
User FIC E2E tests fail because instance in options is null #3609

@pmaytak

Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

4.1.0

Web app

Sign-in users and call web APIs

Web API

Protected web APIs (validating tokens)

Token cache serialization

Not Applicable

Description

UserFicCrossTenantE2ETestsAsync fails with the error:
System.ArgumentException : The authority (including the tenant ID) must be in a well-formed URI format. (Parameter 'authority')

at Microsoft.Identity.Client.AuthorityInfo.ValidateAndCreateAuthorityUri(String authority, Nullable`1 authorityType)
at Microsoft.Identity.Client.AuthorityInfo.FromAuthorityUri(String authorityUri, Boolean validateAuthority)
at Microsoft.Identity.Client.Instance.Authority.CreateAuthority(String authority, Boolean validateAuthority)
at Microsoft.Identity.Client.AbstractApplicationBuilder`1.WithAuthority(String authorityUri, Boolean validateAuthority)
at Microsoft.Identity.Web.TokenAcquisition.BuildConfidentialClientApplicationAsync(MergedOptions mergedOptions)
at Microsoft.Identity.Web.TokenAcquisition.GetOrBuildConfidentialClientApplicationAsync(MergedOptions mergedOptions)
at Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForUserAsync(IEnumerable`1 scopes, String authenticationScheme, String tenantId, String userFlow, ClaimsPrincipal user, TokenAcquisitionOptions tokenAcquisitionOptions)
at Microsoft.Identity.Web.TokenAcquirer.Microsoft.Identity.Abstractions.ITokenAcquirer.GetTokenForUserAsync(IEnumerable`1 scopes, AcquireTokenOptions tokenAcquisitionOptions, ClaimsPrincipal user, CancellationToken cancellationToken)

Reproduction steps

Run UserFicCrossTenantE2ETestsAsync test in MISE.
The issue happens in TokenAcquisition when we create the authority to pass to MSAL here. The mergedOptions.PreparedInstance is null.

authority = $"{mergedOptions.PreparedInstance}{mergedOptions.TenantId}/";

Setting breakpoints in MergedOptions shows that Id Web 4.0.0 (working) and 4.1.0 (non-working) have different call stacks.

The test specifies options.Authority, which makes the test fail. When the test is updated to specify options.Instance and options.TenantId, the test succeeds.

This test in Id Web can help repro. Specify only Authority and it will fail; specify instance and tenant - it will work.

public async Task AcquireToken_WithMicrosoftIdentityApplicationOptions_ClientCredentialsAsync()

This test, which specifies authority only, works, probably because it provides it directly to the token acquirer.

public async Task AcquireToken_WithFactoryAndAuthorityClientIdCert_ClientCredentialsAsync()

Error message

No response

Id Web logs

No response

Relevant code snippets

-

Regression

not a regression

Expected behavior

  • The test/behavior should succeed even when only Authority is specified.
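The failure mode reported above, as an added example that is not part of the original issue and is not Microsoft.Identity.Web code: interpolating a null instance yields a string that is not an https authority, and a guard can derive instance and tenant from Authority instead. `SketchOptions`, `AuthoritySketch` and the sample authority value are hypothetical names and constructed data.

```csharp
#nullable enable
using System;

// Hypothetical stand-in for the options named in the issue; not the library's MergedOptions.
public sealed class SketchOptions
{
    public string? Authority { get; set; }
    public string? Instance { get; set; }
    public string? TenantId { get; set; }
}

public static class AuthoritySketch
{
    // Same interpolation shape as the line quoted in the issue: a null instance renders as "".
    public static string BuildNaive(SketchOptions o) => $"{o.Instance}{o.TenantId}/";

    public static bool IsHttpsUri(string s) =>
        Uri.TryCreate(s, UriKind.Absolute, out Uri? u) && u.Scheme == Uri.UriSchemeHttps;

    // Fallback: derive instance and tenant from Authority when Instance was not set.
    public static string BuildWithFallback(SketchOptions o)
    {
        string? instance = o.Instance;
        string? tenant = o.TenantId;
        if (string.IsNullOrEmpty(instance) && !string.IsNullOrEmpty(o.Authority))
        {
            if (!Uri.TryCreate(o.Authority, UriKind.Absolute, out Uri? uri) || uri.Scheme != Uri.UriSchemeHttps)
                throw new ArgumentException("Authority must be an absolute https URI.", nameof(o));
            instance = uri.GetLeftPart(UriPartial.Authority);
            string[] segments = uri.AbsolutePath.Split('/', StringSplitOptions.RemoveEmptyEntries);
            if (string.IsNullOrEmpty(tenant) && segments.Length > 0) tenant = segments[0];
        }
        if (string.IsNullOrEmpty(instance) || string.IsNullOrEmpty(tenant))
            throw new ArgumentException("Instance and TenantId could not be resolved.", nameof(o));
        return $"{instance.TrimEnd('/')}/{tenant}/";
    }

    public static void Main()
    {
        // Constructed sample: only Authority is set, as in the failing test setup.
        var o = new SketchOptions { Authority = "https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0" };
        string naive = BuildNaive(o);
        Console.WriteLine($"naive='{naive}' https={IsHttpsUri(naive)}");
        string fixedUp = BuildWithFallback(o);
        Console.WriteLine($"fallback='{fixedUp}' https={IsHttpsUri(fixedUp)}");
    }
}
```

The check compares the scheme rather than relying on `UriKind.Absolute` alone, because on Unix-like systems .NET accepts a leading-slash string as an absolute file URI.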

Labels: bug (Something isn't working)
