I have a .NET5 app that is utilizing Microsoft.Identity.Web for a secure API. When attempting to retrieve the access token:
var accessToken = await _tokenAcquisition.GetAccessTokenForAppAsync(scopesToAccessDownstreamApi);
The first thing that happens is it makes a request to the discovery endpoint:
https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=.......%2Fauthorize
I have a static authority specified in my config which I thought it should be using instead. For my Blazor app it works just fine. MS.Identity.Web first gets my key information at my authority:
https://myCustomAuthority/myTenantId/oauth2/v2.0/.well-known/openid-configuration
With the tokenAcquisition, however, it always calls login.microsoft.com, fails, and then finally redirects to my endpoint.
Digging through both the MS.Identity.Web and MS.Identity.Client code they definitely had this in mind.
/// Allows developers to configure their own valid authorities. A json string similar to https://aka.ms/aad-instance-discovery should be provided.
public InstanceDiscoveryResponse CustomInstanceDiscoveryMetadata { get; set; }
public Uri CustomInstanceDiscoveryMetadataUri { get; set; }
But I'm unable to find it on the API side. And when I look at TokenAcquisition it's calling ConfidentialClientApplicationBuilder.CreateWithApplicationOptions:
var builder = ConfidentialClientApplicationBuilder
.CreateWithApplicationOptions(_applicationOptions)
.WithHttpClientFactory(_httpClientFactory);
Which then creates a new ConfidentialClientApplicationBuilder with an empty ApplicationConfiguration object, so the CustomInstanceDiscovery is always null:
var config = new ApplicationConfiguration();
var builder = new ConfidentialClientApplicationBuilder(config).WithOptions(options);
All the hooks seem to be there so I feel like I'm missing some configuration but it also could be a feature / bug request.
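For reference, this is the MSAL.NET side of the mechanism the question refers to, as an added example that is not from the question, from Microsoft.Identity.Web, or from MSAL itself: a confidential client built directly with Microsoft.Identity.Client (bypassing ITokenAcquisition) and handed custom instance discovery metadata through WithInstanceDiscoveryMetadata, so the library treats the custom authority as known and does not first call login.microsoftonline.com/common/discovery/instance. The authority host myCustomAuthority and tenant id myTenantId are taken from the question; the client id, client secret and the exact JSON values are assumed placeholders, and the metadata shape follows the format described at https://aka.ms/aad-instance-discovery.

```csharp
// Added example: configure MSAL.NET with custom instance discovery metadata for a
// custom (non-public-cloud) authority. Not Microsoft.Identity.Web's own code.
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class CustomAuthorityTokenClient
{
    // Authority host and tenant id as written in the question; replace with your own.
    private const string AuthorityHost = "myCustomAuthority";
    private const string TenantId = "myTenantId";

    // Placeholder client id (assumed value).
    private const string ClientId = "<client-id>";

    // Instance discovery document in the shape described at https://aka.ms/aad-instance-discovery.
    // The single "metadata" entry names our authority host as its own preferred network,
    // preferred cache and alias, so MSAL considers it a known authority and skips the
    // network discovery request to login.microsoftonline.com. The tenant_discovery_endpoint
    // value mirrors the openid-configuration URL quoted in the question (assumed to be correct
    // for the custom authority).
    private static readonly string InstanceDiscoveryJson = $@"{{
  ""tenant_discovery_endpoint"": ""https://{AuthorityHost}/{TenantId}/oauth2/v2.0/.well-known/openid-configuration"",
  ""api-version"": ""1.1"",
  ""metadata"": [
    {{
      ""preferred_network"": ""{AuthorityHost}"",
      ""preferred_cache"": ""{AuthorityHost}"",
      ""aliases"": [ ""{AuthorityHost}"" ]
    }}
  ]
}}";

    // Builds the confidential client. The secret is passed in rather than embedded so it
    // can come from a secret store or configuration provider.
    public static IConfidentialClientApplication Build(string clientSecret)
    {
        return ConfidentialClientApplicationBuilder
            .Create(ClientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(new Uri($"https://{AuthorityHost}/{TenantId}/"))
            // Supplies the discovery metadata up front instead of letting MSAL fetch it.
            .WithInstanceDiscoveryMetadata(InstanceDiscoveryJson)
            .Build();
    }

    // Client-credentials flow, equivalent in purpose to GetAccessTokenForAppAsync in the question.
    public static async Task<string> AcquireAppTokenAsync(IConfidentialClientApplication app, string[] scopes)
    {
        AuthenticationResult result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
        return result.AccessToken;
    }
}
```

To confirm the setting took effect, watch outbound HTTP from the API (for example with the HttpClient logging you already wire in through WithHttpClientFactory, or a proxy): the first request should go to the openid-configuration URL on the custom authority, and no request to login.microsoftonline.com/common/discovery/instance should appear. Keeping token traffic off endpoints you did not intend to call is also worth an egress rule where the API runs in a restricted network.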
This was an actual defect that the Microsoft.Identity.Web team has fixed. I asked the same question to the team: https://github.com/AzureAD/microsoft-identity-web/discussions/1202
And they created an issue: https://github.com/AzureAD/microsoft-identity-web/issues/1212
So this was fixed with build 1.13.