Bug fixes
- Preserve
ManagedIdentitywhen convertingAcquireTokenOptionstoTokenAcquisitionOptionsinTokenAcquirer. Previously theITokenAcquirer.GetTokenForAppAsync/GetTokenForUserAsyncpaths silently droppedManagedIdentityand fell back to the confidential-client path, breaking managed-identity mTLS PoP (e.g. MISE Native). See #3914.
Behavior changes
- Sidecar: outbound HTTP redirects suppressed by default. The sidecar no longer follows outbound HTTP redirects; a new opt-in
Sidecar:AllowOutboundRedirectsflag (defaultfalse) restores the previous behavior. See #3906. - Sidecar: per-request isolation of downstream API options. Downstream API options resolved from the singleton
IOptionsMonitorare now cloned per request (including freshExtraParameters/ExtraHeaderParameters/ExtraQueryParametersdictionaries), preventing request-scoped values from leaking across requests or racing under concurrency. See #3919.