Jmprieur/fix authority parsing (#3620)

* Fix Authority-only configuration: Parse to Instance/TenantId for AAD, CIAM, and B2C (#3614)

* Initial plan

* Implement authority-only configuration support for AAD, CIAM, and B2C

- Move ParseAuthorityIfNecessary to start of UpdateConfidentialClientApplicationOptionsFromMergedOptions
- Add defensive fallback parse in PrepareAuthorityInstanceForMsal
- Add TODO comment for future warning logging (issue #3611)
- Create new unit test file MergedOptionsAuthorityParsingTests.cs with 7 tests
- Modify E2E test to use Authority-only configuration
- Add new B2C authority-only E2E test
All unit tests pass successfully

Co-authored-by: jmprieur <[email protected]>

* Address code review feedback

- Add explicit using statement for Microsoft.Identity.Web in test file
- Improve defensive fallback to also check TenantId to avoid redundant parsing
All tests still pass

Co-authored-by: jmprieur <[email protected]>

* Restore original test and create new Authority-only test

- Restore AcquireToken_WithMicrosoftIdentityApplicationOptions_ClientCredentialsAsync with Instance/TenantId
- Create new AcquireToken_WithMicrosoftIdentityApplicationOptions_Authority_ClientCredentialsAsync for Authority-only scenario
Both tests now exist to demonstrate both recommended (Instance/TenantId) and Authority-only approaches

Co-authored-by: jmprieur <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: jmprieur <[email protected]>

* Add high-performance warning logging for Authority + Instance/TenantId conflicts (#3615)

* Initial plan

* Add authority conflict warning logging infrastructure

Co-authored-by: jmprieur <[email protected]>

* Add comprehensive unit tests for authority conflict warnings

Co-authored-by: jmprieur <[email protected]>

* Wire up logger factory to MergedOptionsStore for runtime logging

Co-authored-by: jmprieur <[email protected]>

* Fix MergedOptionsStore constructor signature for DI compatibility

Co-authored-by: jmprieur <[email protected]>

* Rename MsalLogger alias to IdWebLogger for clarity

Co-authored-by: jmprieur <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: jmprieur <[email protected]>
Co-authored-by: Jean-Marc Prieur <[email protected]>

* Add comprehensive test matrix for authority parsing logic (#3610) (#3616)

* Initial plan

* Add comprehensive authority parsing test matrix - all unit tests created and passing

Co-authored-by: jmprieur <[email protected]>

* Implement full E2E authority matrix tests following existing patterns

Co-authored-by: jmprieur <[email protected]>

* Remove duplicate test files and consolidate unique edge case tests

Co-authored-by: jmprieur <[email protected]>

* Remove performance smoke tests as they are not on the hot path

Co-authored-by: jmprieur <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: jmprieur <[email protected]>

* Update version to 4.1.1 (#3619)

* Initial plan

* Update version to 4.1.1 and add changelog entry

Co-authored-by: jmprieur <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: jmprieur <[email protected]>

* Update src/Microsoft.Identity.Web.TokenAcquisition/MergedOptions.cs

Co-authored-by: Copilot <[email protected]>

* Update changelog.md

Co-authored-by: Copilot <[email protected]>

* [WIP] Update authority parsing fix for ILoggerFactory usage (#3621)

* Initial plan

* Update MergedOptionsStore to use IServiceProvider instead of ILoggerFactory

Co-authored-by: jmprieur <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: jmprieur <[email protected]>

* Adding more resilience to configuration (common on App token, and no domain for b2c)

---------

Co-authored-by: Copilot <[email protected]>
Co-authored-by: jmprieur <[email protected]>
Co-authored-by: Copilot <[email protected]>

Author: 3 people

Directory.Build.props

@@ -4,7 +4,7 @@
     <!-- This needs to be greater than or equal to the validation baseline version. The conditional logic around TargetNetNext is there
     to avoid NU5104 for packing a release version library with prerelease deps. By adding preview to it, that warning is avoided.
     -->
-  <MicrosoftIdentityWebVersion Condition="'$(MicrosoftIdentityWebVersion)' == ''">4.1.0</MicrosoftIdentityWebVersion>
+  <MicrosoftIdentityWebVersion Condition="'$(MicrosoftIdentityWebVersion)' == ''">4.1.1</MicrosoftIdentityWebVersion>
     <!--This will generate AssemblyVersion, AssemblyFileVersion and AssemblyInformationVersion-->
     <Version>$(MicrosoftIdentityWebVersion)</Version>
 

