Copilot AI commented Nov 30, 2025

Fix ForAgentIdentity hardcoded 'AzureAd' ConfigurationSection to respect AuthenticationOptionsName

  • You've read the Contributor Guide and Code of Conduct.
  • You've included unit or integration tests for your change, where applicable.
  • You've included inline docs for your change, where applicable.
  • There's an open issue for the PR that you are making. If you'd like to propose a new feature or change, please open an issue to discuss the change or find an existing issue.

Use AuthenticationOptionsName for ConfigurationSection in ForAgentIdentity instead of hardcoded "AzureAd"

Description

ForAgentIdentity hardcoded "AzureAd" as the ConfigurationSection for OidcIdpSignedAssertionProvider, ignoring AcquireTokenOptions.AuthenticationOptionsName. Developers using custom config sections (e.g., "MyEntraId") couldn't use agent identities correctly.

Changes:

  • Extract options.AuthenticationOptionsName ?? "AzureAd" and use it for ConfigurationSection
  • Added 7 unit tests covering default/custom config section scenarios

Before:

CustomSignedAssertionProviderData = new Dictionary<string, object> {
    { "ConfigurationSection", "AzureAd" },  // ❌ Always "AzureAd"
}

After:

string configurationSection = options.AuthenticationOptionsName ?? "AzureAd";
CustomSignedAssertionProviderData = new Dictionary<string, object> {
    { "ConfigurationSection", configurationSection },  // ✅ Respects developer setting
}

Fixes #3633

Original prompt

This section details the original issue you should resolve

<issue_title>ForAgentIdentity hardcodes 'AzureAd' ConfigurationSection, ignores AuthenticationOptionsName</issue_title>
<issue_description>## Problem

In AgentIdentitiesExtension.ForAgentIdentity, the ConfigurationSection used by OidcIdpSignedAssertionProvider is hardcoded to "AzureAd", ignoring the developer's AcquireTokenOptions.AuthenticationOptionsName setting.

This means developers using a custom configuration section name (e.g., "MyEntraId", "EntraId", or any named options) cannot use agent identities correctly—the credential provider will always look for configuration in the "AzureAd" section.

Current Code

// In AgentIdentitiesExtension.ForAgentIdentity
options.ExtraParameters[Constants.MicrosoftIdentityOptionsParameter] = new MicrosoftEntraApplicationOptions
{
    ClientId = agentApplicationId,
    ClientCredentials = [ new CredentialDescription() {
        SourceType = CredentialSource.CustomSignedAssertion,
        CustomSignedAssertionProviderName = "OidcIdpSignedAssertion",
        CustomSignedAssertionProviderData = new Dictionary<string, object> {
            { "ConfigurationSection", "AzureAd" },      // ❌ HARDCODED
            { "RequiresSignedAssertionFmiPath", true },
        }
    }]
};

Expected Behavior

The ConfigurationSection should respect options.AuthenticationOptionsName if set:

string configurationSection = options.AuthenticationOptionsName ?? "AzureAd";

options.ExtraParameters[Constants.MicrosoftIdentityOptionsParameter] = new MicrosoftEntraApplicationOptions
{
    ClientId = agentApplicationId,
    ClientCredentials = [ new CredentialDescription() {
        SourceType = CredentialSource.CustomSignedAssertion,
        CustomSignedAssertionProviderName = "OidcIdpSignedAssertion",
        CustomSignedAssertionProviderData = new Dictionary<string, object> {
            { "ConfigurationSection", configurationSection },  // ✅ Use developer's choice
            { "RequiresSignedAssertionFmiPath", true },
        }
    }]
};

Flow Diagram

flowchart TD
    A["Developer sets AcquireTokenOptions.AuthenticationOptionsName = 'MyEntraId'"] --> B["Calls WithAgentIdentity(agentAppId)"]
    B --> C["ForAgentIdentity sets ConfigurationSection = 'AzureAd'"]
    C --> D["OidcIdpSignedAssertionProvider loads 'AzureAd' config"]
    D --> E["❌ Wrong credentials loaded"]
    
    A2["Expected Flow"] --> B2["ForAgentIdentity uses AuthenticationOptionsName ?? 'AzureAd'"]
    B2 --> C2["OidcIdpSignedAssertionProvider loads correct config"]
    C2 --> D2["✅ Correct credentials loaded"]

Inconsistency

Notably, AgentUserIdentityMsalAddIn.OnBeforeUserFicForAgentUserIdentityAsync does respect AuthenticationOptionsName:

string authenticationScheme = authenticationSchemeInformationProvider.GetEffectiveAuthenticationScheme(options.AuthenticationOptionsName);
ITokenAcquirer agentApplicationTokenAcquirer = tokenAcquirerFactory.GetTokenAcquirer(authenticationScheme);

But the OidcIdpSignedAssertionProvider credential configuration ignores it.

Table: AuthenticationOptionsName usage across agent identity flows

| Location | Uses AuthenticationOptionsName? |
| --- | --- |
| AgentUserIdentityMsalAddIn: GetEffectiveAuthenticationScheme | ✅ Yes |
| AgentUserIdentityMsalAddIn: optionsMonitor.Get(authenticationScheme) | ✅ Yes |
| ForAgentIdentity: ConfigurationSection | Hardcoded "AzureAd" |
| WithAgentUserIdentity: MicrosoftEntraApplicationOptions | ❌ No ConfigurationSection set |

Impact

  • Developers using named options / custom configuration sections cannot use WithAgentIdentity or WithAgentUserIdentity correctly
  • The OidcIdpSignedAssertionProvider will fail to find credentials or use wrong credentials
  • No workaround exists

Solution

Update ForAgentIdentity to use options.AuthenticationOptionsName ?? "AzureAd" for the ConfigurationSection.

Related

Confidence

High (95%+): The hardcoded value is clearly visible in the source and the fix is isolated to a single point.

Co-author: Bridge (with @jmprieur review)
</issue_description>

Comments on the Issue (you are @copilot in this section)
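To make the failure mode in the issue concrete, here is an added stand-alone example (not code from Microsoft.Identity.Web) that models how the section name handed to the signed-assertion provider decides which credentials are read. The `ResolveSection`, `LoadClientId` and the in-memory configuration are constructed for this illustration; the placeholder GUIDs are not real identifiers.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Extensions.Configuration;

// Added example: shows why a hardcoded "AzureAd" section silently loads nothing
// when the developer configured a differently named section.
static class ConfigurationSectionDemo
{
    // Mirrors the fix in the PR: honour the developer's named options,
    // fall back to "AzureAd" only when no name was set.
    public static string ResolveSection(string? authenticationOptionsName)
        => authenticationOptionsName ?? "AzureAd";

    // Hypothetical stand-in for the provider's lookup: read the ClientId
    // from whichever section it was told to use. Missing section => null.
    public static string? LoadClientId(IConfiguration config, string section)
        => config.GetSection(section)["ClientId"];

    public static void Main()
    {
        // Constructed configuration: the app only has a "MyEntraId" section.
        IConfiguration config = new ConfigurationBuilder()
            .AddInMemoryCollection(new Dictionary<string, string?>
            {
                ["MyEntraId:ClientId"] = "00000000-0000-0000-0000-00000000000a", // placeholder
                ["MyEntraId:TenantId"] = "00000000-0000-0000-0000-00000000000b", // placeholder
            })
            .Build();

        string developerChoice = "MyEntraId"; // AcquireTokenOptions.AuthenticationOptionsName

        // Before the fix: the section is hardcoded, so the lookup yields null
        // and the credential provider cannot find its settings.
        string? before = LoadClientId(config, "AzureAd");
        Console.WriteLine($"Hardcoded 'AzureAd' -> ClientId = {before ?? "<null>"}");

        // After the fix: the developer's section wins ...
        string resolved = ResolveSection(developerChoice);
        string? after = LoadClientId(config, resolved);
        Console.WriteLine($"Resolved '{resolved}' -> ClientId = {after}");

        // ... and the default still applies when no name is set.
        Console.WriteLine($"Unset name resolves to '{ResolveSection(null)}'");
    }
}
```

Running this prints `<null>` for the hardcoded lookup and the configured ClientId for the resolved one, which is the behaviour difference the PR's before/after snippets describe.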


Copilot AI changed the title [WIP] Fix hardcoded AzureAd configuration section in ForAgentIdentity Fix ForAgentIdentity hardcoded 'AzureAd' ConfigurationSection to respect AuthenticationOptionsName Nov 30, 2025
Copilot finished work on behalf of jmprieur November 30, 2025 02:25
Copilot AI requested a review from jmprieur November 30, 2025 02:25
@jmprieur jmprieur marked this pull request as ready for review November 30, 2025 15:26
@jmprieur jmprieur requested a review from a team as a code owner November 30, 2025 15:26
Development

Successfully merging this pull request may close these issues.

ForAgentIdentity hardcodes 'AzureAd' ConfigurationSection, ignores AuthenticationOptionsName
