in users
Whether the authority should be validated against the server metadata.
can also contain the string representation of a GUID (tenantId),
or even common, organizations or consumers but in this case
it's recommended to use another override (
and
The builder to chain the .With methods
Adds a known Azure AD authority to the application to sign-in users from a single
organization (single tenant application) described by its cloud instance and its tenant ID.
See https://aka.ms/msal-net-application-configuration.
Instance of Azure Cloud (for instance Azure
worldwide cloud, Azure German Cloud, US government ...)
Tenant Id of the tenant from which to sign-in users
Whether the authority should be validated against the server metadata.
The builder to chain the .With methods
Adds a known Azure AD authority to the application to sign-in users from a single
organization (single tenant application) described by its cloud instance and its domain
name or tenant ID. See https://aka.ms/msal-net-application-configuration.
Instance of Azure Cloud (for instance Azure
worldwide cloud, Azure German Cloud, US government ...)
Domain name associated with the Azure AD tenant from which
Whether the authority should be validated against the server metadata.
to sign-in users. This can also be a guid
The builder to chain the .With methods
Adds a known Azure AD authority to the application to sign-in users specifying
the cloud instance and the sign-in audience. See https://aka.ms/msal-net-application-configuration.
Instance of Azure Cloud (for instance Azure
worldwide cloud, Azure German Cloud, US government ...)
Sign-in audience (one AAD organization,
any work and school accounts, or any work and school accounts and Microsoft personal
accounts
Whether the authority should be validated against the server metadata.
The builder to chain the .With methods
Adds a known Azure AD authority to the application to sign-in users specifying
the sign-in audience (the cloud being the Azure public cloud). See https://aka.ms/msal-net-application-configuration.
Sign-in audience (one AAD organization,
any work and school accounts, or any work and school accounts and Microsoft personal
accounts
Whether the authority should be validated against the server metadata.
The builder to chain the .With methods
Adds a known Authority corresponding to an ADFS server. See https://aka.ms/msal-net-adfs
Authority URL for an ADFS server
Whether the authority should be validated against the server metadata.
MSAL.NET will only support ADFS 2019 or later.
The builder to chain the .With methods
Adds a known authority corresponding to an Azure AD B2C policy.
See https://aka.ms/msal-net-b2c-specificities
Azure AD B2C authority, including the B2C policy (for instance
"https://fabrikamb2c.b2clogin.com/tfp/{Tenant}/{policy})
The builder to chain the .With methods
Validates the parameters of the AcquireToken operation.
Base class for parameter builders common to public client application and confidential
client application token acquisition operations
Base class for confidential client application token request builders
Base class for public client application token request builders
Builder for AcquireTokenByAuthorizationCode
Builder for AcquireTokenByIntegratedWindowsAuth
Specifies the username.
Identifier of the user account for which to acquire a token with
Integrated Windows authentication. Generally in UserPrincipalName (UPN) format,
e.g. john.doe@contoso.com
The builder to chain the .With methods
Parameter builder for the
method. See https://aka.ms/msal-net-migration-adal2-msal2
Parameter builder for the
operation. See https://aka.ms/msal-net-up
Builder for AcquireTokenForClient (used in client credential flows, in daemon applications).
See https://aka.ms/msal-net-client-credentials
Specifies if the token request will ignore the access token in the application token cache
and will attempt to acquire a new access token using client credentials.
By default the token is taken from the application token cache (forceRefresh=false)
If true, the request will ignore the token cache. The default is false
The builder to chain the .With methods
Specifies if the x5c claim (public key of the certificate) should be sent to the STS.
Sending the x5x enables application developers to achieve easy certificate roll-over in Azure AD:
this method will send the public certificate to Azure AD along with the token request,
so that Azure AD can use it to validate the subject name based on a trusted issuer policy.
This saves the application admin from the need to explicitly manage the certificate rollover
(either via portal or powershell/CLI operation)
true if the x5c should be sent. Otherwise false.
The default is false
The builder to chain the .With methods
Builder for an Interactive token request. See https://aka.ms/msal-net-acquire-token-interactively
Specifies if the public client application should used an embedded web browser
or the system default browser
If true, will use an embedded web browser,
otherwise will attempt to use a system web browser. The default depends on the platform:
false for Xamarin.iOS and Xamarin.Android, and true for .NET Framework,
and UWP
The builder to chain the .With methods
Sets the , in order to avoid select account
dialogs in the case the user is signed-in with several identities. This method is mutually exclusive
with . If both are used, an exception will be thrown
Identifier of the user. Generally in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com
The builder to chain the .With methods
Sets the account for which the token will be retrieved. This method is mutually exclusive
with . If both are used, an exception will be thrown
Account to use for the interactive token acquisition. See for ways to get an account
The builder to chain the .With methods
Scopes that you can request the end user to consent upfront,
in addition to the scopes for the protected Web API for which you want to acquire a security token.
The builder to chain the .With methods
Specifies the what the interactive experience is for the user.
Requested interactive experience. The default is
The builder to chain the .With methods
Sets a reference to the ViewController (if using Xamarin.iOS), Activity (if using Xamarin.Android)
IWin32Window or IntPtr (if using .Net Framework). Used for invoking the browser.
Mandatory only on Android. Can also be set via the PublicClientApplcation builder.
The parent as an object, so that it can be used from shared NetStandard assemblies
The builder to chain the .With methods
Builder for AcquireTokenOnBehalfOf (OBO flow)
See https://aka.ms/msal-net-on-behalf-of
Specifies if the x5c claim (public key of the certificate) should be sent to the STS.
Sending the x5c enables application developers to achieve easy certificate roll-over in Azure AD:
this method will send the public certificate to Azure AD along with the token request,
so that Azure AD can use it to validate the subject name based on a trusted issuer policy.
This saves the application admin from the need to explicitly manage the certificate rollover
(either via portal or powershell/CLI operation)
true if the x5c should be sent. Otherwise false.
The default is false
The builder to chain the .With methods
Parameter builder for the
operation. See https://aka.ms/msal-net-acquiretokensilent
Specifies if the client application should force refreshing the
token from the user token cache. By default the token is taken from the
the application token cache (forceRefresh=false)
If true, ignore any access token in the user token cache
and attempt to acquire new access token using the refresh token for the account
if one is available. This can be useful in the case when the application developer wants to make
sure that conditional access policies are applied immediately, rather than after the expiration of the access token.
The default is false
The builder to chain the .With methods
Avoid un-necessarily setting to true true in order to
avoid negatively affecting the performance of your application
Parameters builder for the
operation. See https://aka.ms/msal-net-device-code-flow
Sets the Callback delegate so your application can
interact with the user to direct them to authenticate (to a specific URL, with a code)
callback containing information to show the user about how to authenticate
and enter the device code.
The builder to chain the .With methods
NOTE: a few of the methods in AbstractAcquireTokenParameterBuilder (e.g. account) don't make sense here.
Do we want to create a further base that contains ALL of the common methods, and then have another one including
account, etc
that are only used for AcquireToken?
Sets the redirect URI to add to the Authorization request URL
Address to return to upon receiving a response from the authority.
Specifies which Microsoft accounts can be used for sign-in with a given application.
See https://aka.ms/msal-net-application-configuration
The sign-in audience was not specified
Users with a Microsoft work or school account in my organization’s Azure AD tenant (i.e. single tenant).
Maps to https://[instance]/[tenantId]
Users with a personal Microsoft account, or a work or school account in any organization’s Azure AD tenant
Maps to https://[instance]/common/
Users with a Microsoft work or school account in any organization’s Azure AD tenant (i.e. multi-tenant).
Maps to https://[instance]/organizations/
Users with a personal Microsoft account. Maps to https://[instance]/consumers/
Uses a specific to communicate
with the IdP. This enables advanced scenarios such as setting a proxy,
or setting the Agent.
HTTP client factory
MSAL does not guarantee that it will not modify the HttpClient, for example by adding new headers.
The builder to chain the .With methods
Sets the logging callback. For details see https://aka.ms/msal-net-logging
Desired level of logging. The default is LogLevel.Info
Boolean used to enable/disable logging of
Personally Identifiable Information (PII).
PII logs are never written to default outputs like Console, Logcat or NSLog
Default is set to false, which ensures that your application is compliant with GDPR.
You can set it to true for advanced debugging requiring PII
Flag to enable/disable logging to platform defaults.
In Desktop/UWP, Event Tracing is used. In iOS, NSLog is used.
In android, logcat is used. The default value is false
The builder to chain the .With methods
is thrown if the loggingCallback
was already set on the application builder
Sets the Debug logging callback to a default debug method which displays
the level of the message and the message itself. For details see https://aka.ms/msal-net-logging
Desired level of logging. The default is LogLevel.Info
Boolean used to enable/disable logging of
Personally Identifiable Information (PII).
PII logs are never written to default outputs like Console, Logcat or NSLog
Default is set to false, which ensures that your application is compliant with GDPR.
You can set it to true for advanced debugging requiring PII
Flag to enable/disable logging to platform defaults.
In Desktop/UWP, Event Tracing is used. In iOS, NSLog is used.
In android, logcat is used. The default value is false
The builder to chain the .With methods
is thrown if the loggingCallback
was already set on the application builder by calling
Sets the telemetry callback. For details see https://aka.ms/msal-net-telemetry
Delegate to the callback sending the telemetry
elaborated by the library to the telemetry endpoint of choice
The builder to chain the .With methods
is thrown if the method was already
called on the application builder.
Sets the Client ID of the application
Client ID (also known as Application ID) of the application as registered in the
application registration portal (https://aka.ms/msal-net-register-app)
The builder to chain the .With methods
Sets the redirect URI of the application. See https://aka.ms/msal-net-application-configuration
URL where the STS will call back the application with the security token.
This parameter is not required for desktop or UWP applications (as a default is used).
It's not required for mobile applications that don't use a broker
It is required for Web Apps
The builder to chain the .With methods
Sets the Tenant Id of the organization from which the application will let
users sign-in. This is classically a GUID or a domain name. See https://aka.ms/msal-net-application-configuration.
Although it is also possible to set to common,
organizations, and consumers, it's recommended to use one of the
overrides of
tenant ID of the Azure AD tenant
or a domain associated with this Azure AD tenant, in order to sign-in a user of a specific organization only
The builder to chain the .With methods
Sets the name of the calling application for telemetry purposes.
The name of the application for telemetry purposes.
Sets the version of the calling application for telemetry purposes.
The version of the calling application for telemetry purposes.
Sets application options, which can, for instance have been read from configuration files.
See https://aka.ms/msal-net-application-configuration.
Application options
The builder to chain the .With methods
Sets Extra Query Parameters for the query string in the HTTP authentication request
This parameter will be appended as is to the query string in the HTTP authentication request to the authority
as a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
The builder to chain the .With methods
Sets Extra Query Parameters for the query string in the HTTP authentication request
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
The string needs to be properly URL-encdoded and ready to send as a string of segments of the form key=value separated by an ampersand character.
Generate MATS telemetry aggregation events.
TODO(mats): make this public when we're ready to turn it on.
Adds a known authority to the application from its Uri. See https://aka.ms/msal-net-application-configuration.
This constructor is mainly used for scenarios where the authority is not a standard Azure AD authority,
nor an ADFS authority, nor an Azure AD B2C authority. For Azure AD, even in national and sovereign clouds, prefer
using other overrides such as
Uri of the authority
Whether the authority should be validated against the server metadata.
The builder to chain the .With methods
Adds a known Azure AD authority to the application to sign-in users from a single
organization (single tenant application) specified by its tenant ID. See https://aka.ms/msal-net-application-configuration.
Azure Cloud instance
Guid of the tenant from which to sign-in users
Whether the authority should be validated against the server metadata.
The builder to chain the .With methods
Adds a known Azure AD authority to the application to sign-in users from a single
organization (single tenant application) described by its domain name. See https://aka.ms/msal-net-application-configuration.
Uri to the Azure Cloud instance (for instance
https://login.microsoftonline.com)
domain name associated with the tenant from which to sign-in users
Whether the authority should be validated against the server metadata.
can also contain the string representation of a GUID (tenantId),
or even common, organizations or consumers but in this case
it's recommended to use another override (
and
The builder to chain the .With methods
Adds a known Azure AD authority to the application to sign-in users from a single
organization (single tenant application) described by its cloud instance and its tenant ID.
See https://aka.ms/msal-net-application-configuration.
Instance of Azure Cloud (for instance Azure
worldwide cloud, Azure German Cloud, US government ...)
Tenant Id of the tenant from which to sign-in users
Whether the authority should be validated against the server metadata.
The builder to chain the .With methods
Adds a known Azure AD authority to the application to sign-in users from a single
organization (single tenant application) described by its cloud instance and its domain
name or tenant ID. See https://aka.ms/msal-net-application-configuration.
Instance of Azure Cloud (for instance Azure
worldwide cloud, Azure German Cloud, US government ...)
Domain name associated with the Azure AD tenant from which
Whether the authority should be validated against the server metadata.
to sign-in users. This can also be a guid
The builder to chain the .With methods
Adds a known Azure AD authority to the application to sign-in users specifying
the cloud instance and the sign-in audience. See https://aka.ms/msal-net-application-configuration.
Instance of Azure Cloud (for instance Azure
worldwide cloud, Azure German Cloud, US government ...)
Sign-in audience (one AAD organization,
any work and school accounts, or any work and school accounts and Microsoft personal
accounts
Whether the authority should be validated against the server metadata.
The builder to chain the .With methods
Adds a known Azure AD authority to the application to sign-in users specifying
the sign-in audience (the cloud being the Azure public cloud). See https://aka.ms/msal-net-application-configuration.
Sign-in audience (one AAD organization,
any work and school accounts, or any work and school accounts and Microsoft personal
accounts
Whether the authority should be validated against the server metadata.
The builder to chain the .With methods
Adds a known Azure AD authority to the application to sign-in users specifying
the full authority Uri. See https://aka.ms/msal-net-application-configuration.
URL of the security token service (STS) from which MSAL.NET will acquire the tokens.
Usual authorities endpoints for the Azure public Cloud are:
- https://login.microsoftonline.com/tenant/ where tenant is the tenant ID of the Azure AD tenant
or a domain associated with this Azure AD tenant, in order to sign-in users of a specific organization only
- https://login.microsoftonline.com/common/ to sign-in users with any work and school accounts or Microsoft personal account
- https://login.microsoftonline.com/organizations/ to sign-in users with any work and school accounts
- https://login.microsoftonline.com/consumers/ to sign-in users with only personal Microsoft accounts (live)
Note that this setting needs to be consistent with what is declared in the application registration portal
Whether the authority should be validated against the server metadata.
The builder to chain the .With methods
Adds a known Authority corresponding to an ADFS server. See https://aka.ms/msal-net-adfs
Authority URL for an ADFS server
Whether the authority should be validated against the server metadata.
MSAL.NET will only support ADFS 2019 or later.
The builder to chain the .With methods
Adds a known authority corresponding to an Azure AD B2C policy.
See https://aka.ms/msal-net-b2c-specificities
Azure AD B2C authority, including the B2C policy (for instance
"https://fabrikamb2c.b2clogin.com/tfp/{Tenant}/{policy})
The builder to chain the .With methods
Should _not_ go in the interface, only for builder usage while determining authorities with ApplicationOptions
Should _not_ go in the interface, only for builder usage while determining authorities with ApplicationOptions
Should _not_ go in the interface, only for builder usage while determining authorities with ApplicationOptions
Base class for options objects with string values loadable from a configuration file
(for instance a JSON file, as in an asp.net configuration scenario)
See https://aka.ms/msal-net-application-configuration
See also derived classes
and
Client ID (also known as App ID) of the application as registered in the
application registration portal (https://aka.ms/msal-net-register-app)
Tenant from which the application will allow users to sign it. This can be:
a domain associated with a tenant, a guid (tenant id), or a meta-tenant (e.g. consumers).
This property is mutually exclusive with . If both
are provided, an exception will be thrown.
The name of the property was chosen to ensure compatibility with AzureAdOptions
in ASP.NET Core configuration files (even the semantics would be tenant)
Sign-in audience. This property is mutually exclusive with TenantId. If both
are provided, an exception will be thrown.
STS instance (for instance https://login.microsoftonline.com for the Azure public cloud).
The name was chosen to ensure compatibility with AzureAdOptions in ASP.NET Core.
This property is mutually exclusive with . If both
are provided, an exception will be thrown.
Specific instance in the case of Azure Active Directory.
It allows users to use the enum instead of the explicit url.
This property is mutually exclusive with . If both
are provided, an exception will be thrown.
The redirect URI (also known as Reply URI or Reply URL), is the URI at which Azure AD will contact back the application with the tokens.
This redirect URI needs to be registered in the app registration (https://aka.ms/msal-net-register-app).
In MSAL.NET, IPublicClientApplication defines the following default RedirectUri values:
- urn:ietf:wg:oauth:2.0:oob for desktop (.NET Framework and .NET Core) applications
- msal{ClientId} for Xamarin iOS and Xamarin Android without broker (as this will be used by the system web browser by default on these
platforms to call back the application)
These default URIs could change in the future.
For Web Apps and Web APIs, the redirect URI can be the URL of the application
For daemon applications (confidential client applications using only the Client Credential flow
that is calling AcquireTokenForClient), no reply URI is needed.
This is especially important when you deploy an application that you have initially tested locally;
you then need to add the reply URL of the deployed application in the application registration portal
Enables you to configure the level of logging you want. The default value is . Setting it to will only get errors
Setting it to will get errors and warning, etc..
See https://aka.ms/msal-net-logging
Flag to enable/disable logging of Personally Identifiable Information (PII).
PII logs are never written to default outputs like Console, Logcat or NSLog
Default is set to false, which ensures that your application is compliant with GDPR. You can set
it to true for advanced debugging requiring PII. See https://aka.ms/msal-net-logging
Flag to enable/disable logging to platform defaults. In Desktop/UWP, Event Tracing is used. In iOS, NSLog is used.
In Android, logcat is used. The default value is false. See https://aka.ms/msal-net-logging
Identifier of the component (libraries/SDK) consuming MSAL.NET.
This will allow for disambiguation between MSAL usage by the app vs MSAL usage by component libraries.
The name of the calling application for telemetry purposes.
The version of the calling application for telemetry purposes.
Value communicating that the AzureCloudInstance is not specified.
Microsoft Azure public cloud. Maps to https://login.microsoftonline.com
Microsoft Chinese national cloud. Maps to https://login.chinacloudapi.cn
Microsoft German national cloud ("Black Forest"). Maps to https://login.microsoftonline.de
US Government cloud. Maps to https://login.microsoftonline.us
Constructor of a ConfidentialClientApplicationBuilder from application configuration options.
See https://aka.ms/msal-net-application-configuration
Public client applications configuration options
A from which to set more
parameters, and to create a public client application instance
Creates a ConfidentialClientApplicationBuilder from a clientID.
See https://aka.ms/msal-net-application-configuration
Client ID (also known as App ID) of the application as registered in the
application registration portal (https://aka.ms/msal-net-register-app)/.
A from which to set more
parameters, and to create a public client application instance
Sets the certificate associated with the application
The X509 certificate used as credentials to prove the identity of the application to Azure AD.
Sets the application secret
Secret string previously shared with AAD at application registration to prove the identity
of the application (the client) requesting the tokens
Builds the ConfidentialClientApplication from the parameters set
in the builder
Configuration options for a confidential client application
(Web app / Web API / daemon app). See https://aka.ms/msal-net/application-configuration
Client secret for the confidential client application. This secret (application password)
is provided by the application registration portal, or provided to Azure AD during the
application registration with PowerShell AzureAD, PowerShell AzureRM, or Azure CLI.
Configuration properties used to build a public or confidential client application
Client ID (also known as App ID) of the application as registered in the
application registration portal (https://aka.ms/msal-net-register-app)
Flag telling if logging of Personally Identifiable Information (PII) is enabled/disabled for
the application. See https://aka.ms/msal-net-logging
used to get HttpClient instances to commmunicate
with the identity provider.
Level of logging requested for the app.
See https://aka.ms/msal-net-logging
Flag telling if logging to platform defaults is enabled/disabled for the app.
In Desktop/UWP, Event Tracing is used. In iOS, NSLog is used.
In Android, logcat is used. See https://aka.ms/msal-net-logging
Redirect URI for the application. See
Audience for the application. See
Callback used for logging. It was set with
See https://aka.ms/msal-net-logging
Callback used for sending telemetry about MSAL.NET out of your app. It was set by a call
to
Extra query parameters that will be applied to every acquire token operation.
See
The name of the calling application for telemetry purposes.
The version of the calling application for telemetry purposes.
Flag to enable authentication with the user currently logeed-in in Windows.
When set to true, the application will try to connect to the corporate network using windows integrated authentication.
ExtendedLifeTimeEnabled is a Boolean that applications can set to true in case when the STS has an outage,
to be more resilient.
Used for debugging and testing.
Factory responsible for creating HttpClient
.Net recommends to use a single instance of HttpClient
Implementations must be thread safe. Consider creating and configuring an HttpClient in the constructor
of the factory, and returning the same object in
Method returning an Http client that will be used to
communicate with Azure AD. This enables advanced scenarios.
See https://aka.ms/msal-net-application-configuration
An Http client
Creates a PublicClientApplicationBuilder from public client application
configuration options. See https://aka.ms/msal-net-application-configuration
Public client applications configuration options
A from which to set more
parameters, and to create a public client application instance
Creates a PublicClientApplicationBuilder from a clientID.
See https://aka.ms/msal-net-application-configuration
Client ID (also known as App ID) of the application as registered in the
application registration portal (https://aka.ms/msal-net-register-app)/.
A from which to set more
parameters, and to create a public client application instance
Flag to enable authentication with the user currently logeed-in in Windows.
