[Feature Request] Make issuer validation in OIDC authority optional

[lilinus]

MSAL client type

Confidential

Problem statement

Since the change #5358 I am unable to connect to a provider where the issuer property in the .well-known/openid-configuration file doesn't comply with the specification.

It would be handy if the new validation was opt-out, so we could still use the provider with MSAL for .NET.

Proposed solution

Add a flag to opt-out of the issuer validation, perhaps like:

namespace Microsoft.Identity.;
public class ConfidentialClientApplicationBuilder
{
    public Microsoft.Identity.Client.ConfidentialClientApplicationBuilder WithOidcAuthority(string authorityUri, bool validateIssuer);
}

Alternatives

In my case, I use client credentials. So an alternative for me would be to just write code that fetches, caches and refreshes the token myself.

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• [Feature Request] Add support for CIAM custom authority #4387

Powered by issue-sentinel

[bgavrilMS]

Hi @lilinus - can you help us understand how the authority string looks like and how the issuer looks like? Are you using Entra or smth else?

[lilinus]

It's an external provider so don't I know if it is Entra or not (assume not).

I understand the issue is in the providers discovery document, but would be nice to use MSAL functionality instead of building from scratch.

I'm trying to esablish service-to-service communcation and this is the code I'm using to obtain a token:

var app = ConfidentialClientApplicationBuilder.Create("clientid")
    .WithOidcAuthority("https://some-random-external-provider.com:12345/")
    .WithClientSecret("foobar")
    .Build();
var token = await app.AcquireTokenForClient(["scope"]).ExecuteAsync();
var header = token.CreateAuthorizationHeader();

The discovery document https://some-random-external-provider.com:12345/.well-known/openid-configuration looks like:

{
  "issuer": "https://localhost:12345/",
  "token_endpoint": "https://some-random-external-provider.com:12345/token",
  ...
}

The exception I'm getting (calling ExecuteAsync) is:

Microsoft.Identity.Client.MsalServiceException: 'Issuer validation failed for authority: https://some-random-external-provider.com:12345/ . Issuer from OIDC endpoint does not match any expected pattern: https://localhost:12345/ . '

[bgavrilMS]

For testing purposes, I would recommend you hijack the HTTP communication via WithHttpClient and inject an OIDC response with the correct value. MSAL doesn't use issuer.

[lilinus]

Just for clarity; this is for production, not testing. I just simplified the example.

Perhaps MSLA doesn't use issuer, but it validates it and throws us, hence preventing usage of ConfidentialClientApplicationBuilder in this case.

We will use workaround and fetch a token and cache it with custom code instead.