AzureAD/microsoft-identity-web

GraphAuthenticationProvider should merge request option with default options

scrocquesel-ml150 opened this issue · 0 comments

Microsoft.Identity.Web Library

Microsoft.Identity.Web.Graph

Microsoft.Identity.Web version

3.0.1

Web app

Not Applicable

Web API

Not Applicable

Token cache serialization

Not Applicable

Description

When the client is configured globally, overriding some configuration at the request level overrides the whole configuration.

GraphAuthenticationProvider replaces the globally configured GraphAuthenticationOptions with the one from the request information:

graphServiceClientOptions = authenticationOptions ?? _defaultAuthenticationOptions;

In my case, I want to be able to configure the AcquireTokenOptions to set a ManagedIdentity and be able to set RequestAppToken to true with .GetAsync(o => o.Options.WithAppOnly());

Reproduction steps

services.AddMicrosoftGraph(hostBuilderContext.Configuration.GetSection("Graph"));

var r = await graphServiceClient.Users.GetAsync(o => o.Options.WithAppOnly());

Configure with
"GRAPH__AcquireTokenOptions__ManagedIdentity__UserAssignedClientId": "GUID-of-the-user-assigned-managed-identity"

Error message

System.Private.CoreLib: Exception while executing function: Functions.Test. System.Private.CoreLib: Result: Failure
[2024-08-13T14:14:44.645Z] Exception: MSAL.NetCore.4.61.3.0.MsalClientException:
[2024-08-13T14:14:44.645Z]      ErrorCode: Client_Credentials_Required_In_Confidential_Client_Application
[2024-08-13T14:14:44.645Z] Microsoft.Identity.Client.MsalClientException: One client credential type required either: ClientSecret, Certificate, ClientAssertion or AppTokenProvider must be defined when creating a Confidential Client. Only specify one. See https://aka.ms/msal-net-client-credentials. 
[2024-08-13T14:14:44.645Z]    at Microsoft.Identity.Client.AbstractConfidentialClientAcquireTokenParameterBuilder`1.Validate()
[2024-08-13T14:14:44.645Z]    at Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder.Validate()
[2024-08-13T14:14:44.645Z]    at Microsoft.Identity.Client.BaseAbstractAcquireTokenParameterBuilder`1.ValidateAndCalculateApiId()
[2024-08-13T14:14:44.646Z]    at Microsoft.Identity.Client.AbstractConfidentialClientAcquireTokenParameterBuilder`1.ExecuteAsync(CancellationToken cancellationToken)
[2024-08-13T14:14:44.646Z]    at Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForAppAsync(String scope, String authenticationScheme, String tenant, TokenAcquisitionOptions tokenAcquisitionOptions)

Id Web logs

No response

Relevant code snippets

See repro steps.

Regression

No response

Expected behavior

GetAuthenticationResultForAppAsync should use the globally configured managed identity
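The difference between the replace behaviour reported above and a per-property merge, as an added example that is not part of the original issue and is not Microsoft.Identity.Web code. The `Demo*` types, `Replace` and `Merge` are hypothetical stand-ins, and the nullable `RequestAppToken` is an assumption made so that "not set on this request" can be told apart from "set to false".

```csharp
#nullable enable
using System;

// Hypothetical stand-ins for the option types named in the issue (not the library's classes).
class DemoManagedIdentity { public string? UserAssignedClientId { get; set; } }
class DemoAcquireTokenOptions { public DemoManagedIdentity? ManagedIdentity { get; set; } }
class DemoAuthOptions
{
    // Assumption: null means "not specified at this level".
    public bool? RequestAppToken { get; set; }
    public DemoAcquireTokenOptions? AcquireTokenOptions { get; set; }
}

static class OptionsMerge
{
    // Behaviour described in the issue: request-level options win wholesale.
    public static DemoAuthOptions Replace(DemoAuthOptions? request, DemoAuthOptions defaults) =>
        request ?? defaults;

    // Hypothetical merge: a request-level value overrides only when it is set.
    public static DemoAuthOptions Merge(DemoAuthOptions? request, DemoAuthOptions defaults) => new()
    {
        RequestAppToken = request?.RequestAppToken ?? defaults.RequestAppToken,
        AcquireTokenOptions = new DemoAcquireTokenOptions
        {
            ManagedIdentity = request?.AcquireTokenOptions?.ManagedIdentity
                              ?? defaults.AcquireTokenOptions?.ManagedIdentity,
        },
    };
}

static class Program
{
    static string Identity(DemoAuthOptions o) =>
        o.AcquireTokenOptions?.ManagedIdentity?.UserAssignedClientId ?? "<none>";

    static void Main()
    {
        // Constructed sample: global configuration carries the managed identity.
        var defaults = new DemoAuthOptions { AcquireTokenOptions = new DemoAcquireTokenOptions {
            ManagedIdentity = new DemoManagedIdentity { UserAssignedClientId = "GUID-of-the-user-assigned-managed-identity" } } };
        // Constructed sample: the request only asks for an app-only token.
        var request = new DemoAuthOptions { RequestAppToken = true };

        Console.WriteLine($"replace: identity = {Identity(OptionsMerge.Replace(request, defaults))}");
        Console.WriteLine($"merge:   identity = {Identity(OptionsMerge.Merge(request, defaults))}");
    }
}
```

With the replace path the token request carries no managed identity, which matches the `Client_Credentials_Required_In_Confidential_Client_Application` failure in the log above.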