When set to true, the application will try to connect to the corporate network using windows integrated authentication.
A from which to set more
parameters, and to create a public client application instance
Configuration options for a public client application (desktop/mobile app).
See https://aka.ms/msal-net/application-configuration
Contains the results of one token acquisition operation in
or . For details see https://aka.ms/msal-net-authenticationresult
Constructor meant to help application developers test their apps. Allows mocking of authentication flows.
App developers should never new-up in product code.
Access Token that can be used as a bearer token to access protected web APIs
Account information
Expiracy date-time for the access token
See
ID token
See
granted scope values as returned by the service
identifier for the Azure AD tenant from which the token was acquired. Can be null
Unique Id of the account. It can be null. When the is not null, this is its ID, that
is its ObjectId claim, or if that claim is null, the Subject claim.
Access Token that can be used as a bearer token to access protected web APIs
In case when Azure AD has an outage, to be more resilient, it can return tokens with
an expiration time, and also with an extended expiration time.
The tokens are then automatically refreshed by MSAL when the time is more than the
expiration time, except when ExtendedLifeTimeEnabled is true and the time is less
than the extended expiration time. This goes in pair with Web APIs middleware which,
when this extended life time is enabled, can accept slightly expired tokens.
Client applications accept extended life time tokens only if
the ExtendedLifeTimeEnabled Boolean is set to true on ClientApplicationBase.
Gets the Unique Id of the account. It can be null. When the is not null, this is its ID, that
is its ObjectId claim, or if that claim is null, the Subject claim.
Gets the point in time in which the Access Token returned in the property ceases to be valid.
This value is calculated based on current UTC time measured locally and the value expiresIn received from the
service.
Gets the point in time in which the Access Token returned in the AccessToken property ceases to be valid in MSAL's extended LifeTime.
This value is calculated based on current UTC time measured locally and the value ext_expiresIn received from the service.
Gets an identifier for the Azure AD tenant from which the token was acquired. This property will be null if tenant information is
not returned by the service.
Gets the account information. Some elements in might be null if not returned by the
service. The account can be passed back in some API overloads to identify which account should be used such
as or
for instance
Gets the Id Token if returned by the service or null if no Id Token is returned.
Gets the granted scope values returned by the service.
Creates the content for an HTTP authorization header from this authentication result, so
that you can call a protected API
Created authorization header of the form "Bearer {AccessToken}"
Here is how you can call a protected API from this authentication result (in the result
variable):
HttpClient client = new HttpClient();
client.DefaultRequestHeaders.Add("Authorization", result.CreateAuthorizationHeader());
HttpResponseMessage r = await client.GetAsync(urlOfTheProtectedApi);
In MSAL.NET 1.x, returned the user who signed in to get the authentication result. From MSAL 2.x
rather use instead. See https://aka.ms/msal-net-2-released for more details.
This interface is for an individual request to access the cache functions.
It is assumed that the implementation will have context about the call
when using the cache manager. In msal, this context means AuthenticationParameters.
Try to read the cache. If a cache hit of any kind is found, return the token(s)
and account information that was discovered.
True if a cache hit of any kind is found, False otherwise.
Given a MsalTokenResponse from the server, cache any relevant entries.
Delete the cached refresh token for this cache context.
Interface to handle transforming unified schema types to/from the ADAL Legacy cache format
and storing/retrieving them to/from the adal cache persistence.
This interface represents raw byte i/o for cache data stored using relative paths (e.g. in memory, file system).
Interface providing mechanism to transform the unified schema types into their appropriate "path"
or "key" for storage/retrieval. For example, on Windows, this will be a relative file system path.
But on iOS/macOS is will be a path to keychain storage.
This is the in-memory cache implementation. This should be used when a developer wants
to persist the cache data on their own (e.g. in a distributed cloud environment).
Returns list of relative paths at this directory, and downwards if recurse is true.
Equivalence layer with MSAL C++ and other native platforms for handing read/write/query operations
on the various credential and account types in the unified cache.
Also provides (on msal.net) access to the Adal Legacy Cache Manager for ensuring legacy cache interop
during storage access.
This does most of the raw work of IStorageManager but without knowledge of cross cutting concerns
like telemetry.
TODO: this should be merged conceptually with MsalTokenResponse...
A class to implement Base32Hex encoding
The different characters allowed in Base32 encoding.
This is a 32-character subset of the twenty-six letters A–Z and six digits 2–7.
https://en.wikipedia.org/wiki/Base32
Converts a byte array into a Base32 string.
The string to convert to Base32.
Whether or not to add RFC3548 '='-padding to the string.
A Base32 string.
https://tools.ietf.org/html/rfc3548#section-2.2 indicates padding MUST be added unless the reference to the RFC
tells us otherswise.
https://github.com/google/google-authenticator/wiki/Key-Uri-Format indicates that padding SHOULD be omitted.
To meet both requirements, you can omit padding when required.
Converts a Base32 string into the corresponding byte array, using 5 bits per character.
The Base32 String
A byte array containing the properly encoded bytes.
Given that we want to be able to migrate to CacheV2 with confidence, we want the existing cache
infrastructure to work and be able to test the new cache. This interface acts as the adapter
between the product and the particular cache version being used.
Once we've fully moved to the V2 cache, the goal is that this adapter infra will be removed
and the implementation within this class for the V2 cache will move into the product code directly.
This is the object we will serialize (using StorageJson* classes for specific field names) for Account information.
If you're modifying this object and the related (de)serialization, you're modifying the cache persistence
model and need to ensure it's compatible and compliant with the other cache implementations.
This is the object we will serialize (using StorageJson* classes for specific field names) for Credential information.
Credentials include Access Tokens, Refresh Tokens, etc.
If you're modifying this object and the related (de)serialization, you're modifying the cache persistence
model and need to ensure it's compatible and compliant with the other cache implementations.
This class contains the methods for encoding/decoding our object representations of cache data.
If you're modifying this class, you're updating the schema persistence behavior so ensure you're
aligned with the other cache schema models.
Contains the results of one token acquisition operation.
Creates result returned from AcquireToken. Except in advanced scenarios related to token caching, you do not need to create any instance of AuthenticationResult.
Type of the Access Token returned
The Access Token requested
The point in time in which the Access Token returned in the AccessToken property ceases to be valid
Creates result returned from AcquireToken. Except in advanced scenarios related to token caching, you do not need to create any instance of AuthenticationResult.
Type of the Access Token returned
The Access Token requested
The point in time in which the Access Token returned in the AccessToken property ceases to be valid
The point in time in which the Access Token returned in the AccessToken property ceases to be valid
Gets the type of the Access Token returned.
Gets the Access Token requested.
Gets the point in time in which the Access Token returned in the AccessToken property ceases to be valid.
This value is calculated based on current UTC time measured locally and the value expiresIn received from the service.
Gets the point in time in which the Access Token returned in the AccessToken property ceases to be valid in ADAL's extended LifeTime.
This value is calculated based on current UTC time measured locally and the value ext_expiresIn received from the service.
Gives information to the developer whether token returned is during normal or extended lifetime.
Gets an identifier for the tenant the token was acquired from. This property will be null if tenant information is not returned by the service.
Gets user information including user Id. Some elements in UserInfo might be null if not returned by the service.
Gets the entire Id Token if returned by the service or null if no Id Token is returned.
Gets the authority that has issued the token.
Creates authorization header from authentication result.
Created authorization header
Gets the Refresh Token associated with the requested Access Token. Note: not all operations will return a Refresh Token.
Gets a value indicating whether the refresh token can be used for requesting access token for other resources.
Serializes the object to a JSON string
Deserialized authentication result
Serializes the object to a JSON string
Serialized authentication result
Determines what type of subject the token was issued for.
User
Client
UserPlusClient: This is for confidential clients used in middle tier.
can be used with Linq to access items from the TokenCache dictionary.
Determines whether the specified object is equal to the current object.
true if the specified object is equal to the current object; otherwise, false.
The object to compare with the current object. 2
Determines whether the specified TokenCacheKey is equal to the current object.
true if the specified TokenCacheKey is equal to the current object; otherwise, false.
The TokenCacheKey to compare with the current object. 2
Returns the hash code for this TokenCacheKey.
A 32-bit signed integer hash code.
Contains information of a single user. This information is used for token cache lookup. Also if created with userId, userId is sent to the service when login_hint is accepted.
Create user information for token cache lookup
Create user information copied from another UserInfo object
Gets identifier of the user authenticated during token acquisition.
Gets a displayable value in UserPrincipalName (UPN) format. The value can be null.
Gets given name of the user if provided by the service. If not, the value is null.
Gets family name of the user if provided by the service. If not, the value is null.
Gets the time when the password expires. Default value is 0.
Gets the url where the user can change the expiring password. The value can be null.
Gets identity provider if returned by the service. If not, the value is null.
Data class, common to ADAL.NET and MSAL.NET V2 used for the token cache serialization
in a dual format: the ADAL V3 cache format, and the new unified cache format, common
to ADAL.NET 4.x, MSAL.NET 2.x and other libraries in the same Operating System
(for instance ADAL and MSAL for objective C in iOS)
Array of bytes containing the serialized cache in ADAL.NET V3 format
Array of bytes containing the serialized MSAL.NET V2 cache
Returns a tuple where
Item1 is a map of ClientInfo -> AdalUserInfo for those users that have ClientInfo
Item2 is a list of AdalUserInfo for those users that do not have ClientInfo
Algorithm to delete:
DisplayableId cannot be null
Removal is scoped by enviroment and clientId;
If accountId != null then delete everything with the same clientInfo
otherwise, delete everything with the same displayableId
Notes:
- displayableId can change rarely
- ClientCredential Grant uses the app token cache, not the user token cache, so this algorithm does not apply
(nor will GetAccounts / RemoveAccount work)
String comprised of scopes that have been lowercased and ordered.
Normalization is important when creating unique keys.
Apps shouldn't rely on its presence, unless the app itself wrote it. It means that SDK should translate absense of app metadata to the default values of its required fields.
Other apps that don't support app metadata should never remove existing app metadata.
App metadata is a non-removable entity.It means there's no need for a public API to remove app metadata, and it shouldn't be removed when removeAccount is called.
App metadata is a non-secret entity. It means that it cannot store any secret information, like tokens, nor PII, like username etc.
App metadata can be extended by adding additional fields when required.Absense of any non-required field should translate to default values for those field.
mandatory
mandatory
The family id of which this application is part of. This is an internal feature and there is currently a single app,
with id 1. If familyId is empty, it means an app is not part of a family. A missing entry means unkown status.
Important: order matters. This MUST be the last one called since it will extract the
remaining fields out.
Optional. A value here means the token in an FRT.
Family Refresh Tokens, can be used for all clients part of the family
An object representing the key of the token cache AT dictionary. The
format of the key is not important for this library, as long as it is unique.
The format of the key is platform dependent
An object representing the key of the token cache Account dictionary. The
format of the key is not important for this library, as long as it is unique.
App metadata is an optional entity in cache and can be used by apps to store additional metadata applicable to a particular client.
Ex: appmetadata-login.microsoftonline.com-b6c69a37-df96-4db0-9088-2ab96e1d8215
An object representing the key of the token cache Id Token dictionary. The
format of the key is not important for this library, as long as it is unique.
An object representing the key of the token cache RT dictionary. The
format of the key is not important for this library, as long as it is unique.
Normal RTs are scoped by env, account_id and clientID
FRTs are scoped by env, account_id and familyID (clientID exists, but is irrelevant)
Constructor
Can be null or empty, denoting a normal RT. A value signifies an FRT.
The dictionary serializer does not handle Unknown Nodes
Abstract class containing common API methods and properties. Both and
extend this class. For details see https://aka.ms/msal-net-client-applications
Abstract class containing common API methods and properties. Both and
extend this class. For details see https://aka.ms/msal-net-client-applications
Default Authority used for interactive calls.
Details on the configuration of the ClientApplication for debugging purposes.
Gets the URL of the authority, or security token service (STS) from which MSAL.NET will acquire security tokens
The return value of this property is either the value provided by the developer in the constructor of the application, or otherwise
the value of the static member (that is https://login.microsoftonline.com/common/)
User token cache. This case holds id tokens, access tokens and refresh tokens for accounts. It's used
and updated silently if needed when calling
or one of the overrides of .
It is updated by each AcquireTokenXXX method, with the exception of AcquireTokenForClient which only uses the application
cache (see IConfidentialClientApplication).
On .NET Framework and .NET Core you can also customize the token cache serialization.
See https://aka.ms/msal-net-token-cache-serialization. This is taken care of by MSAL.NET on other platforms.
Returns all the available accounts in the user token cache for the application.
Get the by its identifier among the accounts available in the token cache.
Account identifier. The identifier is typically the
value of the property of .
You typically get the account id from an by using the property>
Removes all tokens in the cache for the specified account.
Instance of the account that needs to be removed
[V3 API] Attempts to acquire an access token for the from the user token cache.
See https://aka.ms/msal-net-acquiretokensilent for more details
Scopes requested to access a protected API
Account for which the token is requested. This parameter is optional.
If nothing is passed and no Account or LoginHint are provided, then, if one, and only
one, account is in the cache, that account is used. Otherwise, an exception will be thrown.
An used to build the token request, adding optional
parameters
will be thrown in the case where an interaction is required with the end user of the application,
for instance, if no refresh token was in the cache, or the user needs to consent, or re-sign-in (for instance if the password expired),
or the user needs to perform two factor authentication
The access token is considered a match if it contains at least all the requested scopes. This means that an access token with more scopes than
requested could be returned. If the access token is expired or close to expiration - within a 5 minute window -
then the cached refresh token (if available) is used to acquire a new access token by making a silent network call.
You can set additional parameters by chaining the builder with:
or one of its
overrides to request a token for a different authority than the one set at the application construction
to bypass the user token cache and
force refreshing the token, as well as
to
specify extra query parameters
[V3 API] Attempts to acquire an access token for the
having the match the given , from the user token cache.
See https://aka.ms/msal-net-acquiretokensilent for more details
Scopes requested to access a protected API
Typically the username, in UPN format, e.g. johnd@contoso.com
An used to build the token request, adding optional
parameters
will be thrown in the case where an interaction is required with the end user of the application,
for instance, if no refresh token was in the cache, or the user needs to consent, or re-sign-in (for instance if the password expired),
or the user needs to perform two factor authentication
If multiple match the , or if there are no matches, an exception is thrown.
The access token is considered a match if it contains at least all the requested scopes. This means that an access token with more scopes than
requested could be returned. If the access token is expired or close to expiration - within a 5 minute window -
then the cached refresh token (if available) is used to acquire a new access token by making a silent network call.
You can set additional parameters by chaining the builder with:
or one of its
overrides to request a token for a different authority than the one set at the application construction
to bypass the user token cache and
force refreshing the token, as well as
to
specify extra query parameters
In MSAL 1.x returned an enumeration of . From MSAL 2.x, use instead.
See https://aka.ms/msal-net-2-released for more details.
In MSAL 1.x, return a user from its identifier. From MSAL 2.x, use instead.
See https://aka.ms/msal-net-2-released for more details.
Identifier of the user to retrieve
the user in the cache with the identifier passed as an argument
In MSAL 1.x removed a user from the cache. From MSAL 2.x, use instead.
See https://aka.ms/msal-net-2-released for more details.
User to remove from the cache
Identifier of the component (libraries/SDK) consuming MSAL.NET.
This will allow for disambiguation between MSAL usage by the app vs MSAL usage by component libraries.
Sets or Gets a custom query parameters that may be sent to the STS for dogfood testing or debugging. This is a string of segments
of the form key=value separated by an ampersand character.
Unless requested otherwise, this parameter should not be set by application developers as it may have adverse effect on the application.
Gets/sets a boolean value telling the application if the authority needs to be verified against a list of known authorities. The default
value is true. It should currently be set to false for Azure AD B2C authorities as those are customer specific
(a list of known B2C authorities cannot be maintained by MSAL.NET). This property can be set just after the construction of the application
and before an operation acquiring a token or interacting with the STS.
The redirect URI (also known as Reply URI or Reply URL), is the URI at which Azure AD will contact back the application with the tokens.
This redirect URI needs to be registered in the app registration (https://aka.ms/msal-net-register-app).
In MSAL.NET, define the following default RedirectUri values:
- urn:ietf:wg:oauth:2.0:oob for desktop (.NET Framework and .NET Core) applications
- msal{ClientId} for Xamarin iOS and Xamarin Android (as this will be used by the system web browser by default on these
platforms to call back the application)
These default URIs could change in the future.
In , this can be the URL of the Web application / Web API.
This is especially important when you deploy an application that you have initially tested locally;
you then need to add the reply URL of the deployed application in the application registration portal
Gets the Client ID (also known as Application ID) of the application as registered in the application registration portal (https://aka.ms/msal-net-register-app)
and as passed in the constructor of the application
[V2 API] Attempts to acquire an access token for the from the user token cache, with advanced parameters controlling network call.
Scopes requested to access a protected API
Account for which the token is requested.
Specific authority for which the token is requested. Passing a different value than configured in the application constructor
narrows down the selection to a specific tenant. This does not change the configured value in the application. This is specific
to applications managing several accounts (like a mail client with several mailboxes)
If true, ignore any access token in the cache and attempt to acquire new access token
using the refresh token for the account if this one is available. This can be useful in the case when the application developer wants to make
sure that conditional access policies are applied immediately, rather than after the expiration of the access token
An containing the requested access token
can be thrown in the case where an interaction is required with the end user of the application,
for instance, if no refresh token was in the cache,a or the user needs to consent, or re-sign-in (for instance if the password expired),
or performs two factor authentication
The access token is considered a match if it contains at least all the requested scopes. This means that an access token with more scopes than
requested could be returned as well. If the access token is expired or close to expiration (within a 5 minute window),
then the cached refresh token (if available) is used to acquire a new access token by making a silent network call.
See https://aka.ms/msal-net-acquiretokensilent for more details
[V2 API] Attempts to acquire an access token for the from the user token cache.
Scopes requested to access a protected API
Account for which the token is requested.
An containing the requested token
can be thrown in the case where an interaction is required with the end user of the application,
for instance so that the user consents, or re-signs-in (for instance if the password expired), or performs two factor authentication
The access token is considered a match if it contains at least all the requested scopes.
This means that an access token with more scopes than requested could be returned as well. If the access token is expired or
close to expiration (within a 5 minute window), then the cached refresh token (if available) is used to acquire a new access token by making a silent network call.
See https://aka.ms/msal-net-acquiretokensilent for more details
Class to be used for confidential client applications (Web Apps, Web APIs, and daemon applications).
Confidential client applications are typically applications which run on servers (Web Apps, Web API, or even service/daemon applications).
They are considered difficult to access, and therefore capable of keeping an application secret (hold configuration
time secrets as these values would be difficult for end users to extract).
A web app is the most common confidential client. The clientId is exposed through the web browser, but the secret is passed only in the back channel
and never directly exposed. For details see https://aka.ms/msal-net-client-applications
Acquires a security token from the authority configured in the app using the authorization code
previously received from the STS.
It uses the OAuth 2.0 authorization code flow (See https://aka.ms/msal-net-authorization-code).
It's usually used in Web Apps (for instance ASP.NET / ASP.NET Core Web apps) which sign-in users,
and can request an authorization code.
This method does not lookup the token cache, but stores the result in it, so it can be looked up
using other methods such as .
Scopes requested to access a protected API
The authorization code received from the service authorization endpoint.
A builder enabling you to add optional parameters before executing the token request
You can set optional parameters by chaining the builder with:
,
,
Acquires a token from the authority configured in the app, for the confidential client itself (in the name of no user)
using the client credentials flow. See https://aka.ms/msal-net-client-credentials.
scopes requested to access a protected API. For this flow (client credentials), the scopes
should be of the form "{ResourceIdUri/.default}" for instance https://management.azure.net/.default or, for Microsoft
Graph, https://graph.microsoft.com/.default as the requested scopes are defined statically with the application registration
in the portal, and cannot be overriden in the application.
A builder enabling you to add optional parameters before executing the token request
You can also chain the following optional parameters:
Acquires an access token for this application (usually a Web API) from the authority configured in the application,
in order to access another downstream protected Web API on behalf of a user using the OAuth 2.0 On-Behalf-Of flow.
See https://aka.ms/msal-net-on-behalf-of.
This confidential client application was itself called with a token which will be provided in the
userAssertion parameter.
Scopes requested to access a protected API
Instance of containing credential information about
the user on behalf of whom to get a token.
A builder enabling you to add optional parameters before executing the token request
You can also chain the following optional parameters:
Computes the URL of the authorization request letting the user sign-in and consent to the application accessing specific scopes in
the user's name. The URL targets the /authorize endpoint of the authority configured in the application.
This override enables you to specify a login hint and extra query parameter.
Scopes requested to access a protected API
A builder enabling you to add optional parameters before executing the token request to get the
URL of the STS authorization endpoint parametrized with the parameters
You can also chain the following optional parameters:
Application token cache. This case holds access tokens and refresh tokens for the application. It's maintained
and updated silently if needed when calling
On .NET Framework and .NET Core you can also customize the token cache serialization.
See https://aka.ms/msal-net-token-cache-serialization. This is taken care of by MSAL.NET on other platforms
[V2 API] Constructor for a confidential client application requesting tokens with the default authority ()
Client ID (also known as App ID) of the application as registered in the
application registration portal (https://aka.ms/msal-net-register-app)/. REQUIRED
URL where the STS will call back the application with the security token. REQUIRED
Credential, previously shared with Azure AD during the application registration and proving the identity
of the application. An instance of can be created either from an application secret, or a certificate. REQUIRED.
