AzureAD · soodt · Jun 3, 2026 · Jun 8, 2026 · Jun 8, 2026 · Jun 8, 2026
@@ -60,7 +60,7 @@ jobs:
 
 
     - name: Test with .NET 10.0.x
-      run: dotnet test --no-restore --no-build Microsoft.Identity.Web.sln -f net10.0 -v m -p:FROM_GITHUB_ACTION=true --configuration Release --collect "Xplat Code Coverage" --filter "(FullyQualifiedName!~Microsoft.Identity.Web.Test.Integration)&(FullyQualifiedName!~WebAppUiTests)&(FullyQualifiedName!~IntegrationTests)&(FullyQualifiedName!~TokenAcquirerTests)"
+      run: dotnet test --no-restore --no-build Microsoft.Identity.Web.sln -f net10.0 -v m -p:FROM_GITHUB_ACTION=true --configuration Release --collect "Xplat Code Coverage" --filter "(FullyQualifiedName!~Microsoft.Identity.Web.Test.Integration)&(FullyQualifiedName!~WebAppUiTests)&(FullyQualifiedName!~IntegrationTests)&(FullyQualifiedName!~TokenAcquirerTests)&(FullyQualifiedName!~SidecarEndpointsE2ETests)"
 
     - name: Create code coverage report
       run: |

@@ -1,10 +1,10 @@
 <Project>
   <Import Project="$([MSBuild]::GetPathOfFileAbove('Directory.Build.props', '$(MSBuildThisFileDirectory)../'))" />
   <PropertyGroup>
-    <TargetFrameworks>net9.0</TargetFrameworks>
+    <TargetFrameworks>net10.0</TargetFrameworks>
   </PropertyGroup>
   <PropertyGroup>
-    <SidecarAspDependencyVersion>9.0.9</SidecarAspDependencyVersion>
+    <SidecarAspDependencyVersion>10.0.0</SidecarAspDependencyVersion>
     <MicrosoftAspNetCoreOpenApiVersion>$(SidecarAspDependencyVersion)</MicrosoftAspNetCoreOpenApiVersion>
     <MicrosoftExtensionsApiDescriptionServerVersion>$(SidecarAspDependencyVersion)</MicrosoftExtensionsApiDescriptionServerVersion>
     <MicrosoftVisualStudioAzureContainersToolsTargetsVersion>1.22.1</MicrosoftVisualStudioAzureContainersToolsTargetsVersion>

@@ -1,7 +1,7 @@
 # This docker file is used for building the container image from a published set of files.
 # This is used when for workflows where the files need to be signed in CI/CD.
 
-FROM mcr.microsoft.com/dotnet/aspnet:9.0-nanoserver-ltsc2022 AS base
+FROM mcr.microsoft.com/dotnet/aspnet:10.0-nanoserver-ltsc2022 AS base
 WORKDIR /app
 
 COPY app/publish .

@@ -3,12 +3,12 @@
 # See https://aka.ms/customizecontainer to learn how to customize your debug container and how Visual Studio uses this Dockerfile to build your images for faster debugging.
 
 # This stage is used when running from VS in fast mode (Default for Debug configuration)
-FROM mcr.microsoft.com/dotnet/aspnet:9.0 AS base
+FROM mcr.microsoft.com/dotnet/aspnet:10.0 AS base
 USER $APP_UID
 WORKDIR /app
 
 # This stage is used to build the service project
-FROM mcr.microsoft.com/dotnet/sdk:9.0 AS build
+FROM mcr.microsoft.com/dotnet/sdk:10.0 AS build
 ARG BUILD_CONFIGURATION=Release
 WORKDIR /src
 COPY ["Microsoft.Identity.Web.Sidecar.csproj", "."]

@@ -1,7 +1,7 @@
 # This docker file is used for building the container image from a published set of files.
 # This is used when for workflows where the files need to be signed in CI/CD.
 
