Fix GetTokenAcquirer to propagate MicrosoftEntraApplicationOptions properties (#3651)

Copilot · pmaytak · web-flow · commit 4cbb58a95835 · 2025-12-12T21:15:03.000-08:00
* Initial plan

* Fix GetTokenAcquirer to propagate MicrosoftEntraApplicationOptions properties

Co-authored-by: pmaytak &lt;34331512+pmaytak@users.noreply.github.com&gt;

* Rename variables to camelCase and copy Authority property from MicrosoftEntraApplicationOptions

Co-authored-by: pmaytak &lt;34331512+pmaytak@users.noreply.github.com&gt;

---------

Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: pmaytak &lt;34331512+pmaytak@users.noreply.github.com&gt;
diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/DefaultTokenAcquirerFactoryImplementation.cs b/src/Microsoft.Identity.Web.TokenAcquisition/DefaultTokenAcquirerFactoryImplementation.cs
@@ -59,10 +59,10 @@ public ITokenAcquirer GetTokenAcquirer(IdentityApplicationOptions IdentityApplic
             _ = Throws.IfNull(IdentityApplicationOptions);
 
             // Compute the Azure region if the option is a MicrosoftIdentityApplicationOptions.
-            MicrosoftIdentityApplicationOptions? MicrosoftIdentityApplicationOptions = IdentityApplicationOptions as MicrosoftIdentityApplicationOptions;
-            if (MicrosoftIdentityApplicationOptions == null)
+            MicrosoftIdentityApplicationOptions? microsoftIdentityApplicationOptions = IdentityApplicationOptions as MicrosoftIdentityApplicationOptions;
+            if (microsoftIdentityApplicationOptions == null)
             {
-                MicrosoftIdentityApplicationOptions = new MicrosoftIdentityApplicationOptions
+                microsoftIdentityApplicationOptions = new MicrosoftIdentityApplicationOptions
                 {
                     AllowWebApiToBeAuthorizedByACL = IdentityApplicationOptions.AllowWebApiToBeAuthorizedByACL,
                     Audience = IdentityApplicationOptions.Audience,
@@ -73,17 +73,32 @@ public ITokenAcquirer GetTokenAcquirer(IdentityApplicationOptions IdentityApplic
                     TokenDecryptionCredentials = IdentityApplicationOptions.TokenDecryptionCredentials,
                     EnablePiiLogging = IdentityApplicationOptions.EnablePiiLogging,
                 };
+
+                // If the IdentityApplicationOptions is of type MicrosoftEntraApplicationOptions,
+                // copy over those options too.
+                MicrosoftEntraApplicationOptions? microsoftEntraApplicationOptions = IdentityApplicationOptions as MicrosoftEntraApplicationOptions;
+                if (microsoftEntraApplicationOptions != null)
+                {
+                    microsoftIdentityApplicationOptions.Authority = microsoftEntraApplicationOptions.Authority;
+                    microsoftIdentityApplicationOptions.Name = microsoftEntraApplicationOptions.Name;
+                    microsoftIdentityApplicationOptions.Instance = microsoftEntraApplicationOptions.Instance;
+                    microsoftIdentityApplicationOptions.TenantId = microsoftEntraApplicationOptions.TenantId;
+                    microsoftIdentityApplicationOptions.AppHomeTenantId = microsoftEntraApplicationOptions.AppHomeTenantId;
+                    microsoftIdentityApplicationOptions.AzureRegion = microsoftEntraApplicationOptions.AzureRegion;
+                    microsoftIdentityApplicationOptions.ClientCapabilities = microsoftEntraApplicationOptions.ClientCapabilities;
+                    microsoftIdentityApplicationOptions.SendX5C = microsoftEntraApplicationOptions.SendX5C;
+                }
             }
 
-            string key = GetKey(IdentityApplicationOptions.Authority, IdentityApplicationOptions.ClientId, MicrosoftIdentityApplicationOptions.AzureRegion);
+            string key = GetKey(IdentityApplicationOptions.Authority, IdentityApplicationOptions.ClientId, microsoftIdentityApplicationOptions.AzureRegion);
 
             return _authSchemes.GetOrAdd(key, (key) =>
             {
                 IMergedOptionsStore optionsMonitor = ServiceProvider!.GetRequiredService<IMergedOptionsStore>();
                 MergedOptions mergedOptions = optionsMonitor.Get(key);
 