Token cache for saving user tokens. Can be set to null if the confidential client
application only uses the Client Credentials grants (that is requests token in its own name and not in the name of users).
Otherwise should be provided. REQUIRED
Token cache for saving application (that is client token). Can be set to null except if the application
uses the client credentials grants
See https://aka.ms/msal-net-client-applications for a description of confidential client applications (and public client applications)
Client credential grants are overrides of
See also for the V3 API way of building a confidential client application
with a builder pattern. It offers building the application from configuration options, and a more fluid way of providing parameters.
which
enables app developers to specify the authority
[V2 API] Constructor for a confidential client application requesting tokens with a specified authority
Client ID (also named Application ID) of the application as registered in the
application registration portal (https://aka.ms/msal-net-register-app)/. REQUIRED
Authority of the security token service (STS) from which MSAL.NET will acquire the tokens.
Usual authorities are:
- https://login.microsoftonline.com/tenant/, where tenant is the tenant ID of the Azure AD tenant
or a domain associated with this Azure AD tenant, in order to sign-in users of a specific organization only
- https://login.microsoftonline.com/common/ to sign-in users with any work and school accounts or Microsoft personal accounts
- https://login.microsoftonline.com/organizations/ to sign-in users with any work and school accounts
- https://login.microsoftonline.com/consumers/ to sign-in users with only personal Microsoft accounts(live)
Note that this setting needs to be consistent with what is declared in the application registration portal
URL where the STS will call back the application with the security token. REQUIRED
Credential, previously shared with Azure AD during the application registration and proving the identity
of the application. An instance of can be created either from an application secret, or a certificate. REQUIRED.
Token cache for saving user tokens. Can be set to null if the confidential client
application only uses the Client Credentials grants (that is requests token in its own name and not in the name of users).
Otherwise should be provided. REQUIRED
Token cache for saving application (that is client token). Can be set to null except if the application
uses the client credentials grants
See https://aka.ms/msal-net-client-applications for a description of confidential client applications (and public client applications)
Client credential grants are overrides of
See also for the V3 API way of building a confidential client application
with a builder pattern. It offers building the application from configuration options, and a more fluid way of providing parameters.
which
enables app developers to create a confidential client application requesting tokens with the default authority.
[V2 API] Acquires an access token for this application (usually a Web API) from the authority configured in the application, in order to access
another downstream protected Web API on behalf of a user using the OAuth 2.0 On-Behalf-Of flow. (See https://aka.ms/msal-net-on-behalf-of).
This confidential client application was itself called with a token which will be provided in the
userAssertion parameter.
Scopes requested to access a protected API
Instance of containing credential information about
the user on behalf of whom to get a token.
Authentication result containing a token for the requested scopes and account
for the on-behalf-of flow when specifying the authority
which is the corresponding V3 API.
[V2 API] Acquires an access token for this application (usually a Web API) from a specific authority, in order to access
another downstream protected Web API on behalf of a user (See https://aka.ms/msal-net-on-behalf-of).
This confidential client application was itself called with a token which will be provided in the
userAssertion parameter.
Scopes requested to access a protected API
Instance of containing credential information about
the user on behalf of whom to get a token.
Specific authority for which the token is requested. Passing a different value than configured does not change the configured value
Authentication result containing a token for the requested scopes and account
for the on-behalf-of flow without specifying the authority
which is the corresponding V3 API.
[V2 API] Acquires an access token for this application (usually a Web API) from the authority configured in the application, in order to access
another downstream protected Web API on behalf of a user using the OAuth 2.0 On-Behalf-Of flow. (See https://aka.ms/msal-net-on-behalf-of).
This confidential client application was itself called with a token which will be provided in the
userAssertion parameter.
This override sends the certificate, which helps certificate rotation in Azure AD
Scopes requested to access a protected API
Instance of containing credential information about
the user on behalf of whom to get a token.
Authentication result containing a token for the requested scopes and account
which is the corresponding V3 API
[V2 API] Acquires an access token for this application (usually a Web API) from a specific authority, in order to access
another downstream protected Web API on behalf of a user (See https://aka.ms/msal-net-on-behalf-of).
This confidential client application was itself called with a token which will be provided in the
This override sends the certificate, which helps certificate rotation in Azure AD
userAssertion parameter.
Scopes requested to access a protected API
Instance of containing credential information about
the user on behalf of whom to get a token.
Specific authority for which the token is requested. Passing a different value than configured does not change the configured value
Authentication result containing a token for the requested scopes and account
which is the corresponding V3 API
[V2 API] Acquires a security token from the authority configured in the app using the authorization code previously received from the STS. It uses
the OAuth 2.0 authorization code flow (See https://aka.ms/msal-net-authorization-code).
It's usually used in Web Apps (for instance ASP.NET / ASP.NET Core Web apps) which sign-in users, and therefore receive an authorization code.
This method does not lookup the token cache, but stores the result in it, so it can be looked up using other methods
such as .
The authorization code received from service authorization endpoint.
Scopes requested to access a protected API
Authentication result containing token of the user for the requested scopes
which is the corresponding V2 API
[V3 API] Acquires a token from the authority configured in the app, for the confidential client itself (in the name of no user)
using the client credentials flow. (See https://aka.ms/msal-net-client-credentials)
scopes requested to access a protected API. For this flow (client credentials), the scopes
should be of the form "{ResourceIdUri/.default}" for instance https://management.azure.net/.default or, for Microsoft
Graph, https://graph.microsoft.com/.default as the requested scopes are really defined statically at application registration
in the portal, and cannot be overriden in the application. See also
Authentication result containing the token of the user for the requested scopes
[V2 API] Acquires a token from the authority configured in the app, for the confidential client itself (in the name of no user)
using the client credentials flow. (See https://aka.ms/msal-net-client-credentials)
Scopes requested to access a protected API. For this flow (client credentials), the scopes
should be of the form "{ResourceIdUri/.default}" for instance https://management.azure.net/.default or, for Microsoft
Graph, https://graph.microsoft.com/.default as the requested scopes are really defined statically at application registration
in the portal, and cannot be overriden in the application
If true, API will ignore the access token in the cache and attempt to acquire new access token using client credentials.
This override can be used in case the application knows that conditional access policies changed
Authentication result containing token of the user for the requested scopes
which is the corresponding V3 API
[V2 API] Acquires token from the service for the confidential client using the client credentials flow. (See https://aka.ms/msal-net-client-credentials)
This method enables application developers to achieve easy certificate roll-over
in Azure AD: this method will send the public certificate to Azure AD
along with the token request, so that Azure AD can use it to validate the subject name based on a trusted issuer policy.
This saves the application admin from the need to explicitly manage the certificate rollover
(either via portal or powershell/CLI operation)
Scopes requested to access a protected API
Authentication result containing application token for the requested scopes
which is the corresponding V3 API
[V2 API] Acquires token from the service for the confidential client using the client credentials flow. (See https://aka.ms/msal-net-client-credentials)
This method attempts to look up valid access token in the cache unless is true
This method enables application developers to achieve easy certificate roll-over
in Azure AD: this method will send the public certificate to Azure AD
along with the token request, so that Azure AD can use it to validate the subject name based on a trusted issuer policy.
This saves the application admin from the need to explicitly manage the certificate rollover
(either via portal or powershell/CLI operation)
Scopes requested to access a protected API
If TRUE, API will ignore the access token in the cache and attempt to acquire new access token using client credentials
Authentication result containing application token for the requested scopes
which is the corresponding V3 API
Acquires an access token from an existing refresh token and stores it and the refresh token into
the application user token cache, where it will be available for further AcquireTokenSilentAsync calls.
This method can be used in migration to MSAL from ADAL v2 and in various integration
scenarios where you have a RefreshToken available.
(see https://aka.ms/msal-net-migration-adal2-msal2)
Scope to request from the token endpoint.
Setting this to null or empty will request an access token, refresh token and ID token with default scopes
The refresh token (for example previously obtained from ADAL 2.x)
[V2 API] Computes the URL of the authorization request letting the user sign-in and consent to the application accessing specific scopes in
the user's name. The URL targets the /authorize endpoint of the authority configured in the application.
This override enables you to specify a login hint and extra query parameter.
Scopes requested to access a protected API
Identifier of the user. Generally a UPN. This can be empty
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
URL of the authorize endpoint including the query parameters.
which is the corresponding V3 API
[V2 API] Computes the URL of the authorization request letting the user sign-in and consent to the application accessing specific scopes in
the user's name. The URL targets the /authorize endpoint of the authority specified as the parameter.
This override enables you to specify a redirectUri, login hint extra query parameters, extra scope to consent (which are not for the
same resource as the ), and an authority.
Scopes requested to access a protected API (a resource)
Address to return to upon receiving a response from the authority.
Identifier of the user. Generally a UPN.
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
Scopes for additional resources (other than the resource for which are requested),
which a developer can request the user to consent to upfront.
Specific authority for which the token is requested. Passing a different value than configured does not change the configured value
URL of the authorize endpoint including the query parameters.
which is the corresponding V3 API
MSAL Flavor: .NET or WinRT
MSAL assembly version
CPU platform with x86, x64 or ARM as value
Version of the operating system. This will not be sent on WinRT
Device model. This will not be sent on .NET
This class adds additional query parameters or headers to the requests sent to STS. This can help us in
collecting statistics and potentially on diagnostics.
This object is returned as part of the device code flow
and has information intended to be shown to the user about
where to navigate to login and what the device code needs
to be entered on that device.
See https://aka.ms/msal-device-code-flow.
and
the other overrides
User code returned by the service
Device code returned by the service
Verification URL where the user must navigate to authenticate using the device code and credentials.
Time when the device code will expire.
Polling interval time to check for completion of authentication flow.
User friendly text response that can be used for display purpose.
Identifier of the client requesting device code.
List of the scopes that would be held by token.
Extension method enabling MSAL.NET extenders for public client applications to set a custom web ui
that will let the user sign-in with Azure AD, present consent if needed, and get back the authorization
code
Builder for an AcquireTokenInteractive
Customer implementation for the Web UI
the builder to be able to chain .With methods
Interface that an MSAL.NET extender can implement to provide their own Web UI in public client applications
to sign-in user and have them consented part of the Authorization code flow.
MSAL.NET provides an embedded web view for Windows and Mac, but there are other scenarios not yet supported.
This extensibility point enables them to provide such UI in a secure way
Method called by MSAL.NET to delegate the authentication code Web with with the STS
URI computed by MSAL.NET that will let the UI extension
navigate to the STS authorization endpoint in order to sign-in the user and have them consent
The redirect Uri that was configured. The auth code will be appended to this redirect uri and the browser
will redirect to it.
The cancellation token to which you should respond to.
See https://docs.microsoft.com/en-us/dotnet/standard/parallel-programming/task-cancellation for details.
The URI returned back from the STS authorization endpoint. This URI contains a code=CODE
parameters that MSAL.NET will extract and redeem.
The authorizationUri"/> is crafted to
leverage PKCE in order to protect the token from a man in the middle attack.
Only MSAL.NET can redeem the code.
In the event of cancellation, the implementer should return OperationCanceledException.
We invoke this class from different threads and they all use the same HttpClient.
To prevent race conditions, make sure you do not get / set anything on HttpClient itself,
instead rely on HttpRequest objects which are thread specific.
In particular, do not change any properties on HttpClient such as BaseAddress, buffer sizes and Timeout. You should
also not access DefaultRequestHeaders because the getters are not thread safe (use HttpRequestMessage.Headers instead).
Performs the POST request just like
but does not throw a ServiceUnavailable service exception. Instead, it returns the associated
with the request.
Check common redirect uri problems.
Optionally check that the redirect uri is not the OAuth2 standard redirect uri urn:ietf:wg:oauth:2.0:oob
when using a system browser, because the browser cannot redirect back to the app.
The IAccount interface represents information about a single account.
The same user can be present in different tenants, that is, a user can have multiple accounts.
An IAccount is returned in the . property, and can be used as parameters
of PublicClientApplication and ConfidentialClientApplication methods acquiring tokens such as
Gets a string containing the displayable value in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com.
This can be null.
This property replaces the DisplayableId property of IUser in previous versions of MSAL.NET
Gets a string containing the identity provider for this account, e.g. login.microsoftonline.com.
This property replaces the IdentityProvider property of IUser in previous versions of MSAL.NET
except that IdentityProvider was a URL with information about the tenant (in addition to the cloud environment), whereas Environment is only the
AccountId of the home account for the user. This uniquely identifies the user across AAD tenants.
Can be null, for example if this account was migrated to MSAL.NET from ADAL.NET v3's token cache
Acquires an access token from an existing refresh token and stores it, and the refresh token, in
the user token cache, where it will be available for further AcquireTokenSilent calls.
This method can be used in migration to MSAL from ADAL v2, and in various integration
scenarios where you have a RefreshToken available.
See https://aka.ms/msal-net-migration-adal2-msal2.
Scope to request from the token endpoint.
Setting this to null or empty will request an access token, refresh token and ID token with default scopes
The refresh token from ADAL 2.x
A builder enabling you to add optional parameters before executing the token request
Acquires an access token from an existing refresh token and stores it and the refresh token into
the user token cache, where it will be available for further AcquireTokenSilentAsync calls.
This method can be used in migration to MSAL from ADAL v2 and in various integration
scenarios where you have a RefreshToken available.
(see https://aka.ms/msal-net-migration-adal2-msal2)
Scope to request from the token endpoint.
Setting this to null or empty will request an access token, refresh token and ID token with default scopes
The refresh token from ADAL 2.x
Abstract class containing common API methods and properties. Both and
extend this class. For details see https://aka.ms/msal-net-client-applications.
Interface defining common API methods and properties. Both and
extend this class. For details see https://aka.ms/msal-net-client-applications
Details on the configuration of the ClientApplication for debugging purposes.
User token cache. This case holds id tokens, access tokens and refresh tokens for accounts. It's used
and updated silently if needed when calling
It is updated by each AcquireTokenXXX method, with the exception of AcquireTokenForClient which only uses the application
cache (see IConfidentialClientApplication).
On .NET Framework and .NET Core you can also customize the token cache serialization.
See https://aka.ms/msal-net-token-cache-serialization. This is taken care of by MSAL.NET on other platforms.
Gets the URL of the authority, or the security token service (STS) from which MSAL.NET will acquire security tokens.
The return value of this propety is either the value provided by the developer in the constructor of the application, or otherwise
the value of the static member (that is https://login.microsoftonline.com/common/)
Returns all the available accounts in the user token cache for the application.
Get the by its identifier among the accounts available in the token cache.
Account identifier. The value of the identifier will probably have been stored value from the
value of the property of .
You typically get the account id from an by using the property>
Attempts to acquire an access token for the from the user token cache,
with advanced parameters controlling the network call. See https://aka.ms/msal-net-acquiretokensilent for more details
Scopes requested to access a protected API
Account for which the token is requested.
An used to build the token request, adding optional
parameters
will be thrown in the case where an interaction is required with the end user of the application,
for instance, if no refresh token was in the cache,a or the user needs to consent, or re-sign-in (for instance if the password expired),
or the user needs to perform two factor authentication
The access token is considered a match if it contains at least all the requested scopes. This means that an access token with more scopes than
requested could be returned as well. If the access token is expired or close to expiration (within a 5 minute window),
then the cached refresh token (if available) is used to acquire a new access token by making a silent network call.
See also the additional parameters that you can set chain:
or one of its
overrides to request a token for a different authority than the one set at the application construction
to bypass the user token cache and
force refreshing the token, as well as
to
specify extra query parameters
Attempts to acquire an access token for the from the user token cache,
with advanced parameters controlling the network call. See https://aka.ms/msal-net-acquiretokensilent for more details
Scopes requested to access a protected API
Typically the username, in UPN format, e.g. johnd@contoso.com
An used to build the token request, adding optional
parameters
will be thrown in the case where an interaction is required with the end user of the application,
for instance, if no refresh token was in the cache,a or the user needs to consent, or re-sign-in (for instance if the password expired),
or the user needs to perform two factor authentication
The access token is considered a match if it contains at least all the requested scopes. This means that an access token with more scopes than
requested could be returned as well. If the access token is expired or close to expiration (within a 5 minute window),
then the cached refresh token (if available) is used to acquire a new access token by making a silent network call.
See also the additional parameters that you can set chain:
or one of its
overrides to request a token for a different authority than the one set at the application construction
to bypass the user token cache and
force refreshing the token, as well as
to
specify extra query parameters
Removes all tokens in the cache for the specified account.
instance of the account that needs to be removed
In MSAL 1.x returned an enumeration of . From MSAL 2.x, use instead.
See https://aka.ms/msal-net-2-released for more details.
In MSAL 1.x, return a user from its identifier. From MSAL 2.x, use instead.
See https://aka.ms/msal-net-2-released for more details.
Identifier of the user to retrieve
the user in the cache with the identifier passed as an argument
In MSAL 1.x removed a user from the cache. From MSAL 2.x, use instead.
See https://aka.ms/msal-net-2-released for more details.
User to remove from the cache
Identifier of the component (libraries/SDK) consuming MSAL.NET.
This will allow for disambiguation between MSAL usage by the app vs MSAL usage by component libraries.
Sets or Gets a custom query parameters that may be sent to the STS for dogfood testing or debugging. This is a string of segments
of the form key=value separated by an ampersand character.
Unless requested otherwise, this parameter should not be set by application developers as it may have adverse effect on the application.
Gets a boolean value telling the application if the authority needs to be verified against a list of known authorities. The default
value is true. It should currently be set to false for Azure AD B2C authorities as those are customer specific
(a list of known B2C authorities cannot be maintained by MSAL.NET)
The redirect URI (also known as Reply URI or Reply URL), is the URI at which Azure AD will contact back the application with the tokens.
This redirect URI needs to be registered in the app registration (https://aka.ms/msal-net-register-app)
In MSAL.NET, define the following default RedirectUri values:
- urn:ietf:wg:oauth:2.0:oob for desktop (.NET Framework and .NET Core) applications
- msal{ClientId} for Xamarin iOS and Xamarin Android (as this will be used by the system web browser by default on these
platforms to call back the application)
These default URIs could change in the future.
In , this can be the URL of the Web application / Web API.
This is especially important when you deploy an application that you have initially tested locally;
you then need to add the reply URL of the deployed application in the application registration portal.
Attempts to acquire an access token for the from the user token cache.
Scopes requested to access a protected API
Account for which the token is requested.
An containing the requested token
can be thrown in the case where an interaction is required with the end user of the application,
for instance so that the user consents, or re-signs-in (for instance if the password expirred), or performs two factor authentication
The access token is considered a match if it contains at least all the requested scopes.
This means that an access token with more scopes than requested could be returned as well. If the access token is expired or
close to expiration (within 5 minute window), then the cached refresh token (if available) is used to acquire a new access token by making a silent network call.
See https://aka.ms/msal-net-acuiretokensilent for more details
Attempts to acquire and access token for the from the user token cache, with advanced parameters making a network call.
Scopes requested to access a protected API
Account for which the token is requested.
Specific authority for which the token is requested. Passing a different value than configured in the application constructor
narrows down the selection of tenants for which to get a tenant, but does not change the configured value
If true, the will ignore the access token in the cache and attempt to acquire new access token
using the refresh token for the account if this one is available. This can be useful in the case when the application developer wants to make
sure that conditional access policies are applies immediately, rather than after the expiration of the access token
An containing the requested token
can be thrown in the case where an interaction is required with the end user of the application,
for instance, if no refresh token was in the cache, or the user needs to consents, or re-sign-in (for instance if the password expirred),
or performs two factor authentication
The access token is considered a match if it contains at least all the requested scopes. This means that an access token with more scopes than
requested could be returned as well. If the access token is expired or close to expiration (within 5 minute window),
then the cached refresh token (if available) is used to acquire a new access token by making a silent network call.
See https://aka.ms/msal-net-acquiretokensilent for more details
Gets the Client ID (also known as Application ID) of the application as registered in the application registration portal (https://aka.ms/msal-net-register-app)
and as passed in the constructor of the application.
Component to be used with confidential client applications like Web Apps/API.
Component to be used with confidential client applications like Web Apps/API.
Application token cache. This case holds access tokens and refresh tokens for the application. It's maintained
and updated silently if needed when calling
On .NET Framework and .NET Core you can also customize the token cache serialization.
See https://aka.ms/msal-net-token-cache-serialization. This is taken care of by MSAL.NET on other platforms.
[V3 API] Acquires a security token from the authority configured in the app using the authorization code
previously received from the STS.
It uses the OAuth 2.0 authorization code flow (See https://aka.ms/msal-net-authorization-code).
It's usually used in Web Apps (for instance ASP.NET / ASP.NET Core Web apps) which sign-in users,
and can request an authorization code.
This method does not lookup the token cache, but stores the result in it, so it can be looked up
using other methods such as .
Scopes requested to access a protected API
The authorization code received from the service authorization endpoint.
A builder enabling you to add optional parameters before executing the token request
You can set optional parameters by chaining the builder with:
,
,
[V3 API] Acquires a token from the authority configured in the app, for the confidential client itself (in the name of no user)
using the client credentials flow. See https://aka.ms/msal-net-client-credentials.
scopes requested to access a protected API. For this flow (client credentials), the scopes
should be of the form "{ResourceIdUri/.default}" for instance https://management.azure.net/.default or, for Microsoft
Graph, https://graph.microsoft.com/.default as the requested scopes are really defined statically at application registration
in the portal, and cannot be overriden in the application.
A builder enabling you to add optional parameters before executing the token request
You can also chain the following optional parameters:
[V3 API] Acquires an access token for this application (usually a Web API) from the authority configured in the application,
in order to access another downstream protected Web API on behalf of a user using the OAuth 2.0 On-Behalf-Of flow.
See https://aka.ms/msal-net-on-behalf-of.