changelog.md

@@ -1,3 +1,12 @@
+## 4.1.1
+
+### Added
+- Authority-only configuration parsing improvements (Issue #3612): Early parsing of Authority into Instance/TenantId and defensive fallback in PrepareAuthorityInstanceForMsal. Behavior is backward compatible; Authority is still ignored when Instance/TenantId explicitly provided—now surfaced via a warning.
+- Warning diagnostics for conflicting Authority vs Instance/TenantId (Issue #3611): Emits a single structured warning when both styles are provided.
+
+### Fundamentals
+- Expanded authority test matrix (Issue #3610): Coverage for AAD (v1/v2), B2C (/tfp/ normalization, policy path), CIAM (PreserveAuthority), query parameters, scheme-less forms, and conflict scenarios.
+
 4.1.0
 =========
 ### New features

src/Microsoft.Identity.Web.TokenAcquisition/LoggingEventId.cs

@@ -29,6 +29,9 @@ internal static class LoggingEventId
         public static readonly EventId CredentialLoadAttemptFailed = new EventId(406, "CredentialLoadAttemptFailed");
         public static readonly EventId UsingSignedAssertionFromCustomProvider = new EventId(407, "UsingSignedAssertionFromCustomProvider");
 
+        // MergedOptions EventIds 408+
+        public static readonly EventId AuthorityConflict = new EventId(408, "AuthorityConflict");
+
 #pragma warning restore IDE1006 // Naming Styles
     }
 }

src/Microsoft.Identity.Web.TokenAcquisition/MergedOptions.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using IdWebLogger = Microsoft.Extensions.Logging;
 using Microsoft.Identity.Abstractions;
 
 #if !NETSTANDARD2_0 && !NET462 && !NET472
@@ -22,6 +23,11 @@ internal sealed class MergedOptions : MicrosoftIdentityOptions
     {
         private ConfidentialClientApplicationOptions? _confidentialClientApplicationOptions;
 
+        /// <summary>
+        /// Logger instance for diagnostics.
+        /// </summary>
+        internal IdWebLogger.ILogger? Logger { get; set; }
+
         public ConfidentialClientApplicationOptions ConfidentialClientApplicationOptions
         {
             get
@@ -386,6 +392,8 @@ internal static void UpdateMergedOptionsFromConfidentialClientApplicationOptions
 
         internal static void UpdateConfidentialClientApplicationOptionsFromMergedOptions(MergedOptions mergedOptions, ConfidentialClientApplicationOptions confidentialClientApplicationOptions)
         {
+            ParseAuthorityIfNecessary(mergedOptions, mergedOptions.Logger);
+
             confidentialClientApplicationOptions.AadAuthorityAudience = mergedOptions.AadAuthorityAudience;
             confidentialClientApplicationOptions.AzureCloudInstance = mergedOptions.AzureCloudInstance;
             if (string.IsNullOrEmpty(confidentialClientApplicationOptions.AzureRegion) && !string.IsNullOrEmpty(mergedOptions.AzureRegion))
@@ -416,8 +424,6 @@ internal static void UpdateConfidentialClientApplicationOptionsFromMergedOptions
 
             confidentialClientApplicationOptions.EnablePiiLogging = mergedOptions.EnablePiiLogging;
 
-            ParseAuthorityIfNecessary(mergedOptions);
-
             if (string.IsNullOrEmpty(confidentialClientApplicationOptions.Instance) && !string.IsNullOrEmpty(mergedOptions.Instance))
             {
                 confidentialClientApplicationOptions.Instance = mergedOptions.Instance;
@@ -438,8 +444,25 @@ internal static void UpdateConfidentialClientApplicationOptionsFromMergedOptions
             }
         }
 
-        internal static void ParseAuthorityIfNecessary(MergedOptions mergedOptions)
+        internal static void ParseAuthorityIfNecessary(MergedOptions mergedOptions, IdWebLogger.ILogger? logger = null)
         {
+            // Check if Authority is configured but being ignored due to Instance/TenantId taking precedence
+            if (!string.IsNullOrEmpty(mergedOptions.Authority) && 
+                (!string.IsNullOrEmpty(mergedOptions.Instance) || !string.IsNullOrEmpty(mergedOptions.TenantId)))
+            {
+                // Log warning that Authority is being ignored
+                if (logger != null)
+                {
+                    MergedOptionsLogging.AuthorityIgnored(
+                        logger,
+                        mergedOptions.Authority!,
+                        mergedOptions.Instance ?? string.Empty,
+                        mergedOptions.TenantId ?? string.Empty);
+                }
+                // Authority is ignored; Instance and TenantId take precedence
+                return;
+            }
+
             if (string.IsNullOrEmpty(mergedOptions.TenantId) && string.IsNullOrEmpty(mergedOptions.Instance) && !string.IsNullOrEmpty(mergedOptions.Authority))
             {
                 ReadOnlySpan<char> doubleSlash = "//".AsSpan();
@@ -473,6 +496,11 @@ internal static void UpdateMergedOptionsFromJwtBearerOptions(JwtBearerOptions jw
 