        
-                MergedOptions.UpdateMergedOptionsFromMicrosoftIdentityApplicationOptions(MicrosoftIdentityApplicationOptions, mergedOptions);
+                MergedOptions.UpdateMergedOptionsFromMicrosoftIdentityApplicationOptions(microsoftIdentityApplicationOptions, mergedOptions);
                 return MakeTokenAcquirer(key);
             });
         }
diff --git a/tests/Microsoft.Identity.Web.Test/DefaultTokenAcquirerFactoryImplementationTests.cs b/tests/Microsoft.Identity.Web.Test/DefaultTokenAcquirerFactoryImplementationTests.cs
@@ -0,0 +1,165 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Identity.Abstractions;
+using Microsoft.Identity.Web.Test.Common;
+using Xunit;
+
+namespace Microsoft.Identity.Web.Test
+{
+    [Collection(nameof(TokenAcquirerFactorySingletonProtection))]
+    public class DefaultTokenAcquirerFactoryImplementationTests
+    {
+        [Fact]
+        public void GetTokenAcquirer_WithMicrosoftEntraApplicationOptions_PropagatesAllOptions()
+        {
+            // Arrange
+            var taf = new CustomTAF();
+            var provider = taf.Build();
+            var factory = provider.GetRequiredService<ITokenAcquirerFactory>();
+
+            var options = new MicrosoftEntraApplicationOptions
+            {
+                // IdentityApplicationOptions properties
+                ClientId = "test-client-id",
+                Authority = "https://login.microsoftonline.com/test-tenant",
+                EnablePiiLogging = true,
+                AllowWebApiToBeAuthorizedByACL = true,
+                Audience = "test-audience",
+                ClientCredentials = new List<CredentialDescription>
+                {
+                    new CredentialDescription { ClientSecret = "test-secret", SourceType = CredentialSource.ClientSecret }
+                },
+
+                // MicrosoftEntraApplicationOptions properties
+                Name = "test-name",
+                Instance = "https://login.microsoftonline.com/",
+                TenantId = "test-tenant-id",
+                AppHomeTenantId = "test-home-tenant-id",
+                AzureRegion = "westus",
+                ClientCapabilities = new List<string> { "cp1" },
+                SendX5C = true
+            };
+
+            // Act
+            var tokenAcquirer = factory.GetTokenAcquirer(options);
+
+            // Assert
+            Assert.NotNull(tokenAcquirer);
+            
+            // Verify the options were properly stored in the merged options
+            var mergedOptionsStore = provider.GetRequiredService<IMergedOptionsStore>();
+            var key = DefaultTokenAcquirerFactoryImplementation.GetKey(options.Authority, options.ClientId, options.AzureRegion);
+            var mergedOptions = mergedOptionsStore.Get(key);
+
+            Assert.Equal(options.ClientId, mergedOptions.ClientId);
+            Assert.Equal(options.EnablePiiLogging, mergedOptions.EnablePiiLogging);
+            Assert.Equal(options.AllowWebApiToBeAuthorizedByACL, mergedOptions.AllowWebApiToBeAuthorizedByACL);
+            Assert.Equal(options.Instance, mergedOptions.Instance);
+            Assert.Equal(options.TenantId, mergedOptions.TenantId);
+            Assert.Equal(options.AppHomeTenantId, mergedOptions.AppHomeTenantId);
+            Assert.Equal(options.AzureRegion, mergedOptions.AzureRegion);
+            Assert.Equal(options.ClientCapabilities, mergedOptions.ClientCapabilities);
+            Assert.Equal(options.SendX5C, mergedOptions.SendX5C);
+        }
+
+        [Fact]
+        public void GetTokenAcquirer_WithIdentityApplicationOptions_PropagatesBaseOptions()
+        {
+            // Arrange
+            var taf = new CustomTAF();
+            var provider = taf.Build();
+            var factory = provider.GetRequiredService<ITokenAcquirerFactory>();
+
+            var options = new IdentityApplicationOptions
+            {