This confidential client application was itself called with a token which will be provided in the
userAssertion parameter.
Scopes requested to access a protected API
Instance of containing credential information about
the user on behalf of whom to get a token.
A builder enabling you to add optional parameters before executing the token request
You can also chain the following optional parameters:
[V3 API] Computes the URL of the authorization request letting the user sign-in and consent to the application accessing specific scopes in
the user's name. The URL targets the /authorize endpoint of the authority configured in the application.
This override enables you to specify a login hint and extra query parameter.
Scopes requested to access a protected API
A builder enabling you to add optional parameters before executing the token request to get the
URL of the STS authorization endpoint parameterized with the parameters
You can also chain the following optional parameters:
[V3 API] Acquires token using On-Behalf-Of flow. (See https://aka.ms/msal-net-on-behalf-of)
Array of scopes requested for resource
Instance of UserAssertion containing user's token.
Authentication result containing token of the user for the requested scopes
[V3 API] Acquires token using On-Behalf-Of flow. (See https://aka.ms/msal-net-on-behalf-of)
Array of scopes requested for resource
Instance of UserAssertion containing user's token.
Specific authority for which the token is requested. Passing a different value than configured does not change the configured value
Authentication result containing token of the user for the requested scopes
[V2 API] Acquires security token from the authority using authorization code previously received.
This method does not lookup token cache, but stores the result in it, so it can be looked up using other methods such as .
The authorization code received from service authorization endpoint.
Array of scopes requested for resource
Authentication result containing token of the user for the requested scopes
[V2 API] Acquires token from the service for the confidential client. This method attempts to look up valid access token in the cache.
Array of scopes requested for resource
Authentication result containing application token for the requested scopes
[V2 API] Acquires token from the service for the confidential client. This method attempts to look up valid access token in the cache.
Array of scopes requested for resource
If TRUE, API will ignore the access token in the cache and attempt to acquire new access token using client credentials
Authentication result containing application token for the requested scopes
[V2 API] URL of the authorize endpoint including the query parameters.
Array of scopes requested for resource
Identifier of the user. Generally a UPN.
This parameter will be appended as is to the query string in the HTTP authentication request to the authority. The parameter can be null.
URL of the authorize endpoint including the query parameters.
[V2 API] Gets URL of the authorize endpoint including the query parameters.
Array of scopes requested for resource
Address to return to upon receiving a response from the authority.
Identifier of the user. Generally a UPN.
This parameter will be appended as is to the query string in the HTTP authentication request to the authority. The parameter can be null.
Array of scopes for which a developer can request consent upfront.
Specific authority for which the token is requested. Passing a different value than configured does not change the configured value
URL of the authorize endpoint including the query parameters.
Validates the authority if required and returns the OpenId discovery endpoint
for the given tenant. This is specific to each authority type.
For platforms that do not support a broker (net desktop, net core, UWP, netstandard)
Certificate for a client assertion. This class is used in one of the constructors of . ClientCredential
is itself used in the constructor of to pass to Azure AD a shared secret (registered in the
Azure AD application)
for the constructor of
with a certificate, and
To understand the difference between public client applications and confidential client applications, see https://aka.ms/msal-net-client-applications
Constructor to create certificate information used in
to instantiate a used in the constructors of
The X509 certificate used as credentials to prove the identity of the application to Azure AD.
Gets minimum X509 certificate key size in bits
Gets the X509 certificate used as credentials to prove the identity of the application to Azure AD.
Meant to be used in confidential client applications, an instance of ClientCredential is passed
to the constructors of ()
as credentials proving that the application (the client) is what it claims it is. These credentials can be
either a client secret (an application password) or a certificate.
This class has one constructor for each case.
These credentials are added in the application registration portal (in the secret section).
Constructor of client (application) credentials from a
contains information about the certificate previously shared with AAD at application
registration to prove the identity of the application (the client) requesting the tokens.
Constructor of client (application) credentials from a client secret, also known as the application password.
Secret string previously shared with AAD at application registration to prove the identity
of the application (the client) requesting the tokens.
Determines whether or not the cached client assertion can be used again for the next authentication request by
checking it's
values against incoming request parameters.
Returns true if the previously cached client assertion is valid
Handles requests that are non-interactive. Currently MSAL supports Integrated Windows Auth (IWA).
Base class for all flows. Use by implementing
and optionally calling protected helper methods such as SendTokenRequestAsync, which know
how to use all params when making the request.
Handles requests that are non-interactive. Currently MSAL supports Integrated Windows Auth.
Interface to be used with desktop or mobile applications (Desktop / UWP / Xamarin.iOS / Xamarin.Android).
public client applications are not trusted to safely keep application secrets, and therefore they only access Web APIs in the name of the user only.
For details see https://aka.ms/msal-net-client-applications.
Interface defining common API methods and properties.
For details see https://aka.ms/msal-net-client-applications
Tells if the application can use the system web browser, therefore getting single-sign-on with web applications.
By default, MSAL will try to use a system browser on the mobile platforms, if it is available.
See https://aka.ms/msal-net-uses-web-browser.
Interactive request to acquire a token for the specified scopes. The interactive window will be parented to the specified
window. The user will be required to select an account
Scopes requested to access a protected API
A builder enabling you to add optional parameters before executing the token request
The user will be signed-in interactively if needed,
and will consent to scopes and do multi-factor authentication if such a policy was enabled in the Azure AD tenant.
You can also pass optional parameters by calling:
to specify the user experience
when signing-in, to specify
if you want to use the embedded web browser or the system default browser,
or
to prevent the select account dialog from appearing in the case you want to sign-in a specific account,
if you want to let the
user pre-consent to additional scopes (which won't be returned in the access token),
to pass
additional query parameters to the STS, and one of the overrides of
in order to override the default authority set at the application construction. Note that the overriding authority needs to be part
of the known authorities added to the application construction.
Acquires a security token on a device without a Web browser, by letting the user authenticate on
another device. This is done in two steps:
- The method first acquires a device code from the authority and returns it to the caller via
the . This callback takes care of interacting with the user
to direct them to authenticate (to a specific URL, with a code)
- The method then proceeds to poll for the security
token which is granted upon successful login by the user based on the device code information
See https://aka.ms/msal-device-code-flow.
Scopes requested to access a protected API
Callback containing information to show the user about how to authenticate and enter the device code.
A builder enabling you to add optional parameters before executing the token request
You can also pass optional parameters by calling:
to pass
additional query parameters to the STS, and one of the overrides of
in order to override the default authority set at the application construction. Note that the overriding authority needs to be part
of the known authorities added to the application construction.
Non-interactive request to acquire a security token for the signed-in user in Windows,
via Integrated Windows Authentication. See https://aka.ms/msal-net-iwa.
The account used in this overrides is pulled from the operating system as the current user principal name.
Scopes requested to access a protected API
A builder enabling you to add optional parameters before executing the token request
You can also pass optional parameters by calling:
to pass the identifier
of the user account for which to acquire a token with Integrated Windows authentication. This is generally in
UserPrincipalName (UPN) format, e.g. john.doe@contoso.com. This is normally not needed, but some Windows administrators
set policies preventing applications from looking-up the signed-in user in Windows, and in that case the username
needs to be passed.
You can also chain with
to pass
additional query parameters to the STS, and one of the overrides of
in order to override the default authority set at the application construction. Note that the overriding authority needs to be part
of the known authorities added to the application construction.
Non-interactive request to acquire a security token from the authority, via Username/Password Authentication.
Available only on .net desktop and .net core. See https://aka.ms/msal-net-up for details.
Scopes requested to access a protected API
Identifier of the user application requests token on behalf.
Generally in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com
User password as a secure string.
A builder enabling you to add optional parameters before executing the token request
You can also pass optional parameters by chaining the builder with:
to pass
additional query parameters to the STS, and one of the overrides of
in order to override the default authority set at the application construction. Note that the overriding authority needs to be part
of the known authorities added to the application construction.
Flag to enable authentication with the user currently logeed-in in Windows.
When set to true, the application will try to connect to the corporate network using windows integrated authentication.
Interactive request to acquire token for the specified scopes. The user is required to select an account
Scopes requested to access a protected API
Authentication result containing a token for the requested scopes and account
The user will be signed-in interactively if needed,
and will consent to scopes and do multi-factor authentication if such a policy was enabled in the Azure AD tenant.
Interactive request to acquire token for the specified scopes. The user will need to sign-in but an account will be proposed
based on the
Scopes requested to access a protected API
Identifier of the user. Generally in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com
Authentication result containing a token for the requested scopes and account
Interactive request to acquire token for the specified scopes. The user will need to sign-in but an account will be proposed
based on the provided
Scopes requested to access a protected API
Account to use for the interactive token acquisition. See for ways to get an account
Authentication result containing a token for the requested scopes and account
Interactive request to acquire token for a login with control of the UI behavior and possiblity of passing extra query parameters like additional claims
Scopes requested to access a protected API
Identifier of the user. Generally in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com
Designed interactive experience for the user.
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
Authentication result containing a token for the requested scopes and account
Interactive request to acquire token for an account with control of the UI behavior and possiblity of passing extra query parameters like additional claims
Scopes requested to access a protected API
Account to use for the interactive token acquisition. See for ways to get an account
Designed interactive experience for the user.
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
Authentication result containing a token for the requested scopes and account
Interactive request to acquire token for a given login, with the possibility of controlling the user experience, passing extra query
parameters, providing extra scopes that the user can pre-consent to, and overriding the authority pre-configured in the application
scopes requested to access a protected API
Identifier of the user. Generally in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com
Designed interactive experience for the user.
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
scopes that you can request the end user to consent upfront, in addition to the scopes for the protected Web API
for which you want to acquire a security token.
Specific authority for which the token is requested. Passing a different value than configured does not change the configured value
Authentication result containing a token for the requested scopes and account
Interactive request to acquire token for a given account, with the possibility of controlling the user experience, passing extra query
parameters, providing extra scopes that the user can pre-consent to, and overriding the authority pre-configured in the application
Scopes requested to access a protected API
Account to use for the interactive token acquisition. See for ways to get an account
Designed interactive experience for the user.
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
Scopes that you can request the end user to consent upfront, in addition to the scopes for the protected Web API
for which you want to acquire a security token.
Specific authority for which the token is requested. Passing a different value than configured does not change the configured value
Authentication result containing a token for the requested scopes and account
Interactive request to acquire token for the specified scopes. The interactive window will be parented to the specified
window. The user will be required to select an account
Scopes requested to access a protected API
Object containing a reference to the parent window/activity. REQUIRED for Xamarin.Android only.
Authentication result containing a token for the requested scopes and account
The user will be signed-in interactively if needed,
and will consent to scopes and do multi-factor authentication if such a policy was enabled in the Azure AD tenant.
Interactive request to acquire token for the specified scopes. The interactive window will be parented to the specified
window. . The user will need to sign-in but an account will be proposed
based on the
Scopes requested to access a protected API
Identifier of the user. Generally in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com
Object containing a reference to the parent window/activity. REQUIRED for Xamarin.Android only.
Authentication result containing a token for the requested scopes and login
Interactive request to acquire token for the specified scopes. The user will need to sign-in but an account will be proposed
based on the provided
Scopes requested to access a protected API
Account to use for the interactive token acquisition. See for ways to get an account
Object containing a reference to the parent window/activity. REQUIRED for Xamarin.Android only.
Authentication result containing a token for the requested scopes and account
Interactive request to acquire token for a login with control of the UI behavior and possiblity of passing extra query parameters like additional claims
Scopes requested to access a protected API
Identifier of the user. Generally in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com
Designed interactive experience for the user.
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
Object containing a reference to the parent window/activity. REQUIRED for Xamarin.Android only.
Authentication result containing a token for the requested scopes and account
Interactive request to acquire token for an account with control of the UI behavior and possiblity of passing extra query parameters like additional claims
Scopes requested to access a protected API
Account to use for the interactive token acquisition. See for ways to get an account
Designed interactive experience for the user.
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
Object containing a reference to the parent window/activity. REQUIRED for Xamarin.Android only.
Authentication result containing a token for the requested scopes and account
Interactive request to acquire token for a given login, with the possibility of controlling the user experience, passing extra query
parameters, providing extra scopes that the user can pre-consent to, and overriding the authority pre-configured in the application
Scopes requested to access a protected API
Identifier of the user. Generally in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com
Designed interactive experience for the user.
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
Scopes that you can request the end user to consent upfront, in addition to the scopes for the protected Web API
for which you want to acquire a security token.
Specific authority for which the token is requested. Passing a different value than configured does not change the configured value
Object containing a reference to the parent window/activity. REQUIRED for Xamarin.Android only.
Authentication result containing a token for the requested scopes and account
Interactive request to acquire token for a given account, with the possibility of controlling the user experience, passing extra query
parameters, providing extra scopes that the user can pre-consent to, and overriding the authority pre-configured in the application
Scopes requested to access a protected API
Account to use for the interactive token acquisition. See for ways to get an account
Designed interactive experience for the user.
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
Scopes that you can request the end user to consent upfront, in addition to the scopes for the protected Web API
for which you want to acquire a security token.
Specific authority for which the token is requested. Passing a different value than configured does not change the configured value
Object containing a reference to the parent window/activity. REQUIRED for Xamarin.Android only.
Authentication result containing a token for the requested scopes and account
Non-interactive request to acquire a security token from the authority, via Username/Password Authentication.
See https://aka.ms/msal-net-up.
Scopes requested to access a protected API
Identifier of the user application requests token on behalf.
Generally in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com
User password.
Authentication result containing a token for the requested scopes and account
Acquires a security token on a device without a Web browser, by letting the user authenticate on
another device. This is done in two steps:
- the method first acquires a device code from the authority and returns it to the caller via
the . This callback takes care of interacting with the user
to direct them to authenticate (to a specific URL, with a code)
- The method then proceeds to poll for the security
token which is granted upon successful login by the user based on the device code information
See https://aka.ms/msal-device-code-flow.
Scopes requested to access a protected API
Callback containing information to show the user about how to authenticate and enter the device code.
Authentication result containing a token for the requested scopes and for the user who has authenticated on another device with the code
Acquires a security token on a device without a Web browser, by letting the user authenticate on
another device, with possiblity of passing extra parameters. This is done in two steps:
- the method first acquires a device code from the authority and returns it to the caller via
the . This callback takes care of interacting with the user
to direct them to authenticate (to a specific URL, with a code)
- The method then proceeds to poll for the security
token which is granted upon successful login by the user based on the device code information
See https://aka.ms/msal-device-code-flow.
Scopes requested to access a protected API
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
Callback containing information to show the user about how to authenticate and enter the device code.
Authentication result containing a token for the requested scopes and for the user who has authenticated on another device with the code
Acquires a security token on a device without a Web browser, by letting the user authenticate on
another device, with possiblity of cancelling the token acquisition before it times out. This is done in two steps:
- the method first acquires a device code from the authority and returns it to the caller via
the . This callback takes care of interacting with the user
to direct them to authenticate (to a specific URL, with a code)
- The method then proceeds to poll for the security
token which is granted upon successful login by the user based on the device code information. This step is cancelable
See https://aka.ms/msal-device-code-flow.
Scopes requested to access a protected API
The callback containing information to show the user about how to authenticate and enter the device code.
A CancellationToken which can be triggered to cancel the operation in progress.
Authentication result containing a token for the requested scopes and for the user who has authenticated on another device with the code
Acquires a security token on a device without a Web browser, by letting the user authenticate on
another device, with possiblity of passing extra query parameters and cancelling the token acquisition before it times out. This is done in two steps:
- the method first acquires a device code from the authority and returns it to the caller via
the . This callback takes care of interacting with the user
to direct them to authenticate (to a specific URL, with a code)
- The method then proceeds to poll for the security
token which is granted upon successful login by the user based on the device code information. This step is cancelable
See https://aka.ms/msal-device-code-flow.
Scopes requested to access a protected API
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
The callback containing information to show the user about how to authenticate and enter the device code.
A CancellationToken which can be triggered to cancel the operation in progress.
Authentication result containing a token for the requested scopes and for the user who has authenticated on another device with the code
Non-interactive request to acquire a security token for the signed-in user in Windows, via Integrated Windows Authentication.
See https://aka.ms/msal-net-iwa.
The account used in this overrides is pulled from the operating system as the current user principal name
On Windows Universal Platform, the following capabilities need to be provided:
Enterprise Authentication, Private Networks (Client and Server), User Account Information
Scopes requested to access a protected API
Authentication result containing a token for the requested scopes and for the currently logged-in user in Windows
Non-interactive request to acquire a security token for the signed-in user in Windows, via Integrated Windows Authentication.
See https://aka.ms/msal-net-iwa.
The account used in this overrides is pulled from the operating system as the current user principal name
Scopes requested to access a protected API
Identifier of the user account for which to acquire a token with Integrated Windows authentication.
Generally in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com
Authentication result containing a token for the requested scopes and for the currently logged-in user in Windows
Notification for certain token cache interactions during token acquisition. This delegate is
used in particular to provide a custom token cache serialization.
See https://aka.ms/aka.ms/msal-net-token-cache-serialization
Arguments related to the cache item impacted
This is the interface that implements the public access to cache operations.
With CacheV2, this should only be necessary if the caller is persisting
the cache in their own store, since this will provide the serialize/deserialize
and before/after notifications used in that scenario.
See https://aka.ms/aka.ms/msal-net-token-cache-serialization
Sets a delegate to be notified before any library method accesses the cache. This gives an option to the
delegate to deserialize a cache entry for the application and accounts specified in the .
See https://aka.ms/msal-net-token-cache-serialization
Delegate set in order to handle the cache deserialization
In the case where the delegate is used to deserialize the cache, it might
want to call
Sets a delegate to be notified after any library method accesses the cache. This gives an option to the
delegate to serialize a cache entry for the application and accounts specified in the .
See https://aka.ms/msal-net-token-cache-serialization
Delegate set in order to handle the cache serialization in the case where the
member of the cache is true
In the case where the delegate is used to serialize the cache entirely (not just a row), it might
want to call
Sets a delegate called before any library method writes to the cache. This gives an option to the delegate
to reload the cache state from a row in database and lock that row. That database row can then be unlocked in the delegate
registered with
Delegate set in order to prepare the cache serialization
Serializes the token cache to the MSAL.NET 3.x cache format, which is compatible with other MSAL desktop libraries, e.g. MSAL for Python and MSAL for Java.
If you need to maintain SSO between an application using ADAL 3.x or MSAL 2.x and this application using MSAL 3.x,
you might also want to serialize and deserialize with / or /,
otherwise just use /.
Byte stream representation of the cache
This is the recommended format for maintaining SSO state between applications.
/ is compatible with other MSAL libraries such as MSAL for Python and MSAL for Java.
Deserializes the token cache to the MSAL.NET 3.x cache format, which is compatible with other MSAL desktop libraries, e.g. MSAL for Python and MSAL for Java.
If you need to maintain SSO between an application using ADAL 3.x or MSAL 2.x and this application using MSAL 3.x,
you might also want to serialize and deserialize with / or /,
otherwise just use /.
Byte stream representation of the cache
Set to true to clear MSAL cache contents. Defaults to false.
You would want to set this to true if you want the cache contents in memory to be exactly what's on disk.
You would want to set this to false if you want to merge the contents of what's on disk with your current in memory state.
This is the recommended format for maintaining SSO state between applications.
/ is compatible with other MSAL libraries such as MSAL for Python and MSAL for Java.
Serializes the token cache to the MSAL.NET 2.x unified cache format, which is compatible with ADAL.NET v4 and other MSAL.NET v2 applications.
If you need to maintain SSO between an application using ADAL 3.x or MSAL 2.x and this application using MSAL 3.x,
you might also want to serialize and deserialize with / or /,
otherwise just use /.
Byte stream representation of the cache
/ is compatible with other MSAL libraries such as MSAL for Python and MSAL for Java.
Deserializes the token cache to the MSAL.NET 2.x cache format, which is compatible with ADAL.NET v4 and other MSAL.NET v2 applications.
If you need to maintain SSO between an application using ADAL 3.x or MSAL 2.x and this application using MSAL 3.x,
you might also want to serialize and deserialize with / or /,
otherwise just use /.
Byte stream representation of the cache
/ is compatible with other MSAL libraries such as MSAL for Python and MSAL for Java.
Serializes the token cache to the ADAL.NET 3.x cache format.
If you need to maintain SSO between an application using ADAL 3.x or MSAL 2.x and this application using MSAL 3.x,
you might also want to serialize and deserialize with / or /,
otherwise just use /.
Byte stream representation of the cache
/ is compatible with other MSAL libraries such as MSAL for Python and MSAL for Java.
Deserializes the token cache to the ADAL.NET 3.x cache format.
If you need to maintain SSO between an application using ADAL 3.x or MSAL 2.x and this application using MSAL 3.x,
you might also want to serialize and deserialize with / or /,
otherwise just use /.
Byte stream representation of the cache
/ is compatible with other MSAL libraries such as MSAL for Python and MSAL for Java.
Functionality replaced by . See https://aka.ms/msal-net-3x-cache-breaking-change
Functionality replaced by . See https://aka.ms/msal-net-3x-cache-breaking-change
Functionality replaced by and
See https://aka.ms/msal-net-3x-cache-breaking-change
Functionality replaced by and
See https://aka.ms/msal-net-3x-cache-breaking-change
Persists the AT and RT and updates app metadata (FOCI)
Returns a RT for the request. If familyId is specified, it tries to return the FRT.
FOCI - check in the app metadata to see if the app is part of the family
null if unkown, true or false if app metadata has details
Callback delegate that allows application developers to consume logs, and handle them in a custom manner. This
callback is set using .
