[Feature Request] Overloaded GetForUserAsync that takes a JsonTypeInfo<T> as a parameter to enable source generated Json deserialization (For NativeAOT compliance)

[dualtagh]

Is your feature request related to a problem? Please describe.
microsoft-identity-web emits NativeAOT trim warnings when GetForUserAsync is called from a NativeAOT compiled library. This is caused by using generics for JSON serialization/deserialization in DownstreamApi.cs.

ILC : Trim analysis error IL2026: Microsoft.Identity.Web.DownstreamApi.<DeserializeOutput>d__17`1.MoveNext(): Using member 'System.Text.Json.JsonSerializer.Deserialize<TOutput>(String,JsonSerializerOptions)' which has 'RequiresUnreferencedCodeAttribute' can break functionality when trimming application code. JSON serialization and deserialization might require types that cannot be statically analyzed. Use the overload that takes a JsonTypeInfo or JsonSerializerContext, or make sure all of the required types are preserved.

Describe the solution you'd like
Public interfaces (particularly GetForUserAsync) should accept a JsonTypeInfo so that source generation can be used for Json serialization in a NativeAOT context.
Existing interfaces should be marked with the [RequiresUnreferencedCode] attribute. New interfaces that accept JsonTypeInfo should be made available only for net8+.

Example change for IDownstreamApi:

 [RequiresUnreferencedCode]
public Task<TOutput?> GetForUserAsync<TOutput>(
    string? serviceName,
    Action<DownstreamApiOptionsReadOnlyHttpMethod>? downstreamApiOptionsOverride = null,
    ClaimsPrincipal? user = null,
    CancellationToken cancellationToken = default) where TOutput : class;

public Task<TOutput?> GetForUserAsync<TOutput>(
    string? serviceName,
    JsonTypeInfo<TOutput> responseJsonTypeInfo,
    Action<DownstreamApiOptionsReadOnlyHttpMethod>? downstreamApiOptionsOverride = null,
    ClaimsPrincipal? user = null,
    CancellationToken cancellationToken = default) where TOutput : class;

Describe alternatives you've considered
Open to suggestions

Additional context
There is a short term need for GetForUserAsync to be NativeAOT compliant - but there are other interfaces with AOT warnings that could require similar changes. Will follow up with more details on this

[keegan-caruso]

This sounds right. Only question I have is how many of the other interfaces should we patch in the same release.

[dualtagh]

@keegan-caruso
These are the other interfaces that have AOT warnings for Json serialization. I could use some help understanding if these should be patched too?
The fix would be the same as above - providing an overload with JsonTypeInfo.

DownstreamApi.cs
CallApiForAppAsync<TInput, TOutput>
CallApiForUserAsync
CallApiForAppAsync<TInput, TOutput>

DownstreamApi.HttpMethods.cs
GetForUserAsync
GetForUserAsync<TInput, TOutput>
GetForAppAsync
GetForAppAsync<TInput, TOutput>
PostForUserAsync<TInput, TOutput>
PostForAppAsync<TInput, TOutput>
PutForUserAsync<TInput, TOutput>
PutForAppAsync<TInput, TOutput>
PatchForUserAsync<TInput, TOutput>
PatchForAppAsync<TInput, TOutput>
DeleteForUserAsync<TInput, TOutput>
DeleteForAppAsync<TInput, TOutput>

DownstreamWebApiGenericExtensions.cs
GetForUserAsync

Microsoft.Identity.Web.TokenAcquisition\TokenAcquisition.cs
AddAccountToCacheFromAuthorizationCodeAsync

Microsoft.Identity.Web\WebAppExtensions\MicrosoftIdentityWebAppAuthenticationBuilder.cs
WebAppCallsWebApiImplementation

[jmprieur]

the ones in DownstreamApi.cs and DownstreamApi.HttpMethods.cs should be
if we can patch for DownstreamWebApiGenericExtensions.cs this would be great.

I would not do it for the last two:

• AddAccountToCacheFromAuthorizationCodeAsync is not used in web APIs (it's for web apps).
• same for the last one it's for web apps. Do we use it in Mise native?

[bgavrilMS]

Just curious how this was fixed? I see a draft PR still open for this topic.

[dualtagh]

This is still open - the prerequisite PR in abstractions has been merged and release but this PR implements the changes in microsoft-identity-web #2959