Add unit tests with HTTP mocking for vanilla dSTS + fix Authority par…#3805
Merged
Conversation
Adds 7 HTTP-mocked unit tests for the vanilla dSTS (Dedicated Security Token Service) token-acquisition path in Microsoft.Identity.Web.
Per PR review feedback, dSTS users MUST configure 'Instance' (e.g. "https://{host}/dstsv2") and 'TenantId' separately. The single-string 'Authority' option is reserved for vanilla OIDC / CIAM scenarios and routes through MSAL.WithOidcAuthority(), which is incompatible with dSTS; configuring a dSTS-style URL there now throws an InvalidOperationException with a clear, actionable error message instead of letting MSAL surface its opaque "DSTS authority URI should have at least 2 segments..." error later.
Tests cover (canonical Instance + TenantId shape):
1. Token endpoint URI lock (POST to https://{host}/dstsv2/{tenant}/oauth2/v2.0/token)
2. Client_credentials grant body (grant_type, scope, client_id, client_secret)
3. Second-call cache hit (only one mock handler registered)
4. OAuth2 token-endpoint error -> MsalServiceException mapping
5. SendX5C=true -> client_assertion JWT header includes x5c
6. SendX5C=false -> x5c omitted
Plus 1 negative test:
7. Configuring dSTS URL via 'Authority' option -> InvalidOperationException with clear guidance to use Instance + TenantId
All tests use the existing MockHttpClientFactory infrastructure (no real network / Key Vault / cert) and run in any CI environment.
Implementation change in MergedOptions.ParseAuthorityIfNecessary: detects dSTS-shaped Authority (path segment "dstsv2") and throws an InvalidOperationException with a message that points users to the canonical Instance+TenantId shape. No public API changes.
XiaoxinMS2
force-pushed
the
zhanli1/dsts-unit-tests-with-http-mocking
branch
from
eedbd53 to
c625531
Compare
cpp11nullptr
reviewed
May 7, 2026
cpp11nullptr
approved these changes
May 7, 2026
…ithub.com/AzureAD/microsoft-identity-web into zhanli1/dsts-unit-tests-with-http-mocking
cpp11nullptr
approved these changes
May 11, 2026
bgavrilMS
approved these changes
May 11, 2026
Agent-Logs-Url: https://github.com/AzureAD/microsoft-identity-web/sessions/a57b074c-3d46-4620-904a-0bfda5451eae Co-authored-by: XiaoxinMS2 <223701223+XiaoxinMS2@users.noreply.github.com>
Contributor
|
Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details. Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
Contributor
Author
|
@microsoft-github-policy-service agree company="Microsoft" |
cpp11nullptr
approved these changes
May 21, 2026
This was referenced May 25, 2026
Merged
deps(nuget): Bump the microsoft-packages group with 1 update
Ellerbach/azure-ai-search-simulator#146
Merged
This was referenced May 26, 2026
Closed
github-actions Bot
pushed a commit
to EelcoLos/nx-tinkering
that referenced
this pull request
May 26, 2026
Updated [Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web) from 4.9.0 to 4.10.0. <details> <summary>Release notes</summary> _Sourced from [Microsoft.Identity.Web's releases](https://github.com/AzureAD/microsoft-identity-web/releases)._ ## 4.10.0 ### New features - Add `WithExtraBodyParameters` fluent API for attaching extra body parameters to token acquisition requests. See [#3819](AzureAD/microsoft-identity-web#3819). - Add `IConfidentialClientApplicationProvider` extensibility interface and `CachePartitionKey` support for silent token acquisition. See [#3822](AzureAD/microsoft-identity-web#3822). ### Bug fixes - Redirect URI sanitization in authorization scenarios; centralize redirect URI validation in a shared helper. See [#3825](AzureAD/microsoft-identity-web#3825). - Reject dSTS-shaped `Authority` values with a clearer exception, steering users to use `Instance` + `TenantId` instead. See [#3805](AzureAD/microsoft-identity-web#3805). - Improve regex handling and adding length/timeout safeguards for SameSite User Agent. See [#3811](AzureAD/microsoft-identity-web#3811). ### Behavior changes - **B2C OpenID Connect event handler: LRU cache for issuer address.** Issuer address lookups in the B2C OIDC event handler are now cached with an LRU cache, improving performance for repeated lookups. See [#3821](AzureAD/microsoft-identity-web#3821). ### Dependencies updates - Update MSAL.NET to 4.84.1. See [#3822](AzureAD/microsoft-identity-web#3822). - Pin `Microsoft.Kiota.Abstractions` to 1.22.0 for GraphServiceClient. See [#3817](AzureAD/microsoft-identity-web#3817). - Bump `uuid` and `@azure/msal-node` in SidecarAdapter TypeScript test app. See [#3826](AzureAD/microsoft-identity-web#3826). - Bump `qs` in SidecarAdapter TypeScript test app. See [#3829](AzureAD/microsoft-identity-web#3829). Commits viewable in [compare view](AzureAD/microsoft-identity-web@4.9.0...4.10.0). </details> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eelco Los <5102501+EelcoLos@users.noreply.github.com>
This was referenced May 26, 2026
Open
Merged
Closed
Open
Closed
Open
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
…sing
Adds 6 HTTP-mocked unit tests for the vanilla dSTS (Dedicated Security Token Service) token-acquisition path in Microsoft.Identity.Web, and fixes MergedOptions.ParseAuthorityIfNecessary so that the natural / documented dSTS configuration form works end-to-end:
Without the fix, the AAD-style parser took the literal "dstsv2" as the tenant and dropped the actual tenant GUID, producing an authority MSAL rejected with "The DSTS authority URI should have at least 2 segments...".
Tests cover: token endpoint URI; client_credentials grant body; second-call cache hit; OAuth2 error -> MsalServiceException mapping; SendX5C=true includes x5c JWT header; SendX5C=false omits it. All tests use the existing MockHttpClientFactory infrastructure (no real network / Key Vault / cert) and run in any CI environment.
No public API changes.
Add unit tests with HTTP mocking for vanilla dSTS scenarios + fix
Authority-only configurationSummary of the changes (Less than 80 chars)
Description
Adds 6 HTTP-mocked unit tests covering the vanilla dSTS (Dedicated Security Token Service) token-acquisition path in Microsoft.Identity.Web, and fixes a parser bug in
MergedOptions.ParseAuthorityIfNecessarythat prevented the natural / documented dSTS configuration form (options.Authority = "https://{host}/dstsv2/{tenantGuid}") from working.Both changes ship together because the new tests use the natural configuration form, which is the form the parser fix unblocks.
Vanilla dSTS support in Id.Web previously had zero unit-test coverage — the only assertion lived in integration tests that required a real dSTS deployment + Key Vault certificate, so they couldn't run in CI. Anyone refactoring
MergedOptions/TokenAcquirerFactorycould silently break dSTS token acquisition without any signal.Fixes #{bug number} (in this specific format)