         public void PrepareAuthorityInstanceForMsal()
         {
+            if (string.IsNullOrEmpty(Instance) && string.IsNullOrEmpty(TenantId) && !string.IsNullOrEmpty(Authority))
+            {
+                ParseAuthorityIfNecessary(this, this.Logger);
+            }
+
             if (string.IsNullOrEmpty(Instance))
             {
                 return;

src/Microsoft.Identity.Web.TokenAcquisition/MergedOptionsLogging.cs

@@ -0,0 +1,36 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using Microsoft.Extensions.Logging;
+
+namespace Microsoft.Identity.Web
+{
+    /// <summary>
+    /// High-performance logging for MergedOptions operations.
+    /// </summary>
+    internal static partial class MergedOptionsLogging
+    {
+        private static readonly Action<ILogger, string, string, string, Exception?> s_authorityIgnored =
+            LoggerMessage.Define<string, string, string>(
+                LogLevel.Warning,
+                LoggingEventId.AuthorityConflict,
+                "[MsIdWeb] Authority '{Authority}' is being ignored because Instance '{Instance}' and/or TenantId '{TenantId}' are already configured. To use Authority, remove Instance and TenantId from the configuration.");
+
+        /// <summary>
+        /// Logs a warning when Authority is configured alongside Instance and/or TenantId.
+        /// </summary>
+        /// <param name="logger">The logger instance.</param>
+        /// <param name="authority">The Authority value that is being ignored.</param>
+        /// <param name="instance">The Instance value that takes precedence.</param>
+        /// <param name="tenantId">The TenantId value that takes precedence.</param>
+        public static void AuthorityIgnored(
+            ILogger logger,
+            string authority,
+            string instance,
+            string tenantId)
+        {
+            s_authorityIgnored(logger, authority, instance, tenantId, null);
+        }
+    }
+}

src/Microsoft.Identity.Web.TokenAcquisition/MergedOptionsStore.cs

@@ -1,22 +1,35 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using System;
 using System.Collections.Concurrent;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
 
 namespace Microsoft.Identity.Web
 {
     internal class MergedOptionsStore : IMergedOptionsStore
     {
         private readonly ConcurrentDictionary<string, MergedOptions> _options;
+        private readonly ILoggerFactory? _loggerFactory;
 
-        public MergedOptionsStore()
+        public MergedOptionsStore(IServiceProvider serviceProvider)
         {
             _options = new ConcurrentDictionary<string, MergedOptions>();
+            _loggerFactory = serviceProvider?.GetService<ILoggerFactory>();
         }
 
         public MergedOptions Get(string name)
         {
-            return _options.GetOrAdd(name, key => new MergedOptions());
+            return _options.GetOrAdd(name, key => 
+            {
+                var mergedOptions = new MergedOptions();
+                if (_loggerFactory != null)
+                {
+                    mergedOptions.Logger = _loggerFactory.CreateLogger<MergedOptions>();
+                }
+                return mergedOptions;
+            });
         }
     }
 }

src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net10.0/InternalAPI.Unshipped.txt

@@ -1,4 +1,11 @@
 #nullable enable
 const Microsoft.Identity.Web.Constants.UserIdKey = "IDWEB_USER_ID" -> string!
 readonly Microsoft.Identity.Web.TokenAcquisition._certificatesObservers -> System.Collections.Generic.IReadOnlyList<Microsoft.Identity.Web.Experimental.ICertificatesObserver!>!
+Microsoft.Identity.Web.MergedOptions.Logger.get -> Microsoft.Extensions.Logging.ILogger?
+Microsoft.Identity.Web.MergedOptions.Logger.set -> void
+Microsoft.Identity.Web.MergedOptionsLogging
+Microsoft.Identity.Web.MergedOptionsStore.MergedOptionsStore(System.IServiceProvider! serviceProvider) -> void
+static Microsoft.Identity.Web.MergedOptions.ParseAuthorityIfNecessary(Microsoft.Identity.Web.MergedOptions! mergedOptions, Microsoft.Extensions.Logging.ILogger? logger = null) -> void
+static Microsoft.Identity.Web.MergedOptionsLogging.AuthorityIgnored(Microsoft.Extensions.Logging.ILogger! logger, string! authority, string! instance, string! tenantId) -> void
 static Microsoft.Identity.Web.TokenAcquisition.MergeExtraQueryParameters(Microsoft.Identity.Web.MergedOptions! mergedOptions, Microsoft.Identity.Web.TokenAcquisitionOptions? tokenAcquisitionOptions) -> System.Collections.Generic.Dictionary<string!, (string! value, bool includeInCacheKey)>?
+static readonly Microsoft.Identity.Web.LoggingEventId.AuthorityConflict -> Microsoft.Extensions.Logging.EventId

src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net462/InternalAPI.Unshipped.txt

