Issue Generating token after registering hosted service

[medbalighhamdi]

Microsoft.Identity.Web Library

Microsoft.Identity.Web.DownstreamApi

Microsoft.Identity.Web version

2.18.1

Web app

Sign-in users

Web API

Protected web APIs (validating tokens)

Token cache serialization

In-memory caches

Description

Observed Issue

I am getting the following error, only when adding a hosted service on applcation startup:

Cannot use WithTenantId(tenantId) in the application builder, because the authority Generic doesn't support it.

I precise that the error is not reproduced when I remove my hosted service that I register with classic aspnet core AddHostedService<> method.

Reproduction steps

1. I add a hosted service that calls to an external service using CallApiForAppAsync method.

• I use the following authentication configuration:

 .AddMicrosoftIdentityWebApiAuthentication(
           configuration,
           DownstreamApiTokens.AzureAdToken.ConfigValue)
 .EnableTokenAcquisitionToCallDownstreamApi()
 .AddMicrosoftGraph(graphApiSection)
 .AddDownstreamApi(downstreamService1Name,
       downstreamService1Configuration)
 .AddDownstreamApi(downstreamService2Name,
       downstreamService2Configuration)
 .AddInMemoryTokenCaches()

• After this config, I register my hosted service using the following line:

services.AddHostedService<ReplicasInitalizationHostedService>();

Please note that the hosted service calls the downstream service 1 declared in the above authentication configuration.

Azure Ad Configuration on appsettings.json level:

"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "TenantId": "XXXXXX-XXX-XXXX-XXXX-XXXXXXX",
  "ClientId": "XXXXX-XXXX-XXXX-XXX-XXXXXXXXX",
  "Scopes": "openid email profile app.read offline_access access_as_user",
  "ClientSecret": "XXXXX"
}

Service config section:

 "DownstreamService2": {
   "BaseUrl": "https://serice2url/api/v1",
   "RequestAppToken": true,
   "Scopes": [ "api://XXXX-XX-XX-X-XXXXX/.default" ]
 },
"DownstreamService1": {
  "BaseUrl": "https://service1url/api/v1/data",
  "RequestAppToken": true,
  "Scopes": [ "api://XXXX-XX-XXXX-XX-XXXX/.default" ]
},

Please note that I am not using a cross organization instance in my Azure Ad configuration.

2. I run my API, this calls the hosted service which executes successfully. For calling the external service, I use IDownstreamApi interface like the following:

 var httpResult = await DownstreamApi.CallApiForAppAsync(
    ServiceName,
    !string.IsNullOrEmpty(computedRelativeUri) ?
        options =>
        {
            options.RelativePath = $"{computedRelativeUri}";
        }
: null,
    null,
    cancellationToken).ConfigureAwait(false);

httpResult.EnsureSuccessStatusCode();

var proxyResult = await httpResult.Content.ReadFromJsonAsync<T>
   (JsonSerializationStrategies.PermessiveJsonTextStrategy, cancellationToken);
return (proxyResult, httpResult.StatusCode);

The hosted service executes successfully without erros.

3. When I try to downstreamService 2, I have the following error:

Cannot use WithTenantId(tenantId) in the application builder, because the authority Generic doesn't support it.

I am using the same code for calling downstream service 2 as for service 1.

Error message

Cannot use WithTenantId(tenantId) in the application builder, because the authority Generic doesn't support it.

Please notre that I only get this error message when I run the hosted service.

Id Web logs

An error occurred: Cannot use WithTenantId(tenantId) in the application builder, because the authority Generic doesn't support it.
MSAL.NetCore.4.60.3.0.MsalClientException:
ErrorCode: tenant_override_non_aad
Microsoft.Identity.Client.MsalClientException: Cannot use WithTenantId(tenantId) in the application builder, because the authority Generic doesn't support it.
at Microsoft.Identity.Client.BaseAbstractApplicationBuilder1.ResolveAuthority() at Microsoft.Identity.Client.AbstractApplicationBuilder1.BuildConfiguration()
at Microsoft.Identity.Client.ConfidentialClientApplicationBuilder.BuildConcrete()
at Microsoft.Identity.Client.ConfidentialClientApplicationBuilder.Build()
at Microsoft.Identity.Web.TokenAcquisition.BuildConfidentialClientApplicationAsync(MergedOptions mergedOptions)
at Microsoft.Identity.Web.TokenAcquisition.GetOrBuildConfidentialClientApplicationAsync(MergedOptions mergedOptions)
at Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForAppAsync(String scope, String authenticationScheme, String tenant, TokenAcquisitionOptions tokenAcquisitionOptions)
at Microsoft.Identity.Web.DefaultAuthorizationHeaderProvider.CreateAuthorizationHeaderForAppAsync(String scopes, AuthorizationHeaderProviderOptions downstreamApiOptions, CancellationToken cancellationToken)
at Microsoft.Identity.Web.DownstreamApi.UpdateRequestAsync(HttpRequestMessage httpRequestMessage, HttpContent content, DownstreamApiOptions effectiveOptions, Boolean appToken, ClaimsPrincipal user, CancellationToken cancellationToken)
at Microsoft.Identity.Web.DownstreamApi.CallApiInternalAsync(String serviceName, DownstreamApiOptions effectiveOptions, Boolean appToken, HttpContent content, ClaimsPrincipal user, CancellationToken cancellationToken)
at....

Relevant code snippets

var httpResult = await DownstreamApi.CallApiForAppAsync(
    ServiceName,
    !string.IsNullOrEmpty(computedRelativeUri) ?
        options =>
        {
            options.RelativePath = $"{computedRelativeUri}";
        }
: null,
    null,
    cancellationToken).ConfigureAwait(false);

httpResult.EnsureSuccessStatusCode();

var proxyResult = await httpResult.Content.ReadFromJsonAsync<T>
   (JsonSerializationStrategies.PermessiveJsonTextStrategy, cancellationToken);
return (proxyResult, httpResult.StatusCode);

Regression

No response

Expected behavior

I expect the token to be acquired succesfully for the configured downstream service 2