+                ClientId = "test-client-id",
+                Authority = "https://login.microsoftonline.com/test-tenant",
+                EnablePiiLogging = true,
+                AllowWebApiToBeAuthorizedByACL = true,
+                Audience = "test-audience",
+                ClientCredentials = new List<CredentialDescription>
+                {
+                    new CredentialDescription { ClientSecret = "test-secret", SourceType = CredentialSource.ClientSecret }
+                }
+            };
+
+            // Act
+            var tokenAcquirer = factory.GetTokenAcquirer(options);
+
+            // Assert
+            Assert.NotNull(tokenAcquirer);
+            
+            // Verify the options were properly stored in the merged options
+            var mergedOptionsStore = provider.GetRequiredService<IMergedOptionsStore>();
+            var key = DefaultTokenAcquirerFactoryImplementation.GetKey(options.Authority, options.ClientId, null);
+            var mergedOptions = mergedOptionsStore.Get(key);
+
+            Assert.Equal(options.ClientId, mergedOptions.ClientId);
+            Assert.Equal(options.EnablePiiLogging, mergedOptions.EnablePiiLogging);
+            Assert.Equal(options.AllowWebApiToBeAuthorizedByACL, mergedOptions.AllowWebApiToBeAuthorizedByACL);
+        }
+
+        [Fact]
+        public void GetTokenAcquirer_WithMicrosoftIdentityApplicationOptions_UsesAsIs()
+        {
+            // Arrange
+            var taf = new CustomTAF();
+            var provider = taf.Build();
+            var factory = provider.GetRequiredService<ITokenAcquirerFactory>();
+
+            var options = new MicrosoftIdentityApplicationOptions
+            {
+                ClientId = "test-client-id",
+                Authority = "https://login.microsoftonline.com/test-tenant",
+                EnablePiiLogging = true,
+                AllowWebApiToBeAuthorizedByACL = true,
+                Instance = "https://login.microsoftonline.com/",
+                TenantId = "test-tenant-id",
+                AzureRegion = "westus",
+                SendX5C = true,
+                Domain = "test-domain.com",
+                SignUpSignInPolicyId = "B2C_1_signupsignin"
+            };
+
+            // Act
+            var tokenAcquirer = factory.GetTokenAcquirer(options);
+
+            // Assert
+            Assert.NotNull(tokenAcquirer);
+            
+            // Verify the options were properly stored in the merged options
+            var mergedOptionsStore = provider.GetRequiredService<IMergedOptionsStore>();
+            var key = DefaultTokenAcquirerFactoryImplementation.GetKey(options.Authority, options.ClientId, options.AzureRegion);
+            var mergedOptions = mergedOptionsStore.Get(key);
+
+            Assert.Equal(options.ClientId, mergedOptions.ClientId);
+            Assert.Equal(options.EnablePiiLogging, mergedOptions.EnablePiiLogging);
+            Assert.Equal(options.Instance, mergedOptions.Instance);
+            Assert.Equal(options.TenantId, mergedOptions.TenantId);
+            Assert.Equal(options.AzureRegion, mergedOptions.AzureRegion);
+            Assert.Equal(options.SendX5C, mergedOptions.SendX5C);
+            Assert.Equal(options.Domain, mergedOptions.Domain);
+            Assert.Equal(options.SignUpSignInPolicyId, mergedOptions.SignUpSignInPolicyId);
+        }
+
+        private class CustomTAF : TokenAcquirerFactory
+        {
+            public CustomTAF()
+            {
+                this.Services.AddTokenAcquisition();
+                this.Services.AddHttpClient();
+                this.Services.AddSingleton<ITokenAcquirerFactory, DefaultTokenAcquirerFactoryImplementation>();
+            }
+
+            protected override string DefineConfiguration(IConfigurationBuilder builder)
+            {
+                return AppContext.BaseDirectory;
+            }
+        }
+    }
+}
