Is it possible to set a discovery URI for token acquisition in Microsoft.Identity.Web?


I have a .NET5 app that is utilizing Microsoft.Identity.Web for a secure API. When attempting to retrieve the access token:

var accessToken = await _tokenAcquisition.GetAccessTokenForAppAsync(scopesToAccessDownstreamApi);

The first thing that happens is it makes a request to the discovery endpoint:

https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=.......%2Fauthorize

I have a static authority specified in my config which I thought it should be using instead. For my Blazor app it works just fine. MS.Identity.Web first gets my key information at my authority:

https://myCustomAuthority/myTenantId/oauth2/v2.0/.well-known/openid-configuration

With the tokenAcquisition however, it always calls login.microsoft.com, fails, and then finally redirects to my endpoint.

Digging through both the MS.Identity.Web and MS.Identity.Client code, they definitely had this in mind:

/// Allows developers to configure their own valid authorities. A json string similar to https://aka.ms/aad-instance-discovery should be provided.

See here: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/ac7541c1aa1c7bdbb20df5c7e72628161f826f44/src/client/Microsoft.Identity.Client/AppConfig/AbstractApplicationBuilder.cs#L51

public InstanceDiscoveryResponse CustomInstanceDiscoveryMetadata { get; set; }
public Uri CustomInstanceDiscoveryMetadataUri { get; set; }

And here: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/ac7541c1aa1c7bdbb20df5c7e72628161f826f44/src/client/Microsoft.Identity.Client/AppConfig/ApplicationConfiguration.cs#L95

But I'm unable to find it on the API side. And when I look at TokenAcquisition, it's calling ConfidentialClientApplicationBuilder.CreateWithApplicationOptions:

var builder = ConfidentialClientApplicationBuilder
    .CreateWithApplicationOptions(_applicationOptions)
    .WithHttpClientFactory(_httpClientFactory);

https://github.com/AzureAD/microsoft-identity-web/blob/b106d9a9250522d0bf9ed0e78e0e3dbd376d8170/src/Microsoft.Identity.Web/TokenAcquisition.cs#L583

Which then creates a new ConfidentialClientApplicationBuilder with an empty ApplicationConfiguration object, so the CustomInstanceDiscovery is always null:

var config = new ApplicationConfiguration();
var builder = new ConfidentialClientApplicationBuilder(config).WithOptions(options);

https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/ac7541c1aa1c7bdbb20df5c7e72628161f826f44/src/client/Microsoft.Identity.Client/AppConfig/ConfidentialClientApplicationBuilder.cs#L42

All the hooks seem to be there so I feel like I'm missing some configuration but it also could be a feature / bug request.

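For reference, this is what the MSAL.NET hook referred to in the question looks like when used directly on ConfidentialClientApplicationBuilder, bypassing Microsoft.Identity.Web's TokenAcquisition. This is an added example, not code from either project; the host name, tenant id, client id, secret and the discovery JSON are constructed placeholders, and it assumes the MSAL.NET builder methods WithInstanceDiscoveryMetadata(string) and AcquireTokenForClient.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example: configure MSAL.NET with custom instance discovery metadata so the
// confidential client never calls login.microsoftonline.com/common/discovery/instance
// before acquiring an app token. All values below are constructed placeholders.
public static class CustomAuthorityTokenAcquisition
{
    // Same shape as the document served at https://aka.ms/aad-instance-discovery (api-version 1.1).
    // "aliases" lists every host MSAL will treat as this authority; keep it to hosts you operate,
    // because tokens cached under one alias are reused for all the others.
    private const string InstanceDiscoveryJson = @"{
      ""tenant_discovery_endpoint"": ""https://myCustomAuthority/myTenantId/oauth2/v2.0/.well-known/openid-configuration"",
      ""api-version"": ""1.1"",
      ""metadata"": [
        {
          ""preferred_network"": ""myCustomAuthority"",
          ""preferred_cache"": ""myCustomAuthority"",
          ""aliases"": [ ""myCustomAuthority"" ]
        }
      ]
    }";

    public static IConfidentialClientApplication BuildApp(string clientId, string clientSecret)
    {
        return ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithClientSecret(clientSecret)
            // The authority host must be one of the aliases above, otherwise MSAL rejects it.
            .WithAuthority(new Uri("https://myCustomAuthority/myTenantId"))
            // Populates ApplicationConfiguration.CustomInstanceDiscoveryMetadata from the question;
            // the Uri overload populates CustomInstanceDiscoveryMetadataUri instead.
            .WithInstanceDiscoveryMetadata(InstanceDiscoveryJson)
            .Build();
    }

    public static async Task<string> GetAppTokenAsync(IConfidentialClientApplication app, string[] scopes)
    {
        // Client-credentials flow, the same flow GetAccessTokenForAppAsync performs internally.
        AuthenticationResult result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
        return result.AccessToken;
    }
}
```

With the metadata supplied up front, the only network calls made during token acquisition go to the configured authority host, which also makes the egress easy to allow-list and monitor.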

This was an actual defect that the Microsoft.Identity.Web team has fixed. I asked the team the same question: https://github.com/AzureAD/microsoft-identity-web/discussions/1202

And they created an issue: https://github.com/AzureAD/microsoft-identity-web/issues/1212

So this was fixed with build 1.13.