If PiiLoggingEnabled is set to true, when registering the callback this method will receive the messages twice:
once with the containsPii parameter equals false and the message without PII,
and a second time with the containsPii parameter equals to true and the message might contain PII.
In some cases (when the message does not contain PII), the message will be the same.
For details see https://aka.ms/msal-net-logging
Log level of the log message to process
Pre-formatted log message
Indicates if the log message contains Organizational Identifiable Information (OII)
or Personally Identifiable Information (PII) nor not.
If is set to false then this value is always false.
Otherwise it will be true when the message contains PII.
Level of the log messages.
For details see https://aka.ms/msal-net-logging
Error Log level
Warning Log level
Information Log level
Verbose Log level
Returns true if the actions are the same, either are ready for upload, and either is not aggregable.
This is used to determine whether or not we should aggregate this particular property bag of event data.
GUID included in request header
Floating-point value with a unit of milliseconds indicating the
refresh token age
Indicates whether the request was executed on a ring serving SPE traffic.
An empty string indicates this occurred on an outer ring, and the string "I"
indicates the request occurred on the inner ring
Error code sent by ESTS
Error code which gives more detailed information about server error code
In MSAL.NET 1.x, was representing a User. From MSAL 2.x use which represents an account
(a user has several accounts). See https://aka.ms/msal-net-2-released for more details.
In MSAL.NET 1.x was the displayable ID of a user. From MSAL 2.x use the of an account.
See https://aka.ms/msal-net-2-released for more details
In MSAL.NET 1.x was the name of the user (which was not very useful as the concatenation of
some claims). From MSAL 2.x rather use . See https://aka.ms/msal-net-2-released for more details.
In MSAL.NET 1.x was the URL of the identity provider (e.g. https://login.microsoftonline.com/tenantId).
From MSAL.NET 2.x use which retrieves the host only (e.g. login.microsoftonline.com).
See https://aka.ms/msal-net-2-released for more details.
In MSAL.NET 1.x was an identifier for the user in the guest tenant.
From MSAL.NET 2.x, use to get
the user identifier (globally unique accross tenants). See https://aka.ms/msal-net-2-released for more details.
Contains parameters used by the MSAL call accessing the cache.
See also which contains methods
to customize the cache serialization
In MSAL.NET 1.x, returned the user who signed in to get the authentication result. From MSAL 2.x
rather use instead. See https://aka.ms/msal-net-2-released for more details.
Gets the involved in the transaction
Gets the ClientId (application ID) of the application involved in the cache transaction
Gets the account involved in the cache transaction.
Indicates whether the state of the cache has changed, for example when tokens are being added or removed.
Not all cache operations modify the state of the cache.
Abstract class containing common API methods and properties.
For details see https://aka.ms/msal-net-client-applications
Class to be used to acquire tokens in desktop or mobile applications (Desktop / UWP / Xamarin.iOS / Xamarin.Android).
public client applications are not trusted to safely keep application secrets, and therefore they only access Web APIs in the name of the user only.
For details see https://aka.ms/msal-net-client-applications
- Contrary to , public clients are unable to hold configuration time secrets,
and as a result have no client secret
- The redirect URL is pre-proposed by the library. It does not need to be passed in the constructor
- .NET Core does not support UI, and therefore this platform does not provide the interactive token acquisition methods
Flag to enable authentication with the user currently logged-in in Windows.
When set to true, the application will try to connect to the corporate network using windows integrated authentication.
Constructor of the application. It will use https://login.microsoftonline.com/common as the default authority.
Client ID (also known as App ID) of the application as registered in the
application registration portal (https://aka.ms/msal-net-register-app)/. REQUIRED
Constructor of the application.
Client ID (also named Application ID) of the application as registered in the
application registration portal (https://aka.ms/msal-net-register-app)/. REQUIRED
Authority of the security token service (STS) from which MSAL.NET will acquire the tokens.
Usual authorities are:
- https://login.microsoftonline.com/tenant/, where tenant is the tenant ID of the Azure AD tenant
or a domain associated with this Azure AD tenant, in order to sign-in user of a specific organization only
- https://login.microsoftonline.com/common/ to signing users with any work and school accounts or Microsoft personal account
- https://login.microsoftonline.com/organizations/ to signing users with any work and school accounts
- https://login.microsoftonline.com/consumers/ to signing users with only personal Microsoft account (live)
Note that this setting needs to be consistent with what is declared in the application registration portal
Interactive request to acquire token for the specified scopes. The user is required to select an account
Scopes requested to access a protected API
Authentication result containing a token for the requested scopes and account
The user will be signed-in interactively if needed,
and will consent to scopes and do multi-factor authentication if such a policy was enabled in the Azure AD tenant.
Interactive request to acquire token for the specified scopes. The user will need to sign-in but an account will be proposed
based on the
Scopes requested to access a protected API
Identifier of the user. Generally in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com
Authentication result containing a token for the requested scopes and account
Interactive request to acquire token for the specified scopes. The user will need to sign-in but an account will be proposed
based on the provided
Scopes requested to access a protected API
Account to use for the interactive token acquisition. See for ways to get an account
Authentication result containing a token for the requested scopes and account
Interactive request to acquire token for a login with control of the UI prompt and possibility of passing extra query parameters like additional claims
Scopes requested to access a protected API
Identifier of the user. Generally in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com
Designed interactive experience for the user.
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
Authentication result containing a token for the requested scopes and account
Interactive request to acquire token for an account with control of the UI prompt and possibility of passing extra query parameters like additional claims
Scopes requested to access a protected API
Account to use for the interactive token acquisition. See for ways to get an account
Designed interactive experience for the user.
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
Authentication result containing a token for the requested scopes and account
Interactive request to acquire token for a given login, with the possibility of controlling the user experience, passing extra query
parameters, providing extra scopes that the user can pre-consent to, and overriding the authority pre-configured in the application
Scopes requested to access a protected API
Identifier of the user. Generally in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com
Designed interactive experience for the user.
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
Scopes that you can request the end user to consent upfront, in addition to the scopes for the protected Web API
for which you want to acquire a security token.
Specific authority for which the token is requested. Passing a different value than configured does not change the configured value
Authentication result containing a token for the requested scopes and account
Interactive request to acquire token for a given account, with the possibility of controlling the user experience, passing extra query
parameters, providing extra scopes that the user can pre-consent to, and overriding the authority pre-configured in the application
Scopes requested to access a protected API
Account to use for the interactive token acquisition. See for ways to get an account
Designed interactive experience for the user.
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
Scopes that you can request the end user to consent upfront, in addition to the scopes for the protected Web API
for which you want to acquire a security token.
Specific authority for which the token is requested. Passing a different value than configured does not change the configured value
Authentication result containing a token for the requested scopes and account
Interactive request to acquire token for the specified scopes. The interactive window will be parented to the specified
window. The user will be required to select an account
Scopes requested to access a protected API
Object containing a reference to the parent window/activity. REQUIRED for Xamarin.Android only.
Authentication result containing a token for the requested scopes and account
The user will be signed-in interactively if needed,
and will consent to scopes and do multi-factor authentication if such a policy was enabled in the Azure AD tenant.
Interactive request to acquire token for the specified scopes. The interactive window will be parented to the specified
window. The user will need to sign-in but an account will be proposed
based on the
Scopes requested to access a protected API
Identifier of the user. Generally in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com
Object containing a reference to the parent window/activity. REQUIRED for Xamarin.Android only.
Authentication result containing a token for the requested scopes and login
Interactive request to acquire token for the specified scopes. The user will need to sign-in but an account will be proposed
based on the provided
Scopes requested to access a protected API
Account to use for the interactive token acquisition. See for ways to get an account
Object containing a reference to the parent window/activity. REQUIRED for Xamarin.Android only.
Authentication result containing a token for the requested scopes and account
Interactive request to acquire token for a login with control of the UI prompt and possiblity of passing extra query parameters like additional claims
Scopes requested to access a protected API
Identifier of the user. Generally in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com
Designed interactive experience for the user.
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
Object containing a reference to the parent window/activity. REQUIRED for Xamarin.Android only.
Authentication result containing a token for the requested scopes and account
Interactive request to acquire token for an account with control of the UI prompt and possiblity of passing extra query parameters like additional claims
Scopes requested to access a protected API
Account to use for the interactive token acquisition. See for ways to get an account
Designed interactive experience for the user.
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
Object containing a reference to the parent window/activity. REQUIRED for Xamarin.Android only.
Authentication result containing a token for the requested scopes and account
Interactive request to acquire token for a given login, with the possibility of controlling the user experience, passing extra query
parameters, providing extra scopes that the user can pre-consent to, and overriding the authority pre-configured in the application
Scopes requested to access a protected API
Identifier of the user. Generally in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com
Designed interactive experience for the user.
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
scopes that you can request the end user to consent upfront, in addition to the scopes for the protected Web API
for which you want to acquire a security token.
Specific authority for which the token is requested. Passing a different value than configured does not change the configured value
Object containing a reference to the parent window/activity. REQUIRED for Xamarin.Android only.
Authentication result containing a token for the requested scopes and account
Interactive request to acquire token for a given account, with the possibility of controlling the user experience, passing extra query
parameters, providing extra scopes that the user can pre-consent to, and overriding the authority pre-configured in the application
Scopes requested to access a protected API
Account to use for the interactive token acquisition. See for ways to get an account
Designed interactive experience for the user.
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
scopes that you can request the end user to consent upfront, in addition to the scopes for the protected Web API
for which you want to acquire a security token.
Specific authority for which the token is requested. Passing a different value than configured does not change the configured value
Object containing a reference to the parent window/activity. REQUIRED for Xamarin.Android only.
Authentication result containing a token for the requested scopes and account
Non-interactive request to acquire a security token from the authority, via Username/Password Authentication.
Available only on .net desktop and .net core. See https://aka.ms/msal-net-up for details.
Scopes requested to access a protected API
Identifier of the user application requests token on behalf.
Generally in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com
User password.
Authentication result containing a token for the requested scopes and account
Acquires a security token on a device without a Web browser, by letting the user authenticate on
another device. This is done in two steps:
- the method first acquires a device code from the authority and returns it to the caller via
the . This callback takes care of interacting with the user
to direct them to authenticate (to a specific URL, with a code)
- The method then proceeds to poll for the security
token which is granted upon successful login by the user based on the device code information
See https://aka.ms/msal-device-code-flow.
Scopes requested to access a protected API
Callback containing information to show the user about how to authenticate and enter the device code.
Authentication result containing a token for the requested scopes and for the user who has authenticated on another device with the code
Acquires a security token on a device without a Web browser, by letting the user authenticate on
another device, with possiblity of passing extra parameters. This is done in two steps:
- the method first acquires a device code from the authority and returns it to the caller via
the . This callback takes care of interacting with the user
to direct them to authenticate (to a specific URL, with a code)
- The method then proceeds to poll for the security
token which is granted upon successful login by the user based on the device code information
See https://aka.ms/msal-device-code-flow.
Scopes requested to access a protected API
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
Callback containing information to show the user about how to authenticate and enter the device code.
Authentication result containing a token for the requested scopes and for the user who has authenticated on another device with the code
Acquires a security token on a device without a Web browser, by letting the user authenticate on
another device, with possiblity of cancelling the token acquisition before it times out. This is done in two steps:
- the method first acquires a device code from the authority and returns it to the caller via
the . This callback takes care of interacting with the user
to direct them to authenticate (to a specific URL, with a code)
- The method then proceeds to poll for the security
token which is granted upon successful login by the user based on the device code information. This step is cancelable
See https://aka.ms/msal-device-code-flow.
Scopes requested to access a protected API
The callback containing information to show the user about how to authenticate and enter the device code.
A CancellationToken which can be triggered to cancel the operation in progress.
Authentication result containing a token for the requested scopes and for the user who has authenticated on another device with the code
Acquires a security token on a device without a Web browser, by letting the user authenticate on
another device, with possiblity of passing extra query parameters and cancelling the token acquisition before it times out. This is done in two steps:
- the method first acquires a device code from the authority and returns it to the caller via
the . This callback takes care of interacting with the user
to direct them to authenticate (to a specific URL, with a code)
- The method then proceeds to poll for the security
token which is granted upon successful login by the user based on the device code information. This step is cancelable
See https://aka.ms/msal-device-code-flow.
Scopes requested to access a protected API
This parameter will be appended as is to the query string in the HTTP authentication request to the authority.
This is expected to be a string of segments of the form key=value separated by an ampersand character.
The parameter can be null.
The callback containing information to show the user about how to authenticate and enter the device code.
A CancellationToken which can be triggered to cancel the operation in progress.
Authentication result containing a token for the requested scopes and for the user who has authenticated on another device with the code
Acquires an access token from an existing refresh token and stores it and the refresh token into
the application user token cache, where it will be available for further AcquireTokenSilentAsync calls.
This method can be used in migration to MSAL from ADAL v2 and in various integration
scenarios where you have a RefreshToken available.
(see https://aka.ms/msal-net-migration-adal2-msal2)
Scope to request from the token endpoint.
Setting this to null or empty will request an access token, refresh token and ID token with default scopes
The refresh token (for example previously obtained from ADAL 2.x)
Non-interactive request to acquire a security token for the signed-in user in Windows, via Integrated Windows Authentication.
See https://aka.ms/msal-net-iwa.
The account used in this overrides is pulled from the operating system as the current user principal name
On Windows Universal Platform, the following capabilities need to be provided:
Enterprise Authentication, Private Networks (Client and Server), User Account Information
Supported on .net desktop and UWP
Scopes requested to access a protected API
Authentication result containing a token for the requested scopes and for the currently logged-in user in Windows
Non-interactive request to acquire a security token for the signed-in user in Windows, via Integrated Windows Authentication.
See https://aka.ms/msal-net-iwa.
The account used in this overrides is pulled from the operating system as the current user principal name
Scopes requested to access a protected API
Identifier of the user account for which to acquire a token with Integrated Windows authentication.
Generally in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com
Authentication result containing a token for the requested scopes and for the currently logged-in user in Windows
Constructor to create application instance. This constructor is only available for Desktop and NetCore apps
Client id of the application
Default authority to be used for the application
Instance of TokenCache.
Interactive request to acquire a token for the specified scopes. The interactive window will be parented to the specified
window. The user will be required to select an account
Scopes requested to access a protected API
A builder enabling you to add optional parameters before executing the token request
The user will be signed-in interactively if needed,
and will consent to scopes and do multi-factor authentication if such a policy was enabled in the Azure AD tenant.
You can also pass optional parameters by calling:
to specify the user experience
when signing-in, to specify
if you want to use the embedded web browser or the system default browser,
or
to prevent the select account dialog from appearing in the case you want to sign-in a specific account,
WithParentActivityOrWindow to optimize how the browser is shown, e.g.
for centering the browser window on the app window. Required on Xamarin.Android
if you want to let the
user pre-consent to additional scopes (which won't be returned in the access token),
to pass
additional query parameters to the STS, and one of the overrides of
in order to override the default authority set at the application construction. Note that the overriding authority needs to be part
of the known authorities added to the application construction
Acquires a security token on a device without a Web browser, by letting the user authenticate on
another device. This is done in two steps:
- The method first acquires a device code from the authority and returns it to the caller via
the . This callback takes care of interacting with the user
to direct them to authenticate (to a specific URL, with a code)
- The method then proceeds to poll for the security
token which is granted upon successful login by the user based on the device code information
See https://aka.ms/msal-device-code-flow.
Scopes requested to access a protected API
Callback containing information to show the user about how to authenticate and enter the device code.
A builder enabling you to add optional parameters before executing the token request
You can also pass optional parameters by calling:
to pass
additional query parameters to the STS, and one of the overrides of
in order to override the default authority set at the application construction. Note that the overriding authority needs to be part
of the known authorities added to the application construction.
Non-interactive request to acquire a security token for the signed-in user in Windows,
via Integrated Windows Authentication. See https://aka.ms/msal-net-iwa.
The account used in this overrides is pulled from the operating system as the current user principal name.
Scopes requested to access a protected API
A builder enabling you to add optional parameters before executing the token request
You can also pass optional parameters by calling:
to pass the identifier
of the user account for which to acquire a token with Integrated Windows authentication. This is generally in
UserPrincipalName (UPN) format, e.g. john.doe@contoso.com. This is normally not needed, but some Windows administrators
set policies preventing applications from looking-up the signed-in user in Windows, and in that case the username
needs to be passed.
You can also chain with
to pass
additional query parameters to the STS, and one of the overrides of
in order to override the default authority set at the application construction. Note that the overriding authority needs to be part
of the known authorities added to the application construction.
Non-interactive request to acquire a security token from the authority, via Username/Password Authentication.
See https://aka.ms/msal-net-up for details.
Scopes requested to access a protected API
Identifier of the user application requests token on behalf.
Generally in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com
User password as a secure string.
A builder enabling you to add optional parameters before executing the token request
You can also pass optional parameters by chaining the builder with:
to pass
additional query parameters to the STS, and one of the overrides of
in order to override the default authority set at the application construction. Note that the overriding authority needs to be part
of the known authorities added to the application construction.
Component to be used with confidential client applications like Web Apps/API.
This component supports Subject Name + Issuer authentication in order to help, in the future,
Azure AD certificates rollover
[V2 API] Acquires token from the service for the confidential client using the client credentials flow. (See https://aka.ms/msal-net-client-credentials)
This method enables application developers to achieve easy certificates roll-over
in Azure AD: this method will send the public certificate to Azure AD
along with the token request, so that Azure AD can use it to validate the subject name based on a trusted issuer policy.
This saves the application admin from the need to explicitly manage the certificate rollover
(either via portal or powershell/CLI operation)
Array of scopes requested for resource
Authentication result containing application token for the requested scopes
[V2 API] Acquires token from the service for the confidential client using the client credentials flow. (See https://aka.ms/msal-net-client-credentials)
This method attempts to look up valid access token in the cache unless is true
This method enables application developers to achieve easy certificates roll-over
in Azure AD: this method will send the public certificate to Azure AD
along with the token request, so that Azure AD can use it to validate the subject name based on a trusted issuer policy.
This saves the application admin from the need to explicitly manage the certificate rollover
(either via portal or powershell/CLI operation)
Array of scopes requested for resource
If TRUE, API will ignore the access token in the cache and attempt to acquire new access token using client credentials
Authentication result containing application token for the requested scopes
[V2 API] Acquires token using On-Behalf-Of flow. (See https://aka.ms/msal-net-on-behalf-of)
Array of scopes requested for resource
Instance of UserAssertion containing user's token.
Authentication result containing token of the user for the requested scopes
[V2 API] Acquires token using On-Behalf-Of flow. (See https://aka.ms/msal-net-on-behalf-of)
Array of scopes requested for resource
Instance of UserAssertion containing user's token.
Specific authority for which the token is requested. Passing a different value than configured does not change the configured value
Authentication result containing token of the user for the requested scopes
Structure containing static members that you can use to specify how the interactive overrides
of AcquireTokenAsync in should prompt the user.
Certificate for a client assertion. This class is used in one of the constructors of . ClientCredential
is itself used in the constructor of to pass to Azure AD a shared secret (registered in the
Azure AD application)
for the constructor of
with a certificate, and
To understand the difference between public client applications and confidential client applications, see https://aka.ms/msal-net-client-applications
Constructor to create certificate information used in
to instantiate a used in the constructors of
The X509 certificate used as credentials to prove the identity of the application to Azure AD.
Gets minimum X509 certificate key size in bits
Gets the X509 certificate used as credentials to prove the identity of the application to Azure AD.
Meant to be used in confidential client applications, an instance of ClientCredential is passed
to the constructors of ()
as credentials proving that the application (the client) is what it claims it is. These credentials can be
either a client secret (an application password) or a certificate.
This class has one constructor for each case.
These credentials are added in the application registration portal (in the secret section).
Constructor of client (application) credentials from a
contains information about the certificate previously shared with AAD at application
registration to prove the identity of the application (the client) requesting the tokens.
Constructor of client (application) credentials from a client secret, also known as the application password.
Secret string previously shared with AAD at application registration to prove the identity
of the application (the client) requesting the tokens.
Checks Android device for chrome packages.
Returns true if chrome package for launching system webview is enabled on device.
Returns false if chrome package is not found.
The following code decides, in a Xamarin.Forms app, which browser to use based on the presence of the
required packages.
bool useSystemBrowser = UIParent.IsSystemWebviewAvailable();
App.UIParent = new UIParent(Xamarin.Forms.Forms.Context as Activity, !useSystemBrowser);
This exception class represents errors that are local to the library or the device. Contrary to
which represent errors happening from the Azure AD service or
the network. For more details, see https://aka.ms/msal-net-exceptions
Initializes a new instance of the exception class with a specified
error code.
The error code returned by the service or generated by client. This is the code you can rely on
for exception handling.
Initializes a new instance of the exception class with a specified
error code and error message.
The error code returned by the service or generated by client. This is the code you can rely on
for exception handling.
The error message that explains the reason for the exception.
Initializes a new instance of the exception class with a specified
error code, error message and inner exception.
The error code returned by the service or generated by client. This is the code you can rely on
for exception handling.
The error message that explains the reason for the exception.
Error code returned as a property in MsalException
Standard OAuth2 protocol error code. It indicates that the application needs to expose the UI to the user
so that the user does an interactive action in order to get a new token.
Mitigation: If your application is a call AcquireTokenInteractive
perform an interactive authentication. If your application is a chances are that the Claims member
of the exception is not empty. See for the right mitigation
No token was found in the token cache.
Mitigation: If your application is a call AcquireTokenInteractive so
that the user of your application signs-in and accepts consent. If your application is a .:
-
If it's a Web App you should have previously called
as described in https://aka.ms/msal-net-authorization-code. You need to make sure that you have requested the right scopes. For details
See https://github.com/Azure-Samples/ms-identity-aspnetcore-webapp-tutorial
- This error should not happen in Web APIs
This error code comes back from calls when a null user is
passed as the account parameter. This can be because you have called AcquireTokenSilent with an account parameter
set to accounts.FirstOrDefault() but accounts is empty.
