### Microsoft.Identity.Web Library

Microsoft.Identity.Web

### Microsoft.Identity.Web version

2.15.3

### Web app

Sign-in users

### Web API

Not Applicable

### Token cache serialization

Not Applicable
### Description

I'm not sure if this is a bug or not. This behavior may be intended and I'm not configuring it properly.

In my case, I'm using `AddMicrosoftIdentityWebApp` to add a 2nd scheme. I'm also using `Configure<MicrosoftIdentityOptions>` to configure `ExtraQueryParameters` so the appId is appended to the `MetadataAddress`. Apparently that is required for an app registration that has custom signing keys as a result of using the claims mapping feature. The 2nd scheme works if I set it up with `AddOpenIdConnect`, but it doesn't if I use `AddMicrosoftIdentityWebApp`.

In debugging, I found that in `AddMicrosoftIdentityWebAppInternal` the appId is appended to `ExtraQueryParameters` and `options.MetadataAddress` is set. Should `mergedOptions.MetadataAddress` be getting set here instead?

```csharp
if (mergedOptions.Authority != null)
{
    mergedOptions.Authority = AuthorityHelpers.BuildCiamAuthorityIfNeeded(mergedOptions.Authority);
    if (mergedOptions.ExtraQueryParameters != null)
    {
        options.MetadataAddress = mergedOptions.Authority + "/.well-known/openid-configuration?" + string.Join("&", mergedOptions.ExtraQueryParameters.Select(p => $"{p.Key}={p.Value}"));
    }
}
PopulateOpenIdOptionsFromMergedOptions(options, mergedOptions);
```

`PopulateOpenIdOptionsFromMergedOptions` is called immediately after, and `options.MetadataAddress` is set again, wiping out its previous setting:

```csharp
options.MetadataAddress = mergedOptions.MetadataAddress;
```
### Reproduction steps

Create an ASP.NET Core web API and add the relevant code snippets.

### Error message

No response

### Id Web logs

No response

### Relevant code snippets

```csharp
builder.Services.Configure<MicrosoftIdentityOptions>("MyScheme", options =>
{
    options.Authority = "https://login.microsoftonline.com/some-tenant-id/v2.0";
    options.ExtraQueryParameters = new Dictionary<string, string>
    {
        {"appId", "some-client-id"}
    };
});

builder.Services.AddAuthentication()
    .AddMicrosoftIdentityWebApp(
        configurationSection: builder.Configuration.GetSection("MyScheme"),
        openIdConnectScheme: "MyScheme"
    );
```
### Regression
_No response_
### Expected behavior
I would expect by setting the `Authority` and `ExtraQueryParameters` in `MicrosoftIdentityOptions` for a named scheme, the `MetadataAddress` would have the appId or any other extra query parameters appended to the end.
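A quick way to confirm, in your own app, whether the extra query parameters survived into the address the OpenID Connect handler will actually fetch. This is an added check, not code from the issue or from Microsoft.Identity.Web; the scheme name, tenant id and appId are placeholders, and the "expected" string mirrors the construction in the library snippet quoted above.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

const string scheme = "MyScheme"; // placeholder scheme name

// Same registration as in the issue (placeholder authority and appId).
builder.Services.Configure<MicrosoftIdentityOptions>(scheme, options =>
{
    options.Authority = "https://login.microsoftonline.com/some-tenant-id/v2.0";
    options.ExtraQueryParameters = new Dictionary<string, string>
    {
        { "appId", "some-client-id" }
    };
});

builder.Services.AddAuthentication()
    .AddMicrosoftIdentityWebApp(
        configurationSection: builder.Configuration.GetSection(scheme),
        openIdConnectScheme: scheme
    );

var app = builder.Build();

// Named options are built lazily: Get(scheme) runs every Configure/PostConfigure
// callback registered for that scheme, including the library's internal ones,
// so this is the MetadataAddress the handler will use for discovery.
var oidc = app.Services.GetRequiredService<IOptionsMonitor<OpenIdConnectOptions>>().Get(scheme);
var idw = app.Services.GetRequiredService<IOptionsMonitor<MicrosoftIdentityOptions>>().Get(scheme);

// What the issue expects: authority + discovery path + the extra query parameters,
// built the same way as the library snippet in the issue.
var expected = idw.Authority + "/.well-known/openid-configuration?"
             + string.Join("&", idw.ExtraQueryParameters.Select(p => $"{p.Key}={p.Value}"));

Console.WriteLine($"expected: {expected}");
Console.WriteLine($"actual:   {oidc.MetadataAddress ?? "(null)"}");
if (oidc.MetadataAddress != expected)
{
    // This is the symptom described above: the address built from ExtraQueryParameters
    // was overwritten by mergedOptions.MetadataAddress.
    Console.WriteLine("ExtraQueryParameters were dropped from MetadataAddress.");
}
```

Run it once at startup (before `app.Run()`) to see which address the handler ends up with; if it differs from `expected`, the discovery document will be fetched without the appId and the custom signing keys will not be found.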