Description
Problem
In AgentIdentitiesExtension.ForAgentIdentity, the ConfigurationSection passed to OidcIdpSignedAssertionProvider is hardcoded to "AzureAd", ignoring the developer's AcquireTokenOptions.AuthenticationOptionsName setting.
This means developers using a custom configuration section name (e.g., "MyEntraId", "EntraId", or any named options) cannot use agent identities correctly: the credential provider will always look for configuration in the "AzureAd" section.
Current Code
```csharp
// In AgentIdentitiesExtension.ForAgentIdentity
options.ExtraParameters[Constants.MicrosoftIdentityOptionsParameter] = new MicrosoftEntraApplicationOptions
{
    ClientId = agentApplicationId,
    ClientCredentials = [ new CredentialDescription() {
        SourceType = CredentialSource.CustomSignedAssertion,
        CustomSignedAssertionProviderName = "OidcIdpSignedAssertion",
        CustomSignedAssertionProviderData = new Dictionary<string, object> {
            { "ConfigurationSection", "AzureAd" }, // ❌ HARDCODED
            { "RequiresSignedAssertionFmiPath", true },
        }
    }]
};
```
Expected Behavior
The ConfigurationSection should respect options.AuthenticationOptionsName if set:
```csharp
string configurationSection = options.AuthenticationOptionsName ?? "AzureAd";
options.ExtraParameters[Constants.MicrosoftIdentityOptionsParameter] = new MicrosoftEntraApplicationOptions
{
    ClientId = agentApplicationId,
    ClientCredentials = [ new CredentialDescription() {
        SourceType = CredentialSource.CustomSignedAssertion,
        CustomSignedAssertionProviderName = "OidcIdpSignedAssertion",
        CustomSignedAssertionProviderData = new Dictionary<string, object> {
            { "ConfigurationSection", configurationSection }, // ✅ Use developer's choice
            { "RequiresSignedAssertionFmiPath", true },
        }
    }]
};
```
Flow Diagram
```mermaid
flowchart TD
    A["Developer sets AcquireTokenOptions.AuthenticationOptionsName = 'MyEntraId'"] --> B["Calls WithAgentIdentity(agentAppId)"]
    B --> C["ForAgentIdentity sets ConfigurationSection = 'AzureAd'"]
    C --> D["OidcIdpSignedAssertionProvider loads 'AzureAd' config"]
    D --> E["❌ Wrong credentials loaded"]
    A2["Expected Flow"] --> B2["ForAgentIdentity uses AuthenticationOptionsName ?? 'AzureAd'"]
    B2 --> C2["OidcIdpSignedAssertionProvider loads correct config"]
    C2 --> D2["✅ Correct credentials loaded"]
```
Inconsistency
Notably, AgentUserIdentityMsalAddIn.OnBeforeUserFicForAgentUserIdentityAsync does respect AuthenticationOptionsName:
```csharp
string authenticationScheme = authenticationSchemeInformationProvider.GetEffectiveAuthenticationScheme(options.AuthenticationOptionsName);
ITokenAcquirer agentApplicationTokenAcquirer = tokenAcquirerFactory.GetTokenAcquirer(authenticationScheme);
```
But the OidcIdpSignedAssertionProvider credential configuration ignores it.
Table: AuthenticationOptionsName usage across agent identity flows
| Location | Uses AuthenticationOptionsName? |
|---|---|
| AgentUserIdentityMsalAddIn → GetEffectiveAuthenticationScheme | ✅ Yes |
| AgentUserIdentityMsalAddIn → optionsMonitor.Get(authenticationScheme) | ✅ Yes |
| ForAgentIdentity → ConfigurationSection | ❌ Hardcoded "AzureAd" |
| WithAgentUserIdentity → MicrosoftEntraApplicationOptions | ❌ No ConfigurationSection set |
Impact
- Developers using named options / custom configuration sections cannot use WithAgentIdentity or WithAgentUserIdentity correctly
- The OidcIdpSignedAssertionProvider will fail to find credentials or use wrong credentials
- No workaround exists
Solution
Update ForAgentIdentity to use options.AuthenticationOptionsName ?? "AzureAd" for the ConfigurationSection.
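A regression test for this fix, added here as an example and not taken from the issue or the repository. It assumes WithAgentIdentity is an extension method on AcquireTokenOptions that calls ForAgentIdentity (as the flow diagram shows), that the types live in the Microsoft.Identity.Abstractions and Microsoft.Identity.Web namespaces, and that ClientCredentials holds the single CredentialDescription shown above; the agent application id is a constructed placeholder.

```csharp
// Added regression test (xUnit); not part of the issue or the project's own test suite.
// Assumptions: WithAgentIdentity(this AcquireTokenOptions, string) invokes ForAgentIdentity;
// AcquireTokenOptions, CredentialDescription and MicrosoftEntraApplicationOptions come from
// Microsoft.Identity.Abstractions, Constants and WithAgentIdentity from Microsoft.Identity.Web.
using System.Linq;
using Microsoft.Identity.Abstractions;
using Microsoft.Identity.Web;
using Xunit;

public class ForAgentIdentityConfigurationSectionTests
{
    // Reads back the ConfigurationSection that OidcIdpSignedAssertionProvider will consult,
    // walking the same ExtraParameters / ClientCredentials shape the issue shows.
    private static string? ResolvedConfigurationSection(AcquireTokenOptions options)
    {
        var appOptions = (MicrosoftEntraApplicationOptions)
            options.ExtraParameters![Constants.MicrosoftIdentityOptionsParameter];
        CredentialDescription credential = appOptions.ClientCredentials!.Single();
        return credential.CustomSignedAssertionProviderData?["ConfigurationSection"] as string;
    }

    [Theory]
    [InlineData("MyEntraId", "MyEntraId")] // named options must be honoured
    [InlineData("EntraId", "EntraId")]
    [InlineData(null, "AzureAd")]          // no name set: fall back to the default section
    public void ConfigurationSection_FollowsAuthenticationOptionsName(string? name, string expected)
    {
        var options = new AcquireTokenOptions { AuthenticationOptionsName = name };

        // Constructed placeholder agent application id; any GUID-shaped string will do here.
        options.WithAgentIdentity("00000000-0000-0000-0000-000000000000");

        // Before the fix the first two cases fail with "AzureAd"; after it, all three pass.
        Assert.Equal(expected, ResolvedConfigurationSection(options));
    }
}
```

The null case pins the existing default so the fix cannot regress developers who never set AuthenticationOptionsName.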
Related
- Tenant not propagated in OidcIdpSignedAssertionProvider credential FIC acquisition #3632 (Tenant not propagated in OidcIdpSignedAssertionProvider)
Confidence
High (95%+): The hardcoded value is clearly visible in the source and the fix is isolated to a single point.
Co-author: Bridge (with @jmprieur review)