Mitigation
Pass a different account, or otherwise call
This error code denotes that no account was found having the given login hint.
What happens?
or
was called with a loginHint parameter which does not match any account in
Mitigation
If you are certain about the loginHint, call
This error code denotes that multiple accounts were found having the same login hint and MSAL
cannot choose one. Please use to specify the account
This error code comes back from calls when
the user cache had not been set in the application constructor. This should never happen in MSAL.NET 3.x as the cache is created by the application
One of two conditions was encountered:
- The Prompt.NoPrompt was passed in an interactive token call, but the constraint could not be honored because user interaction is required,
for instance because the user needs to re-sign-in, give consent for more scopes, or perform multiple factor authentication.
-
An error occurred during a silent web authentication that prevented the authentication flow from completing in a short enough time frame.
Remediation:call AcquireTokenInteractive so that the user of your application signs-in and accepts consent.
Service is unavailable and returned HTTP error code within the range of 500-599
Mitigation you can retry after a delay.
The Http Request to the STS timed out.
Mitigation you can retry after a delay.
loginHint should be a Upn
What happens? An override of a token acquisition operation was called in which
takes a loginHint as a parameters, but this login hint was not using the UserPrincipalName (UPN) format, e.g. john.doe@contoso.com
expected by the service
Remediation Make sure in your code that you enforce loginHint to be a UPN
No passive auth endpoint was found in the OIDC configuration of the authority
What happens? When the libraries go to the authority and get its open id connect configuration
it expects to find a Passive Auth Endpoint entry, and could not find it.
remediation Check that the authority configured for the application, or passed on some overrides of token acquisition tokens
supporting authority override is correct
Invalid authority
What happens When the library attempts to discover the authority and get the endpoints it needs to
acquire a token, it got an un-authorize HTTP code or an unexpected response
remediation Check that the authority configured for the application, or passed on some overrides of token acquisition tokens
supporting authority override is correct
Invalid authority type.
MSAL.NET does not know how to interact with the authority specified when the application was built.
Mitigation
Use a different authority
Unknown Error occured.
Mitigation None. You might want to inform the end user.
Authentication failed.
What happens?
The authentication failed. For instance the user did not enter the right password
Mitigation
Inform the user to retry.
Authority validation failed.
What happens?
The validation of the authority failed. This might be because the authority is not
compliant with the OIDC standard, or there might be a security issue
Mitigation
Use a different authority. If you are absolutely sure that you can trust the authority
you can use the passing
the validateAuthority parameter to false (not recommended)
Invalid owner window type.
What happens?
You used "AcquireTokenInteractiveParameterBuilder.WithParentActivityOrWindow(object)
but the parameter you passed is invalid.
Remediation
On .NET Standard, the expected object is an Activity on Android, a UIViewController on iOS,
a NSWindow on MAC, and a IWin32Window or IntPr on Windows.
If you are in a WPF application, you can use WindowInteropHelper(wpfControl).Handle to get the window
handle associated with a WPF control
Invalid service URL.
Encoded token too long.
What happens
In a confidential client application call, the client assertion built by MSAL is longer than
the max possible length for a JWT token.
No data from STS.
User Mismatch.
Failed to refresh token.
What happens?
The token could not be refreshed. This can be because the user has not used the application for a long time.
and therefore the refresh token maintained in the token cache has expired
Mitigation
If you are in a public client application, that supports interactivity, send an interactive request
. Otherwise,
use a different method to acquire tokens.
Failed to acquire token silently. Used in broker scenarios.
What happens
you called
or and your
mobile (Xamarin) application leverages the broker (Microsoft Authenticator or Microsoft Company Portal), but the broker
was not able to acquire the token silently.
Mitigation
Call
RedirectUri validation failed.
What happens?
The redirect URI / reply URI is invalid
How to fix
Pass a valid redirect URI.
The request could not be preformed because of an unknown failure in the UI flow.*
Mitigation
Inform the user.
Internal error
Accessing WS Metadata Exchange Failed.
What happens?
You tried to use
and the account is a federated account.
Mitigation
None. The WS metadata was not found or does not correspond to what was expected.
Federated service returned error.
Mitigation
None. The federated service returned an error. You can try to look at the
Body of the exception for a better understanding of the error and choose
the mitigation
User Realm Discovery Failed.
Federation Metadata Url is missing for federated user.
Parsing WS Metadata Exchange Failed.
WS-Trust Endpoint Not Found in Metadata Document.
You can get this error when using
In the case of a Federated user (that is owned by a federated IdP, as opposed to a managed user owned in an Azure AD tenant)
ID3242: The security token could not be authenticated or authorized.
The user does not exist or has entered the wrong password
What happens
You can get this error when using
The user is not recognized as a managed user, or a federated user. Azure AD was not
able to identify the IdP that needs to process the user
Mitigation
Inform the user. the login that the user provided might be incorrect.
What happens
You can get this error when using
The user is not known by the IdP
Mitigation
Inform the user. The login that the user provided might be incorrect (for instance empty)
Failed to get user name.
Password is required for managed user.
What happens?
If can got this error when using
and you (or the user) did not provide a password.
Request is invalid.
What happens?
This can happen because you are using a token acquisition method which is not compatible with the authority. For instance:
you called
but you used an authority ending with '/common' or '/consumers' as this requires a tenanted authority or '/organizations'.
Mitigation
Adjust the authority to the AcquireTokenXX method you use (don't use 'common' or 'consumers' with
Cannot access the user from the OS (UWP)
What happens
You called , but the domain user
name could not be found.
Mitigation
This might be because you need to add more capabilities to your UWP application in the Package.appxmanifest.
See https://aka.ms/msal-net-uwp
Cannot get the user from the OS (UWP)
What happens
You called , but the domain user
name could not be found.
Mitigation
This might be because you need to add more capabilities to your UWP application in the Package.appxmanifest.
See https://aka.ms/msal-net-uwp
An error response was returned by the OAuth2 server and it could not be parsed
What happens?
In the context of Device code flow (See https://aka.ms/msal-net-device-code-flow),
this error happens when the device code expired before the user signed-in on another device (this is usually after 15 mins).
Mitigation
None. Inform the user that they took too long to sign-in at the provided URL and enter the provided code.
Integrated Windows Auth is only supported for "federated" users
TODO: UPDATE DOCUMENTATION!
On Android, you need to call AcquireTokenInteractiveParameterBuilder.WithParentActivityOrWindow(object) passing
the activity. See https://aka.ms/msal-interactive-android
Broker response hash did not match
Broker response returned an error
MSAL is not able to invoke the broker. Possible reasons are the broker is not installed on the user's device,
or there were issues with the UiParent or CallerViewController being null. See https://aka.ms/msal-brokers
Error code used when the http response returns HttpStatusCode.NotFound
ErrorCode used when the http response returns something different from 200 (OK)
HttpStatusCode.NotFound have a specific error code.
Error code used when the has returned an uri, but it is invalid - it is either null or has no code.
Consider throwing an exception if you are unable to intercept the uri containing the code.
Error code used when the CustomWebUI has returned an uri, but it does not match the Authroity and AbsolutePath of
the configured redirect uri.
Access denied.
Cannot Access User Information or the user is not a user domain.
What happens?
You tried to use
but the user is not a domain user (the machine is not domain or AAD joined)
RedirectUri validation failed.
No Redirect URI.
What happens?
You need to provide a Reply URI / Redirect URI, but have not called
Multiple Tokens were matched.
What happens?This exception happens in the case of applications managing several identitities,
when calling
or one of its overrides and the user token cache contains multiple tokens for this client application and the the specified Account, but from different authorities.
Mitigation [App Development]specify the authority to use in the acquire token operation
Non HTTPS redirects are not supported
What happens?This error happens when you have registered a non-https redirect URI for the
public client application other than urn:ietf:wg:oauth:2.0:oob
Mitigation [App registration and development]Register in the application a Reply URL starting with "https://"
The request could not be preformed because the network is down.
Mitigation [App development] In the application you could either inform the user that there are network issues
or retry later
The B2C authority host is not the same as the one used when creating the client application.
Duplicate query parameter was found in extraQueryParameters.
What happens? You have used extraQueryParameter of overrides
of token acquisition operations in public client and confidential client application and are passing a parameter which is already present in the
URL (either because you had it in another way, or the library added it).
Mitigation [App Development] RemoveAccount the duplicate parameter from the token acquisition override.
The request could not be performed because of a failure in the UI flow.
What happens?The library failed to invoke the Web View required to perform interactive authentication.
The exception might include the reason
MitigationIf the exception includes the reason, you could inform the user. This might be, for instance, a browser
implementing chrome tabs is missing on the Android phone (that's only an example: this exception can apply to other
platforms as well)
Authentication canceled.
What happens?The user had canceled the authentication, for instance by closing the authentication dialog
MitigationNone, you cannot get a token to call the protected API. You might want to inform the user
JSON parsing failed.
What happens?A Json blob read from the token cache or received from the STS was not parseable.
This can happen when reading the token cache, or receiving an IDToken from the STS.
MitigationMake sure that the token cache was not tampered
JWT was invalid.
What happens?The library expected a JWT (for instance a token from the cache, or received from the STS), but
the format is invalid
MitigationMake sure that the token cache was not tampered
State returned from the STS was different from the one sent by the library
What happens?The library sends to the STS a state associated to a request, and expects the reply to be consistent.
This errors indicates that the reply is not associated with the request. This could indicate an attempt to replay a response
Mitigation None
Tenant discovery failed.
What happens?While reading the openid configuration associated with the authority, the Authorize endpoint,
or Token endpoint, or the Issuer was not found
MitigationThis indicates and authority which is not Open ID Connect compliant. Specify a different authority
in the constructor of the application, or the token acquisition override
///
The library is loaded on a platform which is not supported.
The active directory authentication error message.
Base exception type thrown when an error occurs during token acquisition.
For more details, see https://aka.ms/msal-net-exceptions
Avoid throwing this exception. Instead throw the more specialized
or
Initializes a new instance of the exception class.
Initializes a new instance of the exception class with a specified
error code.
The error code returned by the service or generated by the client. This is the code you can rely on
for exception handling.
Initializes a new instance of the exception class with a specified
error code and error message.
The error code returned by the service or generated by the client. This is the code you can rely on
for exception handling.
The error message that explains the reason for the exception.
Initializes a new instance of the exception class with a specified
error code and a reference to the inner exception that is the cause of
this exception.
The error code returned by the service or generated by the client. This is the code you can rely on
for exception handling.
The error message that explains the reason for the exception.
The exception that is the cause of the current exception, or a null reference if no inner
exception is specified.
Gets the protocol error code returned by the service or generated by the client. This is the code you can rely on for
exception handling. Values for this code are typically provided in constant strings in the derived exceptions types
with explanations of mitigation.
Creates and returns a string representation of the current exception.
A string representation of the current exception.
Allows serialization of most values of the exception into JSON.
Allows re-hydration of the MsalException (or one of its derived types) from JSON generated by ToJsonString().
Exception type thrown when service returns an error response or other networking errors occur.
For more details, see https://aka.ms/msal-net-exceptions
Initializes a new instance of the exception class with a specified
error code, error message and a reference to the inner exception that is the cause of
this exception.
The protocol error code returned by the service or generated by client. This is the code you
can rely on for exception handling.
The error message that explains the reason for the exception.
Initializes a new instance of the exception class with a specified
error code, error message and a reference to the inner exception that is the cause of
this exception.
The protocol error code returned by the service or generated by the client. This is the code you
can rely on for exception handling.
The error message that explains the reason for the exception.
Status code of the resposne received from the service.
Initializes a new instance of the exception class with a specified
error code, error message and a reference to the inner exception that is the cause of
this exception.
The protocol error code returned by the service or generated by the client. This is the code you
can rely on for exception handling.
The error message that explains the reason for the exception.
The exception that is the cause of the current exception, or a null reference if no inner
exception is specified.
Initializes a new instance of the exception class with a specified
error code, error message and a reference to the inner exception that is the cause of
this exception.
The protocol error code returned by the service or generated by the client. This is the code you
can rely on for exception handling.
The error message that explains the reason for the exception.
HTTP status code of the resposne received from the service.
The exception that is the cause of the current exception, or a null reference if no inner
exception is specified.
Initializes a new instance of the exception class with a specified
error code, error message and a reference to the inner exception that is the cause of
this exception.
The protocol error code returned by the service or generated by the client. This is the code you
can rely on for exception handling.
The error message that explains the reason for the exception.
The status code of the request.
The claims challenge returned back from the service.
The exception that is the cause of the current exception, or a null reference if no inner
exception is specified.
Gets the status code returned from http layer. This status code is either the HttpStatusCode in the inner
response or the the NavigateError Event Status Code in a browser based flow (See
http://msdn.microsoft.com/en-us/library/bb268233(v=vs.85).aspx).
You can use this code for purposes such as implementing retry logic or error investigation.
Additional claims requested by the service. When this property is not null or empty, this means that the service requires the user to
provide additional claims, such as doing two factor authentication. The are two cases:
-
If your application is a , you should just call
and add the modifier.
- >If your application is a , (therefore doing the On-Behalf-Of flow), you should throw an Http unauthorize
exception with a message containing the claims
For more details see https://aka.ms/msal-net-claim-challenge
Raw response body received from the server.
The suberror should not be exposed for public consumption yet, as STS needs to do some work
first.
Contains the http headers from the server response that indicated an error.
When the server returns a 429 Too Many Requests error, a Retry-After should be set. It is important to read and respect the
time specified in the Retry-After header to avoid a retry storm.
An ID that can used to piece up a single authentication flow.
Creates and returns a string representation of the current exception.
A string representation of the current exception.
This exception class is to inform developers that UI interaction is required for authentication to
succeed. It's thrown when calling or one
of its overrides, and when the token does not exists in the cache, or the user needs to provide more content, or perform multiple factor authentication based
on Azure AD policies, etc..
For more details, see https://aka.ms/msal-net-exceptions
Initializes a new instance of the exception class with a specified
error code and error message.
The error code returned by the service or generated by the client. This is the code you can rely on
for exception handling.
The error message that explains the reason for the exception.
Initializes a new instance of the exception class with a specified
error code, error message and inner exception indicating the root cause.
The error code returned by the service or generated by the client. This is the code you can rely on
for exception handling.
The error message that explains the reason for the exception.
Represents the root cause of the exception.
Optional field, FOCI support.
Do not expose these in the MsalException because Evo does not guarantee that the error
codes remain the same.
OAuth2 errors that are only used internally. All error codes used when propagating exceptions should
be made public.
Returns the platform / os specific implementation of a PlatformProxy.
Gets the platform proxy, which can be used to perform platform specific operations
Common operations for extracting platform / operating system specifics
Gets the device model. On some TFMs this is not returned for security reasonons.
device model or null
Gets the upn of the user currently logged into the OS
Returns true if the current OS logged in user is AD or AAD joined.
Returns the name of the calling assembly
Returns the version of the calling assembly
Returns a device identifier. Varies by platform.
Get the redirect Uri as string, or the a broker specified value
Gets the default redirect uri for the platform, which sometimes includes the clientId
Provides a high level token cache serialization solution that is similar to the one offered to MSAL customers.
Platforms should try to implement if possible, as it provides more granular
access.
Keeps the 4 token cache dictionaries in memory. Token Cache extensions
are responsible for persistance.
Structure containing static members that you can use to specify how the interactive overrides
of AcquireTokenAsync in should prompt the user.
AcquireToken will send prompt=select_account to Azure AD's authorize endpoint
which would present to the user a list of accounts from which one can be selected for
authentication.
The user will be prompted for credentials by the service. It is achieved
by sending prompt=login to the Azure AD service.
The user will be prompted to consent, even if consent was granted before. It is achieved
by sending prompt=consent to Azure AD.
Does not request any specific UI to the service, which therefore decides based on the
number of signed-in identities.
This Prompt is, for the moment, recommended for Azure AD B2C scenarios where
the developer does not want the user to re-select the account (for instance when applying
policies like EditProfile, or ResetPassword, which should apply to the currently signed-in account.
It's not recommended to use this Prompt in Azure AD scenarios at the moment).
Only available on .NET platform. AcquireToken will send prompt=attempt_none to
Azure AD's authorize endpoint and the library will use a hidden webview (and its cookies) to authenticate the user.
This can fail, and in that case a will be thrown.
Equals method override to compare Prompt structs
object to compare against
true if object are equal.
Override to compute hashcode
hash code of the PromptValue
operator overload to equality check
first value
second value
true if the objects are equal
operator overload to equality check
first value
second value
true if the objects are not equal
Monotonically increasing integer specifying
x-ms-cliteleminfo header version
Bundle id for server error.
Bundle id for server suberror.
Bundle id for refresh token age.
Floating-point value with a unit of milliseconds
Bundle id for spe_ring info. Indicates whether the request was executed
on a ring serving SPE traffic. An empty string indicates this occurred on
an outer ring, and the string "I" indicates the request occurred on the
inner ring
Token cache storing access and refresh tokens for accounts
This class is used in the constructors of and .
In the case of ConfidentialClientApplication, two instances are used, one for the user token cache, and one for the application
token cache (in the case of applications using the client credential flows).
Constructor of a token cache. This constructor is left for compatibility with MSAL 2.x.
The recommended way to get a cache is by using
and IConfidentialClientApplication.AppTokenCache once the app is created.
This method is so we can inject test ILegacyCachePersistence...
Notification for certain token cache interactions during token acquisition. This delegate is
used in particular to provide a custom token cache serialization
Arguments related to the cache item impacted
Notification method called before any library method accesses the cache.
Notification method called before any library method writes to the cache. This notification can be used to reload
the cache state from a row in database and lock that row. That database row can then be unlocked in the
notification.
Notification method called after any library method accesses the cache.
Gets or sets the flag indicating whether the state of the cache has changed.
MSAL methods set this flag after any change.
Caller applications should reset the flag after serializing and persisting the state of the cache.
Get accounts should not make a network call, if possible.
Tries to get the env aliases of the authority for selecting accounts.
This can be done without network discovery if all the accounts belong to known envs.
If the list becomes stale (i.e. new env is introduced), GetAccounts will perform InstanceDiscovery
The list of known envs should not be used in any other scenario!
MSAL account removal depends on wheather we have an FRT or not in the cache. If an FRT exists,
we can no longer filter by clientID
Sets a delegate to be notified before any library method accesses the cache. This gives an option to the
delegate to deserialize a cache entry for the application and accounts specified in the .
See https://aka.ms/msal-net-token-cache-serialization
Delegate set in order to handle the cache deserialiation
In the case where the delegate is used to deserialize the cache, it might
want to call
Sets a delegate to be notified after any library method accesses the cache. This gives an option to the
delegate to serialize a cache entry for the application and accounts specified in the .
See https://aka.ms/msal-net-token-cache-serialization
Delegate set in order to handle the cache serialization in the case where the
member of the cache is true
In the case where the delegate is used to serialize the cache entierely (not just a row), it might
want to call
Sets a delegate called before any library method writes to the cache. This gives an option to the delegate
to reload the cache state from a row in database and lock that row. That database row can then be unlocked in the delegate
registered with
Delegate set in order to prepare the cache serialization
Serializes the entire token cache in both the ADAL V3 and unified cache formats.
Serialized token cache
/ is compatible with other MSAL libraries such as MSAL for Python and MSAL for Java.
Deserializes the token cache from a serialization blob in both format (ADAL V3 format, and unified cache format)
Array of bytes containing serialize cache data
/ is compatible with other MSAL libraries such as MSAL for Python and MSAL for Java.
Serializes using the serializer.
Obsolete: Please use specialized Serialization methods.
replaces .
/ Is our recommended way of serializing/deserializing.
For interoperability with ADAL.NET v3.
array of bytes,
/ is compatible with other MSAL libraries such as MSAL for Python and MSAL for Java.
Deserializes the token cache from a serialization blob in the unified cache format
Obsolete: Please use specialized Deserialization methods.
replaces
/ Is our recommended way of serializing/deserializing.
For interoperability with ADAL.NET v3
Array of bytes containing serialized MSAL.NET V2 cache data
/ is compatible with other MSAL libraries such as MSAL for Python and MSAL for Java.
Is a Json blob containing access tokens, refresh tokens, id tokens and accounts information.
Serializes the token cache to the ADAL.NET 3.x cache format.
If you need to maintain SSO between an application using ADAL 3.x or MSAL 2.x and this application using MSAL 3.x,
you might also want to serialize and deserialize with / or /,
otherwise just use /.
array of bytes containing the serialized ADAL.NET V3 cache data
/ is compatible with other MSAL libraries such as MSAL for Python and MSAL for Java.
Deserializes the token cache to the ADAL.NET 3.x cache format.
If you need to maintain SSO between an application using ADAL 3.x or MSAL 2.x and this application using MSAL 3.x,
you might also want to serialize and deserialize with / or /,
otherwise just use /.
Array of bytes containing serialized Adal.NET V3 cache data
/ is compatible with other MSAL libraries such as MSAL for Python and MSAL for Java.
Serializes the token cache to the MSAL.NET 2.x unified cache format, which is compatible with ADAL.NET v4 and other MSAL.NET v2 applications.
If you need to maintain SSO between an application using ADAL 3.x or MSAL 2.x and this application using MSAL 3.x,
you might also want to serialize and deserialize with / or /,
otherwise just use /.
array of bytes containing the serialized MsalV2 cache
/ is compatible with other MSAL libraries such as MSAL for Python and MSAL for Java.