-FROM mcr.microsoft.com/dotnet/aspnet:9.0-azurelinux3.0-distroless AS base
+FROM mcr.microsoft.com/dotnet/aspnet:10.0-azurelinux3.0-distroless AS base
 WORKDIR /app
 
 COPY app/publish .

@@ -1,28 +1,30 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-using Microsoft.OpenApi.Models;
+using Microsoft.OpenApi;
 
 namespace Microsoft.Identity.Web.Sidecar;
 
 internal static class OpenApiDescriptions
 {
     internal static void AddOptionsOverrideParameters(OpenApiOperation op)
     {
+        op.Parameters ??= [];
+
         // Scopes (repeatable)
         op.Parameters.Add(new OpenApiParameter
         {
             Name = "optionsOverride.Scopes",
             In = ParameterLocation.Query,
             Description = "Repeatable. Each occurrence adds one scope. Example: optionsOverride.Scopes=User.Read",
             Required = false,
-            Schema = new OpenApiSchema { Type = "string" },
+            Schema = new OpenApiSchema { Type = JsonSchemaType.String },
             Explode = true,
             Style = ParameterStyle.Form
         });
 
         // Core boolean / simple toggles
-        AddSimple(op, "optionsOverride.RequestAppToken", "boolean", "true = acquire an app (client credentials) token instead of user token.");
+        AddSimple(op, "optionsOverride.RequestAppToken", JsonSchemaType.Boolean, "true = acquire an app (client credentials) token instead of user token.");
 
         // Base request shaping
         op.Parameters.Add(new OpenApiParameter
@@ -32,28 +34,29 @@ internal static void AddOptionsOverrideParameters(OpenApiOperation op)
             Description = "Ignored. The downstream BaseUrl is fixed by host configuration and cannot be overridden via optionsOverride.",
             Required = false,
             Deprecated = true,
-            Schema = new OpenApiSchema { Type = "string" }
+            Schema = new OpenApiSchema { Type = JsonSchemaType.String }
         });
-        AddSimple(op, "optionsOverride.RelativePath", "string", "Override relative path appended to BaseUrl.");
-        AddSimple(op, "optionsOverride.HttpMethod", "string", "Override HTTP method (GET, POST, PATCH, etc.).");
-        AddSimple(op, "optionsOverride.AcceptHeader", "string", "Sets Accept header (e.g. application/json).");
-        AddSimple(op, "optionsOverride.ContentType", "string", "Sets Content-Type used for serialized body (if body provided).");
+        AddSimple(op, "optionsOverride.RelativePath", JsonSchemaType.String, "Override relative path appended to BaseUrl.");
+        AddSimple(op, "optionsOverride.HttpMethod", JsonSchemaType.String, "Override HTTP method (GET, POST, PATCH, etc.).");
+        AddSimple(op, "optionsOverride.AcceptHeader", JsonSchemaType.String, "Sets Accept header (e.g. application/json).");
+        AddSimple(op, "optionsOverride.ContentType", JsonSchemaType.String, "Sets Content-Type used for serialized body (if body provided).");
 