@@ -1,2 +1,9 @@
 #nullable enable
+Microsoft.Identity.Web.MergedOptions.Logger.get -> Microsoft.Extensions.Logging.ILogger?
+Microsoft.Identity.Web.MergedOptions.Logger.set -> void
+Microsoft.Identity.Web.MergedOptionsLogging
+Microsoft.Identity.Web.MergedOptionsStore.MergedOptionsStore(System.IServiceProvider! serviceProvider) -> void
+static Microsoft.Identity.Web.MergedOptions.ParseAuthorityIfNecessary(Microsoft.Identity.Web.MergedOptions! mergedOptions, Microsoft.Extensions.Logging.ILogger? logger = null) -> void
+static Microsoft.Identity.Web.MergedOptionsLogging.AuthorityIgnored(Microsoft.Extensions.Logging.ILogger! logger, string! authority, string! instance, string! tenantId) -> void
 static Microsoft.Identity.Web.TokenAcquisition.MergeExtraQueryParameters(Microsoft.Identity.Web.MergedOptions! mergedOptions, Microsoft.Identity.Web.TokenAcquisitionOptions? tokenAcquisitionOptions) -> System.Collections.Generic.Dictionary<string!, (string! value, bool includeInCacheKey)>?
+static readonly Microsoft.Identity.Web.LoggingEventId.AuthorityConflict -> Microsoft.Extensions.Logging.EventId

src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net472/InternalAPI.Unshipped.txt

@@ -1,2 +1,9 @@
 #nullable enable
+Microsoft.Identity.Web.MergedOptions.Logger.get -> Microsoft.Extensions.Logging.ILogger?
+Microsoft.Identity.Web.MergedOptions.Logger.set -> void
+Microsoft.Identity.Web.MergedOptionsLogging
+Microsoft.Identity.Web.MergedOptionsStore.MergedOptionsStore(System.IServiceProvider! serviceProvider) -> void
+static Microsoft.Identity.Web.MergedOptions.ParseAuthorityIfNecessary(Microsoft.Identity.Web.MergedOptions! mergedOptions, Microsoft.Extensions.Logging.ILogger? logger = null) -> void
+static Microsoft.Identity.Web.MergedOptionsLogging.AuthorityIgnored(Microsoft.Extensions.Logging.ILogger! logger, string! authority, string! instance, string! tenantId) -> void
 static Microsoft.Identity.Web.TokenAcquisition.MergeExtraQueryParameters(Microsoft.Identity.Web.MergedOptions! mergedOptions, Microsoft.Identity.Web.TokenAcquisitionOptions? tokenAcquisitionOptions) -> System.Collections.Generic.Dictionary<string!, (string! value, bool includeInCacheKey)>?
+static readonly Microsoft.Identity.Web.LoggingEventId.AuthorityConflict -> Microsoft.Extensions.Logging.EventId

src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net8.0/InternalAPI.Unshipped.txt

@@ -1,2 +1,9 @@
 #nullable enable
+Microsoft.Identity.Web.MergedOptions.Logger.get -> Microsoft.Extensions.Logging.ILogger?
+Microsoft.Identity.Web.MergedOptions.Logger.set -> void
+Microsoft.Identity.Web.MergedOptionsLogging
+Microsoft.Identity.Web.MergedOptionsStore.MergedOptionsStore(System.IServiceProvider! serviceProvider) -> void
+static Microsoft.Identity.Web.MergedOptions.ParseAuthorityIfNecessary(Microsoft.Identity.Web.MergedOptions! mergedOptions, Microsoft.Extensions.Logging.ILogger? logger = null) -> void
+static Microsoft.Identity.Web.MergedOptionsLogging.AuthorityIgnored(Microsoft.Extensions.Logging.ILogger! logger, string! authority, string! instance, string! tenantId) -> void
 static Microsoft.Identity.Web.TokenAcquisition.MergeExtraQueryParameters(Microsoft.Identity.Web.MergedOptions! mergedOptions, Microsoft.Identity.Web.TokenAcquisitionOptions? tokenAcquisitionOptions) -> System.Collections.Generic.Dictionary<string!, (string! value, bool includeInCacheKey)>?
+static readonly Microsoft.Identity.Web.LoggingEventId.AuthorityConflict -> Microsoft.Extensions.Logging.EventId