Deserializes the token cache to the MSAL.NET 2.x unified cache format, which is compatible with ADAL.NET v4 and other MSAL.NET v2 applications.
If you need to maintain SSO between an application using ADAL 3.x or MSAL 2.x and this application using MSAL 3.x,
you might also want to serialize and deserialize with / or /,
otherwise just use /.
Array of bytes containing serialized MsalV2 cache data
Is a Json blob containing access tokens, refresh tokens, id tokens and accounts information.
/ is compatible with other MSAL libraries such as MSAL for Python and MSAL for Java.
Serializes the token cache, in the MSAL.NET V3 cache format.
If you need to maintain SSO between an application using ADAL 3.x or MSAL 2.x and this application using MSAL 3.x,
you might also want to serialize and deserialize with / or /,
otherwise just use /.
Byte stream representation of the cache
/ is compatible with other MSAL libraries such as MSAL for Python and MSAL for Java.
De-serializes from the MSAL.NET V3 cache format.
If you need to maintain SSO between an application using ADAL 3.x or MSAL 2.x and this application using MSAL 3.x,
you might also want to serialize and deserialize with / or /,
otherwise just use /.
Byte stream representation of the cache
Set to true to clear MSAL cache contents. Defaults to false.
This format is compatible with other MSAL libraries such as MSAL for Python and MSAL for Java.
/ is compatible with other MSAL libraries such as MSAL for Python and MSAL for Java.
A string that is added to each Authroization Request and is expected to be sent back along with the
authorization code. MSAL is responsible for validating that the state sent is identical to the state received.
This is in addition to PKCE, which is validated by the server to ensure that the system redeeming the auth code
is the same as the system who asked for it. It protects against XSRF https://openid.net/specs/openid-connect-core-1_0.html
Extra validations on the redirect uri, for example system web views cannot work with the urn:oob... uri because
there is no way of knowing which app to get back to.
Throws if uri is invalid
Type containing an assertion representing a user's credentials. This type is used in the
On-Behalf-Of flow in confidential client applications, enabling a Web API to request a token
for another downsteam API in the name of the user whose credentials are held by this UserAssertion
See https://aka.ms/msal-net-on-behalf-of
Constructor from a JWT assertion. For other assertion types (SAML), use the other constructor
JWT bearer token used to access the Web application itself
Constructor of a UserAssertion specifying the assertionType in addition to the assertion
Assertion representing the user.
Type of the assertion representing the user. Accepted types are currently:
- urn:ietf:params:oauth:grant-type:jwt-bearerJWT bearer token. Passing this is equivalent to using
the other (simpler) constructor
- urn:ietf:params:oauth:grant-type:saml1_1-bearerSAML 1.1 bearer token
- urn:ietf:params:oauth:grant-type:jwt-bearerSAML 2 bearer token
Gets the assertion.
Gets the assertion type.
Create an array of bytes representing the UTF-8 encoding of the given string.
String to get UTF-8 bytes for
Array of UTF-8 character bytes
Gets the currently logged in user. Works for Windows when user is AD or AAD joined. Throws otherwise if cannot be found.
Platform / OS specific logic. No library (ADAL / MSAL) specific code should go in here.
Get the user logged in to Windows or throws
Win10 allows several identities to be logged in at once;
select the first principal name that can be used
The username or throws
Considered PII, ensure that it is hashed.
Name of the calling application
Considered PII, ensure that it is hashed.
Version of the calling application
Considered PII. Please ensure that it is hashed.
Device identifier
All continuations must be on the same thread, i.e. ConfigureAwait(true)
because the TokenCache calls are under lock() so continuing on different threads will cause
deadlocks.
Represents a BSON Oid (object id).
Gets or sets the value of the Oid.
The value of the Oid.
Initializes a new instance of the class.
The Oid value.
Represents a reader that provides fast, non-cached, forward-only access to serialized BSON data.
Gets or sets a value indicating whether binary data reading should be compatible with incorrect Json.NET 3.5 written binary.
true if binary data reading will be compatible with incorrect Json.NET 3.5 written binary; otherwise, false.
Gets or sets a value indicating whether the root object will be read as a JSON array.
true if the root object will be read as a JSON array; otherwise, false.
Gets or sets the used when reading values from BSON.
The used when reading values from BSON.
Initializes a new instance of the class.
The containing the BSON data to read.
Initializes a new instance of the class.
The containing the BSON data to read.
Initializes a new instance of the class.
The containing the BSON data to read.
if set to true the root object will be read as a JSON array.
The used when reading values from BSON.
Initializes a new instance of the class.
The containing the BSON data to read.
if set to true the root object will be read as a JSON array.
The used when reading values from BSON.
Reads the next JSON token from the underlying .
true if the next token was read successfully; false if there are no more tokens to read.
Changes the reader's state to .
If is set to true, the underlying is also closed.
Represents a writer that provides a fast, non-cached, forward-only way of generating BSON data.
Gets or sets the used when writing values to BSON.
When set to no conversion will occur.
The used when writing values to BSON.
Initializes a new instance of the class.
The to write to.
Initializes a new instance of the class.
The to write to.
Flushes whatever is in the buffer to the underlying and also flushes the underlying stream.
Writes the end.
The token.
Writes a comment /*...*/ containing the specified text.
Text to place inside the comment.
Writes the start of a constructor with the given name.
The name of the constructor.
Writes raw JSON.
The raw JSON to write.
Writes raw JSON where a value is expected and updates the writer's state.
The raw JSON to write.
Writes the beginning of a JSON array.
Writes the beginning of a JSON object.
Writes the property name of a name/value pair on a JSON object.
The name of the property.
Closes this writer.
If is set to true, the underlying is also closed.
If is set to true, the JSON is auto-completed.
Writes a value.
An error will raised if the value cannot be written as a single JSON token.
The value to write.
Writes a null value.
Writes an undefined value.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a [] value.
The [] value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a [] value that represents a BSON object id.
The Object ID value to write.
Writes a BSON regex.
The regex pattern.
The regex options.
Specifies how constructors are used when initializing objects during deserialization by the .
First attempt to use the public default constructor, then fall back to a single parameterized constructor, then to the non-public default constructor.
Json.NET will use a non-public default constructor before falling back to a parameterized constructor.
Converts a binary value to and from a base 64 string value.
Writes the JSON representation of the object.
The to write to.
The value.
The calling serializer.
Reads the JSON representation of the object.
The to read from.
Type of the object.
The existing value of object being read.
The calling serializer.
The object value.
Determines whether this instance can convert the specified object type.
Type of the object.
true if this instance can convert the specified object type; otherwise, false.
Converts a to and from JSON and BSON.
Writes the JSON representation of the object.
The to write to.
The value.
The calling serializer.
Reads the JSON representation of the object.
The to read from.
Type of the object.
The existing value of object being read.
The calling serializer.
The object value.
Determines whether this instance can convert the specified object type.
Type of the object.
true if this instance can convert the specified object type; otherwise, false.
Creates a custom object.
The object type to convert.
Writes the JSON representation of the object.
The to write to.
The value.
The calling serializer.
Reads the JSON representation of the object.
The to read from.
Type of the object.
The existing value of object being read.
The calling serializer.
The object value.
Creates an object which will then be populated by the serializer.
Type of the object.
The created object.
Determines whether this instance can convert the specified object type.
Type of the object.
true if this instance can convert the specified object type; otherwise, false.
Gets a value indicating whether this can write JSON.
true if this can write JSON; otherwise, false.
Provides a base class for converting a to and from JSON.
Determines whether this instance can convert the specified object type.
Type of the object.
true if this instance can convert the specified object type; otherwise, false.
Converts a F# discriminated union type to and from JSON.
Writes the JSON representation of the object.
The to write to.
The value.
The calling serializer.
Reads the JSON representation of the object.
The to read from.
Type of the object.
The existing value of object being read.
The calling serializer.
The object value.
Determines whether this instance can convert the specified object type.
Type of the object.
true if this instance can convert the specified object type; otherwise, false.
Converts a to and from the ISO 8601 date format (e.g. "2008-04-12T12:53Z").
Gets or sets the date time styles used when converting a date to and from JSON.
The date time styles used when converting a date to and from JSON.
Gets or sets the date time format used when converting a date to and from JSON.
The date time format used when converting a date to and from JSON.
Gets or sets the culture used when converting a date to and from JSON.
The culture used when converting a date to and from JSON.
Writes the JSON representation of the object.
The to write to.
The value.
The calling serializer.
Reads the JSON representation of the object.
The to read from.
Type of the object.
The existing value of object being read.
The calling serializer.
The object value.
Converts a to and from a JavaScript Date constructor (e.g. new Date(52231943)).
Writes the JSON representation of the object.
The to write to.
The value.
The calling serializer.
Reads the JSON representation of the object.
The to read from.
Type of the object.
The existing property value of the JSON that is being converted.
The calling serializer.
The object value.
Converts a to and from JSON.
Writes the JSON representation of the object.
The to write to.
The value.
The calling serializer.
Reads the JSON representation of the object.
The to read from.
Type of the object.
The existing value of object being read.
The calling serializer.
The object value.
Determines whether this instance can convert the specified object type.
Type of the object.
true if this instance can convert the specified object type; otherwise, false.
Converts a to and from JSON and BSON.
Writes the JSON representation of the object.
The to write to.
The value.
The calling serializer.
Reads the JSON representation of the object.
The to read from.
Type of the object.
The existing value of object being read.
The calling serializer.
The object value.
Determines whether this instance can convert the specified object type.
Type of the object.
true if this instance can convert the specified object type; otherwise, false.
Converts an to and from its name string value.
Gets or sets a value indicating whether the written enum text should be camel case.
The default value is false.
true if the written enum text will be camel case; otherwise, false.
Gets or sets the naming strategy used to resolve how enum text is written.
The naming strategy used to resolve how enum text is written.
Gets or sets a value indicating whether integer values are allowed when serializing and deserializing.
The default value is true.
true if integers are allowed when serializing and deserializing; otherwise, false.
Initializes a new instance of the class.
Initializes a new instance of the class.
true if the written enum text will be camel case; otherwise, false.
Initializes a new instance of the class.
The naming strategy used to resolve how enum text is written.
true if integers are allowed when serializing and deserializing; otherwise, false.
Initializes a new instance of the class.
The of the used to write enum text.
Initializes a new instance of the class.
The of the used to write enum text.
The parameter list to use when constructing the described by .
If null, the default constructor is used.
When non-null, there must be a constructor defined in the that exactly matches the number,
order, and type of these parameters.
Initializes a new instance of the class.
The of the used to write enum text.
The parameter list to use when constructing the described by .
If null, the default constructor is used.
When non-null, there must be a constructor defined in the that exactly matches the number,
order, and type of these parameters.
true if integers are allowed when serializing and deserializing; otherwise, false.
Writes the JSON representation of the object.
The to write to.
The value.
The calling serializer.
Reads the JSON representation of the object.
The to read from.
Type of the object.
The existing value of object being read.
The calling serializer.
The object value.
Determines whether this instance can convert the specified object type.
Type of the object.
true if this instance can convert the specified object type; otherwise, false.
Converts a to and from Unix epoch time
Writes the JSON representation of the object.
The to write to.
The value.
The calling serializer.
Reads the JSON representation of the object.
The to read from.
Type of the object.
The existing property value of the JSON that is being converted.
The calling serializer.
The object value.
Converts a to and from a string (e.g. "1.2.3.4").
Writes the JSON representation of the object.
The to write to.
The value.
The calling serializer.
Reads the JSON representation of the object.
The to read from.
Type of the object.
The existing property value of the JSON that is being converted.
The calling serializer.
The object value.
Determines whether this instance can convert the specified object type.
Type of the object.
true if this instance can convert the specified object type; otherwise, false.
Specifies how dates are formatted when writing JSON text.
Dates are written in the ISO 8601 format, e.g. "2012-03-21T05:40Z".
Dates are written in the Microsoft JSON format, e.g. "\/Date(1198908717056)\/".
Specifies how date formatted strings, e.g. "\/Date(1198908717056)\/" and "2012-03-21T05:40Z", are parsed when reading JSON text.
Date formatted strings are not parsed to a date type and are read as strings.
Date formatted strings, e.g. "\/Date(1198908717056)\/" and "2012-03-21T05:40Z", are parsed to .
Date formatted strings, e.g. "\/Date(1198908717056)\/" and "2012-03-21T05:40Z", are parsed to .
Specifies how to treat the time value when converting between string and .
Treat as local time. If the object represents a Coordinated Universal Time (UTC), it is converted to the local time.
Treat as a UTC. If the object represents a local time, it is converted to a UTC.
Treat as a local time if a is being converted to a string.
If a string is being converted to , convert to a local time if a time zone is specified.
Time zone information should be preserved when converting.
The default JSON name table implementation.
Initializes a new instance of the class.
Gets the string containing the same characters as the specified range of characters in the given array.
The character array containing the name to find.
The zero-based index into the array specifying the first character of the name.
The number of characters in the name.
Adds the specified string into name table.
The string to add.
This method is not thread-safe.
Specifies default value handling options for the .
[JsonContainer(ItemConverterType = typeof(MyContainerConverter), ItemConverterParameters = new object[] { 123, "Four" })]
Gets or sets the of the .
The of the .
The parameter list to use when constructing the described by .
If null, the default constructor is used.
When non-null, there must be a constructor defined in the that exactly matches the number,
order, and type of these parameters.
[JsonContainer(NamingStrategyType = typeof(MyNamingStrategy), NamingStrategyParameters = new object[] { 123, "Four" })]
Gets or sets a value that indicates whether to preserve object references.
true to keep object reference; otherwise, false. The default is false.
Gets or sets a value that indicates whether to preserve collection's items references.
true to keep collection's items object references; otherwise, false. The default is false.
Gets or sets the reference loop handling used when serializing the collection's items.
The reference loop handling.
Gets or sets the type name handling used when serializing the collection's items.
The type name handling.
Initializes a new instance of the class.
Initializes a new instance of the class with the specified container Id.
The container Id.
Provides methods for converting between .NET types and JSON types.
[JsonProperty(ItemConverterType = typeof(MyContainerConverter), ItemConverterParameters = new object[] { 123, "Four" })]
Gets or sets the of the .
The of the .
The parameter list to use when constructing the described by .
If null, the default constructor is used.
When non-null, there must be a constructor defined in the that exactly matches the number,
order, and type of these parameters.
[JsonProperty(NamingStrategyType = typeof(MyNamingStrategy), NamingStrategyParameters = new object[] { 123, "Four" })]
Gets or sets the null value handling used when serializing this property.
The null value handling.
Gets or sets the default value handling used when serializing this property.
The default value handling.
Gets or sets the reference loop handling used when serializing this property.
The reference loop handling.
Gets or sets the object creation handling used when deserializing this property.
The object creation handling.
Gets or sets the type name handling used when serializing this property.
The type name handling.
Gets or sets whether this property's value is serialized as a reference.
Whether this property's value is serialized as a reference.
Gets or sets the order of serialization of a member.
The numeric order of serialization.
Gets or sets a value indicating whether this property is required.
A value indicating whether this property is required.
Gets or sets the name of the property.
The name of the property.
Gets or sets the reference loop handling used when serializing the property's collection items.
The collection's items reference loop handling.
Gets or sets the type name handling used when serializing the property's collection items.
The collection's items type name handling.
Gets or sets whether this property's collection items are serialized as a reference.
Whether this property's collection items are serialized as a reference.
Initializes a new instance of the class.
Initializes a new instance of the class with the specified name.
Name of the property.
Represents a reader that provides fast, non-cached, forward-only access to serialized JSON data.
Asynchronously reads the next JSON token from the source.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous read. The
property returns true if the next token was read successfully; false if there are no more tokens to read.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously skips the children of the current token.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously reads the next JSON token from the source as a of .
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous read. The
property returns the of . This result will be null at the end of an array.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously reads the next JSON token from the source as a [].
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous read. The
property returns the []. This result will be null at the end of an array.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously reads the next JSON token from the source as a of .
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous read. The
property returns the of . This result will be null at the end of an array.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously reads the next JSON token from the source as a of .
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous read. The
property returns the of . This result will be null at the end of an array.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously reads the next JSON token from the source as a of .
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous read. The
property returns the of . This result will be null at the end of an array.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously reads the next JSON token from the source as a of .
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous read. The
property returns the of . This result will be null at the end of an array.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously reads the next JSON token from the source as a of .
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous read. The
property returns the of . This result will be null at the end of an array.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously reads the next JSON token from the source as a .
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous read. The
property returns the . This result will be null at the end of an array.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Specifies the state of the reader.
A read method has not been called.
The end of the file has been reached successfully.
Reader is at a property.
Reader is at the start of an object.
Reader is in an object.
Reader is at the start of an array.
Reader is in an array.
The method has been called.
Reader has just read a value.
Reader is at the start of a constructor.
Reader is in a constructor.
An error occurred that prevents the read operation from continuing.
The end of the file has been reached successfully.
Gets the current reader state.
The current reader state.
Gets or sets a value indicating whether the source should be closed when this reader is closed.
true to close the source when this reader is closed; otherwise false. The default is true.
Gets or sets a value indicating whether multiple pieces of JSON content can
be read from a continuous stream without erroring.
true to support reading multiple pieces of JSON content; otherwise false.
The default is false.
Gets the quotation mark character used to enclose the value of a string.
Gets or sets how time zones are handled when reading JSON.
Gets or sets how date formatted strings, e.g. "\/Date(1198908717056)\/" and "2012-03-21T05:40Z", are parsed when reading JSON.
Gets or sets how floating point numbers, e.g. 1.0 and 9.9, are parsed when reading JSON text.
Gets or sets how custom date formatted strings are parsed when reading JSON.
Gets or sets the maximum depth allowed when reading JSON. Reading past this depth will throw a .
Gets the type of the current JSON token.
Gets the text value of the current JSON token.
Gets the .NET type for the current JSON token.
Gets the depth of the current token in the JSON document.
The depth of the current token in the JSON document.
Gets the path of the current JSON token.
Gets or sets the culture used when reading JSON. Defaults to .
Initializes a new instance of the class.
Reads the next JSON token from the source.
true if the next token was read successfully; false if there are no more tokens to read.
Reads the next JSON token from the source as a of .
A of . This method will return null at the end of an array.
Reads the next JSON token from the source as a .
A . This method will return null at the end of an array.
Reads the next JSON token from the source as a [].
A [] or null if the next JSON token is null. This method will return null at the end of an array.
Reads the next JSON token from the source as a of .
A of . This method will return null at the end of an array.
Reads the next JSON token from the source as a of .
A of . This method will return null at the end of an array.
Reads the next JSON token from the source as a of .
A of . This method will return null at the end of an array.
Reads the next JSON token from the source as a of .
A of . This method will return null at the end of an array.
Reads the next JSON token from the source as a of .
A of . This method will return null at the end of an array.
Skips the children of the current token.
Sets the current token.
The new token.
Sets the current token and value.
The new token.
The value.
Sets the current token and value.
The new token.
The value.
A flag indicating whether the position index inside an array should be updated.
Sets the state based on current token type.
Releases unmanaged and - optionally - managed resources.
true to release both managed and unmanaged resources; false to release only unmanaged resources.
Changes the reader's state to .
If is set to true, the source is also closed.
The exception thrown when an error occurs while reading JSON text.
Gets the line number indicating where the error occurred.
The line number indicating where the error occurred.
Gets the line position indicating where the error occurred.
The line position indicating where the error occurred.
Gets the path to the JSON where the error occurred.
The path to the JSON where the error occurred.
Initializes a new instance of the class.
Initializes a new instance of the class
with a specified error message.
The error message that explains the reason for the exception.
Initializes a new instance of the class
with a specified error message and a reference to the inner exception that is the cause of this exception.
The error message that explains the reason for the exception.
The exception that is the cause of the current exception, or null if no inner exception is specified.
Initializes a new instance of the class
with a specified error message, JSON path, line number, line position, and a reference to the inner exception that is the cause of this exception.
The error message that explains the reason for the exception.
The path to the JSON where the error occurred.
The line number indicating where the error occurred.
The line position indicating where the error occurred.
The exception that is the cause of the current exception, or null if no inner exception is specified.
Instructs the to always serialize the member, and to require that the member has a value.
The exception thrown when an error occurs during JSON serialization or deserialization.
Gets the line number indicating where the error occurred.
The line number indicating where the error occurred.
Gets the line position indicating where the error occurred.
The line position indicating where the error occurred.
Gets the path to the JSON where the error occurred.
The path to the JSON where the error occurred.
Initializes a new instance of the class.
Initializes a new instance of the class
with a specified error message.
The error message that explains the reason for the exception.
Initializes a new instance of the class
with a specified error message and a reference to the inner exception that is the cause of this exception.
The error message that explains the reason for the exception.
The exception that is the cause of the current exception, or null if no inner exception is specified.
Initializes a new instance of the class
with a specified error message, JSON path, line number, line position, and a reference to the inner exception that is the cause of this exception.
The error message that explains the reason for the exception.
The path to the JSON where the error occurred.
The line number indicating where the error occurred.
The line position indicating where the error occurred.
The exception that is the cause of the current exception, or null if no inner exception is specified.
Serializes and deserializes objects into and from the JSON format.
The enables you to control how objects are encoded into JSON.
Occurs when the errors during serialization and deserialization.
Gets or sets the used by the serializer when resolving references.
Gets or sets the used by the serializer when resolving type names.
Gets or sets the used by the serializer when writing trace messages.
The trace writer.
Gets or sets the equality comparer used by the serializer when comparing references.
The equality comparer.
Gets or sets how type name writing and reading is handled by the serializer.
The default value is .
should be used with caution when your application deserializes JSON from an external source.