         // AcquireTokenOptions.* (token acquisition tuning)
-        AddAcquireTokenOption(op, "Tenant", "Override tenant (GUID or 'common').");
-        AddAcquireTokenOption(op, "ForceRefresh", "boolean", "true = bypass token cache.");
-        AddAcquireTokenOption(op, "Claims", "JSON claims challenge or extra claims.");
-        AddAcquireTokenOption(op, "CorrelationId", "GUID correlation id for token acquisition.");
-        AddAcquireTokenOption(op, "LongRunningWebApiSessionKey", "Session key for long running OBO flows.");
-        AddAcquireTokenOption(op, "FmiPath", "Federated Managed Identity path (if using FMI).");
-        AddAcquireTokenOption(op, "PopPublicKey", "Public key or JWK for PoP / AT-POP requests.");
+        AddAcquireTokenOption(op, "Tenant", JsonSchemaType.String, "Override tenant (GUID or 'common').");
+        AddAcquireTokenOption(op, "ForceRefresh", JsonSchemaType.Boolean, "true = bypass token cache.");
+        AddAcquireTokenOption(op, "Claims", JsonSchemaType.String, "JSON claims challenge or extra claims.");
+        AddAcquireTokenOption(op, "CorrelationId", JsonSchemaType.String, "GUID correlation id for token acquisition.");
+        AddAcquireTokenOption(op, "LongRunningWebApiSessionKey", JsonSchemaType.String, "Session key for long running OBO flows.");
+        AddAcquireTokenOption(op, "FmiPath", JsonSchemaType.String, "Federated Managed Identity path (if using FMI).");
+        AddAcquireTokenOption(op, "PopPublicKey", JsonSchemaType.String, "Public key or JWK for PoP / AT-POP requests.");
 
         // Managed Identity (if enabled)
-        AddAcquireTokenOption(op, "ManagedIdentity.UserAssignedClientId", "Managed Identity client id (user-assigned).");
+        AddAcquireTokenOption(op, "ManagedIdentity.UserAssignedClientId", JsonSchemaType.String, "Managed Identity client id (user-assigned).");
     }
 
-    private static void AddSimple(OpenApiOperation op, string name, string type, string desc)
+    private static void AddSimple(OpenApiOperation op, string name, JsonSchemaType type, string desc)
     {
+        op.Parameters ??= [];
         op.Parameters.Add(new OpenApiParameter
         {
             Name = name,
@@ -64,13 +67,14 @@ private static void AddSimple(OpenApiOperation op, string name, string type, str
         });
     }
 
-    private static void AddAcquireTokenOption(OpenApiOperation op, string name, string description, string type = "string")
+    private static void AddAcquireTokenOption(OpenApiOperation op, string name, JsonSchemaType type, string desc)
     {
+        op.Parameters ??= [];
         op.Parameters.Add(new OpenApiParameter
         {
             Name = $"optionsOverride.AcquireTokenOptions.{name}",
             In = ParameterLocation.Query,
-            Description = description,
+            Description = desc,
             Required = false,
             Schema = new OpenApiSchema { Type = type }
         });

@@ -2,7 +2,7 @@
 // Licensed under the MIT License.
 
 using Microsoft.AspNetCore.OpenApi;
-using Microsoft.OpenApi.Models;
+using Microsoft.OpenApi;
 
 namespace Microsoft.Identity.Web.Sidecar
 {

@@ -14,9 +14,13 @@ public class Program
 {
 
     // Adding these the time to merge Andy's PR. Then will do the work to remove reflexion usage
+#pragma warning disable IL2123 // RequiresUnreferencedCodeAttribute cannot be placed on entry point
+#pragma warning disable IL3057 // RequiresDynamicCodeAttribute cannot be placed on entry point
     [RequiresUnreferencedCode("EnableTokenAcquisitionToCallDownstreamApis uses reflection")]
     [RequiresDynamicCode("EnableTokenAcquisitionToCallDownstreamApis uses reflection")]
     public static void Main(string[] args)
+#pragma warning restore IL3057
+#pragma warning restore IL2123
     {
         var builder = WebApplication.CreateSlimBuilder(args);
 

@@ -1,6 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
-    <TargetFrameworks>net9.0</TargetFrameworks>
+    <TargetFrameworks>net10.0</TargetFrameworks>
     <IsPackable>false</IsPackable>
     <RootNamespace>Sidecar.Tests</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>
@@ -13,7 +13,7 @@
     <DefineConstants>$(DefineConstants);FROM_GITHUB_ACTION</DefineConstants>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="9.0.0" />
+    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.0" />
     <PackageReference Include="coverlet.collector" Version="$(CoverletCollectorVersion)" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNETTestSdkVersion)" />
     <PackageReference Include="Moq" Version="$(MoqVersion)" />