Incoming types should be validated with a custom
when deserializing with a value other than .
Gets or sets how a type name assembly is written and resolved by the serializer.
The default value is .
The type name assembly format.
Gets or sets how a type name assembly is written and resolved by the serializer.
The default value is .
The type name assembly format.
Gets or sets how object references are preserved by the serializer.
The default value is .
Gets or sets how reference loops (e.g. a class referencing itself) is handled.
The default value is .
Gets or sets how missing members (e.g. JSON contains a property that isn't a member on the object) are handled during deserialization.
The default value is .
Gets or sets how null values are handled during serialization and deserialization.
The default value is .
Gets or sets how default values are handled during serialization and deserialization.
The default value is .
Gets or sets how objects are created during deserialization.
The default value is .
The object creation handling.
Gets or sets how constructors are used during deserialization.
The default value is .
The constructor handling.
Gets or sets how metadata properties are used during deserialization.
The default value is .
The metadata properties handling.
Gets a collection that will be used during serialization.
Collection that will be used during serialization.
Gets or sets the contract resolver used by the serializer when
serializing .NET objects to JSON and vice versa.
Gets or sets the used by the serializer when invoking serialization callback methods.
The context.
Indicates how JSON text output is formatted.
The default value is .
Gets or sets how dates are written to JSON text.
The default value is .
Gets or sets how time zones are handled during serialization and deserialization.
The default value is .
Gets or sets how date formatted strings, e.g. "\/Date(1198908717056)\/" and "2012-03-21T05:40Z", are parsed when reading JSON.
The default value is .
Gets or sets how floating point numbers, e.g. 1.0 and 9.9, are parsed when reading JSON text.
The default value is .
Gets or sets how special floating point numbers, e.g. ,
and ,
are written as JSON text.
The default value is .
Gets or sets how strings are escaped when writing JSON text.
The default value is .
Gets or sets how and values are formatted when writing JSON text,
and the expected date format when reading JSON text.
The default value is "yyyy'-'MM'-'dd'T'HH':'mm':'ss.FFFFFFFK".
Gets or sets the culture used when reading JSON.
The default value is .
Gets or sets the maximum depth allowed when reading JSON. Reading past this depth will throw a .
A null value means there is no maximum.
The default value is null.
Gets a value indicating whether there will be a check for additional JSON content after deserializing an object.
The default value is false.
true if there will be a check for additional JSON content after deserializing an object; otherwise, false.
Initializes a new instance of the class.
Creates a new instance.
The will not use default settings
from .
A new instance.
The will not use default settings
from .
Creates a new instance using the specified .
The will not use default settings
from .
The settings to be applied to the .
A new instance using the specified .
The will not use default settings
from .
Creates a new instance.
The will use default settings
from .
A new instance.
The will use default settings
from .
Creates a new instance using the specified .
The will use default settings
from as well as the specified .
The settings to be applied to the .
A new instance using the specified .
The will use default settings
from as well as the specified .
Populates the JSON values onto the target object.
The that contains the JSON structure to read values from.
The target object to populate values onto.
Populates the JSON values onto the target object.
The that contains the JSON structure to read values from.
The target object to populate values onto.
Deserializes the JSON structure contained by the specified .
The that contains the JSON structure to deserialize.
The being deserialized.
Deserializes the JSON structure contained by the specified
into an instance of the specified type.
The containing the object.
The of object being deserialized.
The instance of being deserialized.
Deserializes the JSON structure contained by the specified
into an instance of the specified type.
The containing the object.
The type of the object to deserialize.
The instance of being deserialized.
Deserializes the JSON structure contained by the specified
into an instance of the specified type.
The containing the object.
The of object being deserialized.
The instance of being deserialized.
Serializes the specified and writes the JSON structure
using the specified .
The used to write the JSON structure.
The to serialize.
Serializes the specified and writes the JSON structure
using the specified .
The used to write the JSON structure.
The to serialize.
The type of the value being serialized.
This parameter is used when is to write out the type name if the type of the value does not match.
Specifying the type is optional.
Serializes the specified and writes the JSON structure
using the specified .
The used to write the JSON structure.
The to serialize.
The type of the value being serialized.
This parameter is used when is Auto to write out the type name if the type of the value does not match.
Specifying the type is optional.
Serializes the specified and writes the JSON structure
using the specified .
The used to write the JSON structure.
The to serialize.
Specifies the settings on a object.
Gets or sets how reference loops (e.g. a class referencing itself) are handled.
The default value is .
Reference loop handling.
Gets or sets how missing members (e.g. JSON contains a property that isn't a member on the object) are handled during deserialization.
The default value is .
Missing member handling.
Gets or sets how objects are created during deserialization.
The default value is .
The object creation handling.
Gets or sets how null values are handled during serialization and deserialization.
The default value is .
Null value handling.
Gets or sets how default values are handled during serialization and deserialization.
The default value is .
The default value handling.
Gets or sets a collection that will be used during serialization.
The converters.
Gets or sets how object references are preserved by the serializer.
The default value is .
The preserve references handling.
Gets or sets how type name writing and reading is handled by the serializer.
The default value is .
should be used with caution when your application deserializes JSON from an external source.
Incoming types should be validated with a custom
when deserializing with a value other than .
The type name handling.
Gets or sets how metadata properties are used during deserialization.
The default value is .
The metadata properties handling.
Gets or sets how a type name assembly is written and resolved by the serializer.
The default value is .
The type name assembly format.
Gets or sets how a type name assembly is written and resolved by the serializer.
The default value is .
The type name assembly format.
Gets or sets how constructors are used during deserialization.
The default value is .
The constructor handling.
Gets or sets the contract resolver used by the serializer when
serializing .NET objects to JSON and vice versa.
The contract resolver.
Gets or sets the equality comparer used by the serializer when comparing references.
The equality comparer.
Gets or sets the used by the serializer when resolving references.
The reference resolver.
Gets or sets a function that creates the used by the serializer when resolving references.
A function that creates the used by the serializer when resolving references.
Gets or sets the used by the serializer when writing trace messages.
The trace writer.
Gets or sets the used by the serializer when resolving type names.
The binder.
Gets or sets the error handler called during serialization and deserialization.
The error handler called during serialization and deserialization.
Gets or sets the used by the serializer when invoking serialization callback methods.
The context.
Gets or sets how and values are formatted when writing JSON text,
and the expected date format when reading JSON text.
The default value is "yyyy'-'MM'-'dd'T'HH':'mm':'ss.FFFFFFFK".
Gets or sets the maximum depth allowed when reading JSON. Reading past this depth will throw a .
A null value means there is no maximum.
The default value is null.
Indicates how JSON text output is formatted.
The default value is .
Gets or sets how dates are written to JSON text.
The default value is .
Gets or sets how time zones are handled during serialization and deserialization.
The default value is .
Gets or sets how date formatted strings, e.g. "\/Date(1198908717056)\/" and "2012-03-21T05:40Z", are parsed when reading JSON.
The default value is .
Gets or sets how special floating point numbers, e.g. ,
and ,
are written as JSON.
The default value is .
Gets or sets how floating point numbers, e.g. 1.0 and 9.9, are parsed when reading JSON text.
The default value is .
Gets or sets how strings are escaped when writing JSON text.
The default value is .
Gets or sets the culture used when reading JSON.
The default value is .
Gets a value indicating whether there will be a check for additional content after deserializing an object.
The default value is false.
true if there will be a check for additional content after deserializing an object; otherwise, false.
Initializes a new instance of the class.
Represents a reader that provides fast, non-cached, forward-only access to JSON text data.
Asynchronously reads the next JSON token from the source.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous read. The
property returns true if the next token was read successfully; false if there are no more tokens to read.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously reads the next JSON token from the source as a of .
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous read. The
property returns the of . This result will be null at the end of an array.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously reads the next JSON token from the source as a [].
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous read. The
property returns the []. This result will be null at the end of an array.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously reads the next JSON token from the source as a of .
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous read. The
property returns the of . This result will be null at the end of an array.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously reads the next JSON token from the source as a of .
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous read. The
property returns the of . This result will be null at the end of an array.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously reads the next JSON token from the source as a of .
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous read. The
property returns the of . This result will be null at the end of an array.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously reads the next JSON token from the source as a of .
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous read. The
property returns the of . This result will be null at the end of an array.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously reads the next JSON token from the source as a of .
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous read. The
property returns the of . This result will be null at the end of an array.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously reads the next JSON token from the source as a .
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous read. The
property returns the . This result will be null at the end of an array.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Initializes a new instance of the class with the specified .
The containing the JSON data to read.
Gets or sets the reader's property name table.
Gets or sets the reader's character buffer pool.
Reads the next JSON token from the underlying .
true if the next token was read successfully; false if there are no more tokens to read.
Reads the next JSON token from the underlying as a of .
A of . This method will return null at the end of an array.
Reads the next JSON token from the underlying as a of .
A of . This method will return null at the end of an array.
Reads the next JSON token from the underlying as a .
A . This method will return null at the end of an array.
Reads the next JSON token from the underlying as a [].
A [] or null if the next JSON token is null. This method will return null at the end of an array.
Reads the next JSON token from the underlying as a of .
A of . This method will return null at the end of an array.
Reads the next JSON token from the underlying as a of .
A of . This method will return null at the end of an array.
Reads the next JSON token from the underlying as a of .
A of . This method will return null at the end of an array.
Reads the next JSON token from the underlying as a of .
A of . This method will return null at the end of an array.
Changes the reader's state to .
If is set to true, the underlying is also closed.
Gets a value indicating whether the class can return line information.
true if and can be provided; otherwise, false.
Gets the current line number.
The current line number or 0 if no line information is available (for example, returns false).
Gets the current line position.
The current line position or 0 if no line information is available (for example, returns false).
Represents a writer that provides a fast, non-cached, forward-only way of generating JSON data.
Asynchronously flushes whatever is in the buffer to the destination and also flushes the destination.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes the JSON value delimiter.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes the specified end token.
The end token to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously closes this writer.
If is set to true, the destination is also closed.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes the end of the current JSON object or array.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes indent characters.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes an indent space.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes raw JSON without changing the writer's state.
The raw JSON to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a null value.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes the property name of a name/value pair of a JSON object.
The name of the property.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes the property name of a name/value pair of a JSON object.
The name of the property.
A flag to indicate whether the text should be escaped when it is written as a JSON property name.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes the beginning of a JSON array.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes the beginning of a JSON object.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes the start of a constructor with the given name.
The name of the constructor.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes an undefined value.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes the given white space.
The string of white space characters.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a [] value.
The [] value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes a comment /*...*/ containing the specified text.
Text to place inside the comment.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes the end of an array.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes the end of a constructor.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes the end of a JSON object.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Asynchronously writes raw JSON where a value is expected and updates the writer's state.
The raw JSON to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
Derived classes must override this method to get asynchronous behaviour. Otherwise it will
execute synchronously, returning an already-completed task.
Gets or sets the writer's character array pool.
Gets or sets how many s to write for each level in the hierarchy when is set to .
Gets or sets which character to use to quote attribute values.
Gets or sets which character to use for indenting when is set to .
Gets or sets a value indicating whether object names will be surrounded with quotes.
Initializes a new instance of the class using the specified .
The to write to.
Flushes whatever is in the buffer to the underlying and also flushes the underlying .
Closes this writer.
If is set to true, the underlying is also closed.
If is set to true, the JSON is auto-completed.
Writes the beginning of a JSON object.
Writes the beginning of a JSON array.
Writes the start of a constructor with the given name.
The name of the constructor.
Writes the specified end token.
The end token to write.
Writes the property name of a name/value pair on a JSON object.
The name of the property.
Writes the property name of a name/value pair on a JSON object.
The name of the property.
A flag to indicate whether the text should be escaped when it is written as a JSON property name.
Writes indent characters.
Writes the JSON value delimiter.
Writes an indent space.
Writes a value.
An error will raised if the value cannot be written as a single JSON token.
The value to write.
Writes a null value.
Writes an undefined value.
Writes raw JSON.
The raw JSON to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a of value.
The of value to write.
Writes a value.
The value to write.
Writes a of value.
The of value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a [] value.
The [] value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a comment /*...*/ containing the specified text.
Text to place inside the comment.
Writes the given white space.
The string of white space characters.
Specifies the type of JSON token.
This is returned by the if a read method has not been called.
An object start token.
An array start token.
A constructor start token.
An object property name.
A comment.
Raw JSON.
An integer.
A float.
A string.
A boolean.
A null token.
An undefined token.
An object end token.
An array end token.
A constructor end token.
A Date.
Byte data.
Represents a reader that provides validation.
JSON Schema validation has been moved to its own package. See https://www.newtonsoft.com/jsonschema for more details.
Sets an event handler for receiving schema validation errors.
Gets the text value of the current JSON token.
Gets the depth of the current token in the JSON document.
The depth of the current token in the JSON document.
Gets the path of the current JSON token.
Gets the quotation mark character used to enclose the value of a string.
Gets the type of the current JSON token.
Gets the .NET type for the current JSON token.
Initializes a new instance of the class that
validates the content returned from the given .
The to read from while validating.
Gets or sets the schema.
The schema.
Gets the used to construct this .
The specified in the constructor.
Changes the reader's state to .
If is set to true, the underlying is also closed.
Reads the next JSON token from the underlying as a of .
A of .
Reads the next JSON token from the underlying as a [].
A [] or null if the next JSON token is null.
Reads the next JSON token from the underlying as a of .
A of .
Reads the next JSON token from the underlying as a of .
A of .
Reads the next JSON token from the underlying as a of .
A of .
Reads the next JSON token from the underlying as a .
A . This method will return null at the end of an array.
Reads the next JSON token from the underlying as a of .
A of . This method will return null at the end of an array.
Reads the next JSON token from the underlying as a of .
A of .
Reads the next JSON token from the underlying .
true if the next token was read successfully; false if there are no more tokens to read.
Represents a writer that provides a fast, non-cached, forward-only way of generating JSON data.
Asynchronously closes this writer.
If is set to true, the destination is also closed.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously flushes whatever is in the buffer to the destination and also flushes the destination.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes the specified end token.
The end token to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes indent characters.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes the JSON value delimiter.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes an indent space.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes raw JSON without changing the writer's state.
The raw JSON to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes the end of the current JSON object or array.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes the end of an array.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes the end of a constructor.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes the end of a JSON object.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a null value.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes the property name of a name/value pair of a JSON object.
The name of the property.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes the property name of a name/value pair of a JSON object.
The name of the property.
A flag to indicate whether the text should be escaped when it is written as a JSON property name.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes the beginning of a JSON array.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a comment /*...*/ containing the specified text.
Text to place inside the comment.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes raw JSON where a value is expected and updates the writer's state.
The raw JSON to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes the start of a constructor with the given name.
The name of the constructor.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes the beginning of a JSON object.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes the current token.
The to read the token from.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes the current token.
The to read the token from.
A flag indicating whether the current token's children should be written.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes the token and its value.
The to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes the token and its value.
The to write.
The value to write.
A value is only required for tokens that have an associated value, e.g. the property name for .
null can be passed to the method for tokens that don't have a value, e.g. .
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a [] value.
The [] value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a value.
The value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes a of value.
The of value to write.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes an undefined value.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously writes the given white space.
The string of white space characters.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Asynchronously ets the state of the .
The being written.
The value being written.
The token to monitor for cancellation requests. The default value is .
A that represents the asynchronous operation.
The default behaviour is to execute synchronously, returning an already-completed task. Derived
classes can override this behaviour for true asynchronicity.
Gets or sets a value indicating whether the destination should be closed when this writer is closed.
true to close the destination when this writer is closed; otherwise false. The default is true.
Gets or sets a value indicating whether the JSON should be auto-completed when this writer is closed.
true to auto-complete the JSON when this writer is closed; otherwise false. The default is true.
Gets the top.
The top.
Gets the state of the writer.
Gets the path of the writer.
Gets or sets a value indicating how JSON text output should be formatted.
Gets or sets how dates are written to JSON text.
Gets or sets how time zones are handled when writing JSON text.
Gets or sets how strings are escaped when writing JSON text.
Gets or sets how special floating point numbers, e.g. ,
and ,
are written to JSON text.
Gets or sets how and values are formatted when writing JSON text.
Gets or sets the culture used when writing JSON. Defaults to .
Initializes a new instance of the class.
Flushes whatever is in the buffer to the destination and also flushes the destination.
Closes this writer.
If is set to true, the destination is also closed.
If is set to true, the JSON is auto-completed.
Writes the beginning of a JSON object.
Writes the end of a JSON object.
Writes the beginning of a JSON array.
Writes the end of an array.
Writes the start of a constructor with the given name.
The name of the constructor.
Writes the end constructor.
Writes the property name of a name/value pair of a JSON object.
The name of the property.
Writes the property name of a name/value pair of a JSON object.
The name of the property.
A flag to indicate whether the text should be escaped when it is written as a JSON property name.
Writes the end of the current JSON object or array.
Writes the current token and its children.
The to read the token from.
Writes the current token.
The to read the token from.
A flag indicating whether the current token's children should be written.
Writes the token and its value.
The to write.
The value to write.
A value is only required for tokens that have an associated value, e.g. the property name for .
null can be passed to the method for tokens that don't have a value, e.g. .
Writes the token.
The to write.
Writes the specified end token.
The end token to write.
Writes indent characters.
Writes the JSON value delimiter.
Writes an indent space.
Writes a null value.
Writes an undefined value.
Writes raw JSON without changing the writer's state.
The raw JSON to write.
Writes raw JSON where a value is expected and updates the writer's state.
The raw JSON to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a value.
The value to write.
Writes a of value.
The of value to write.
Writes a of value.
The of value to write.
Writes a of value.
The of value to write.
Writes a of value.
The of value to write.
Writes a of value.
The of value to write.
Writes a of value.
The of value to write.
Writes a of value.
The of value to write.
Writes a of value.
The of value to write.
Writes a of value.
The of value to write.
Writes a of value.
The of value to write.
Writes a of value.
The of value to write.
Writes a of value.
The of value to write.
Writes a of value.
The of value to write.
Writes a of value.
The of value to write.
Writes a of value.
The of value to write.
Writes a of value.
The of value to write.
Writes a of value.
The of value to write.
Writes a [] value.
The [] value to write.
Writes a value.
The value to write.
Writes a value.
An error will raised if the value cannot be written as a single JSON token.
The value to write.
Writes a comment /*...*/ containing the specified text.
Text to place inside the comment.
Writes the given white space.
The string of white space characters.
Releases unmanaged and - optionally - managed resources.
true to release both managed and unmanaged resources; false to release only unmanaged resources.
Sets the state of the .
The being written.
The value being written.
The exception thrown when an error occurs while writing JSON text.
Gets the path to the JSON where the error occurred.
The path to the JSON where the error occurred.
Initializes a new instance of the class.
Initializes a new instance of the class
with a specified error message.
The error message that explains the reason for the exception.
Initializes a new instance of the class
with a specified error message and a reference to the inner exception that is the cause of this exception.
The error message that explains the reason for the exception.
The exception that is the cause of the current exception, or null if no inner exception is specified.
Initializes a new instance of the class
with a specified error message, JSON path and a reference to the inner exception that is the cause of this exception.
The error message that explains the reason for the exception.
The path to the JSON where the error occurred.
The exception that is the cause of the current exception, or null if no inner exception is specified.
Specifies how JSON comments are handled when loading JSON.
Ignore comments.
Load comments as a with type .
Contains the LINQ to JSON extension methods.
Returns a collection of tokens that contains the ancestors of every token in the source collection.
The type of the objects in source, constrained to .
An of that contains the source collection.
An of that contains the ancestors of every token in the source collection.
Returns a collection of tokens that contains every token in the source collection, and the ancestors of every token in the source collection.
The type of the objects in source, constrained to .
An of that contains the source collection.
An of that contains every token in the source collection, the ancestors of every token in the source collection.
Returns a collection of tokens that contains the descendants of every token in the source collection.
The type of the objects in source, constrained to .
An of that contains the source collection.
An of that contains the descendants of every token in the source collection.
Returns a collection of tokens that contains every token in the source collection, and the descendants of every token in the source collection.
The type of the objects in source, constrained to .
An of that contains the source collection.
An of that contains every token in the source collection, and the descendants of every token in the source collection.
Returns a collection of child properties of every object in the source collection.
An of that contains the source collection.
An of that contains the properties of every object in the source collection.
Returns a collection of child values of every object in the source collection with the given key.
An of that contains the source collection.
The token key.
An of that contains the values of every token in the source collection with the given key.
Returns a collection of child values of every object in the source collection.
An of that contains the source collection.
An of that contains the values of every token in the source collection.
Returns a collection of converted child values of every object in the source collection with the given key.
The type to convert the values to.
An of that contains the source collection.
The token key.
An that contains the converted values of every token in the source collection with the given key.
Returns a collection of converted child values of every object in the source collection.
The type to convert the values to.
An of that contains the source collection.
An that contains the converted values of every token in the source collection.
Converts the value.
The type to convert the value to.
A cast as a of .
A converted value.
Converts the value.
The source collection type.
The type to convert the value to.
A cast as a of .
A converted value.
Returns a collection of child tokens of every array in the source collection.
The source collection type.
An of that contains the source collection.
An of that contains the values of every token in the source collection.
Returns a collection of converted child tokens of every array in the source collection.
An of that contains the source collection.
The type to convert the values to.
The source collection type.
An that contains the converted values of every token in the source collection.
Returns the input typed as .
An of that contains the source collection.
The input typed as .
Returns the input typed as .
The source collection type.
An of that contains the source collection.
The input typed as .
Represents a collection of objects.
The type of token.
Gets the of with the specified key.
Represents a JSON array.