use variable and only windows

source/Calamari.AzureWebApp/Integration/Websites/Publishing/ResourceManagerPublishProfileProvider.cs

@@ -42,6 +42,7 @@ public async Task<WebDeployPublishSettings> GetPublishProperties(IAzureAccount a
                                                                                account.ResourceManagementEndpointBaseUri,
                                                                                account.ActiveDirectoryEndpointBaseUri,
                                                                                account.AzureEnvironment,
+                                                                               (account as AzureOidcAccount).InstanceDiscoveryUri,
                                                                                CancellationToken.None)
                 : await AzureServicePrincipalAccountExtensions.GetAuthorizationToken(account.TenantId,
                                                                                      account.ClientId,

source/Calamari.CloudAccounts/AccountVariables.cs

@@ -12,5 +12,6 @@ public static class AccountVariables
         public static readonly string Jwt = "Octopus.OpenIdConnect.Jwt";
         public static readonly string ResourceManagementEndPoint = "Octopus.Action.Azure.ResourceManagementEndPoint";
         public static readonly string ActiveDirectoryEndPoint = "Octopus.Action.Azure.ActiveDirectoryEndPoint";
+        public static readonly string InstanceDiscoveryUri = "Octopus.OpenIdConnect.InstanceDiscoveryUri";
     }
 }

source/Calamari.CloudAccounts/AzureOidcAccount.cs

@@ -43,6 +43,7 @@ public AzureOidcAccount(IVariables variables)
             AzureEnvironment = variables.Get(AccountVariables.Environment);
             ResourceManagementEndpointBaseUri = variables.Get(AccountVariables.ResourceManagementEndPoint, DefaultVariables.ResourceManagementEndpoint);
             ActiveDirectoryEndpointBaseUri = variables.Get(AccountVariables.ActiveDirectoryEndPoint, DefaultVariables.OidcAuthContextUri);
+            InstanceDiscoveryUri = variables.Get(AccountVariables.InstanceDiscoveryUri);
         }
 
         public AccountType AccountType => AccountType.AzureOidc;
@@ -54,6 +55,7 @@ public AzureOidcAccount(IVariables variables)
         public string AzureEnvironment { get; }
         public string ResourceManagementEndpointBaseUri { get; }
         public string ActiveDirectoryEndpointBaseUri { get; }
+        public string InstanceDiscoveryUri { get; }
 
         internal static string GetDefaultScope(string environmentName)
         {

source/Calamari.CloudAccounts/AzureOidcAccountExtensions.cs

@@ -16,21 +16,28 @@ public static async Task<ServiceClientCredentials> Credentials(this AzureOidcAcc
 
         public static Task<string> GetAuthorizationToken(this AzureOidcAccount account, CancellationToken cancellationToken)
         {
-            return GetAuthorizationToken(account.TenantId, account.ClientId, account.GetCredentials,
-                                                   account.ResourceManagementEndpointBaseUri, account.ActiveDirectoryEndpointBaseUri, account.AzureEnvironment, cancellationToken);
+            return GetAuthorizationToken(
+                                         account.TenantId,
+                                         account.ClientId,
+                                         account.GetCredentials,
+                                         account.ResourceManagementEndpointBaseUri,
+                                         account.ActiveDirectoryEndpointBaseUri,
+                                         account.AzureEnvironment,
+                                         account.InstanceDiscoveryUri,
+                                         cancellationToken);
         }
 
-        public static async Task<string> GetAuthorizationToken(string tenantId, string applicationId, string token, string managementEndPoint, string activeDirectoryEndPoint, string aureEnvironment, CancellationToken cancellationToken)
+        public static async Task<string> GetAuthorizationToken(string tenantId, string applicationId, string token, string managementEndPoint, string activeDirectoryEndPoint, string aureEnvironment, string instanceDiscoveryUri, CancellationToken cancellationToken)
         {
             var authContext = GetOidcContextUri(activeDirectoryEndPoint, tenantId);
             Log.Verbose($"Authentication Context: {authContext}");
 
             var builder = ConfidentialClientApplicationBuilder.Create(applicationId)
                                                               .WithClientAssertion(token);
-
-            if (activeDirectoryEndPoint.Contains("localhost"))
+            
+            if (!string.IsNullOrEmpty(instanceDiscoveryUri))
             {
-                builder = builder.WithInstanceDiscoveryMetadata(new Uri($"{activeDirectoryEndPoint}/discovery"))
+                builder = builder.WithInstanceDiscoveryMetadata(new Uri(instanceDiscoveryUri))
                                  .WithAuthority(authContext, false);
             }
             else

source/Calamari.Tests/Oidc/TokenExchangeTest.cs

@@ -4,6 +4,8 @@
 using System.Threading;
 using System.Threading.Tasks;
 using Calamari.CloudAccounts;
+using Calamari.Common.Plumbing.Variables;
+using Calamari.Testing.Helpers;
 using FluentAssertions;
 using NUnit.Framework;
 using WireMock.RequestBuilders;
@@ -13,8 +15,11 @@
 namespace Calamari.Tests.Oidc
 {
     [TestFixture]
+    [Category(TestCategory.CompatibleOS.OnlyWindows)]
     public class TokenExchangeTest
     {
+        const string TestAccessToken = "access-token-123";
+
         [Test]
         public async Task ShouldGetAccessToken()
         {
@@ -36,7 +41,7 @@ public async Task ShouldGetAccessToken()
                                            {
                                                token_type = "Bearer",
                                                expires_in = 3599,
-                                               access_token = "access-123"
+                                               access_token = TestAccessToken
                                            })
                                   );
 
@@ -62,18 +67,23 @@ public async Task ShouldGetAccessToken()
                                                }
                                            }));
 
-                var account = new AzureOidcAccount(
-                                                   "1111-111111111111-11111111",
-                                                   "client-xxx",
-                                                   "tenant-xxx",
-                                                   "this shouldn't be needed",
-                                                   "fake-env",
-                                                   "https://management-url/.default",
-                                                   server.Url);
+                var variables = new CalamariVariables
+                {
+                    {AccountVariables.SubscriptionId, new Guid().ToString()},
+                    {AccountVariables.ClientId, "client-xxx"},
+                    {AccountVariables.TenantId, "tenant-xxx"},
+                    {AccountVariables.Jwt, "not needed"},
+                    {AccountVariables.Environment, "fake env"},
+                    {AccountVariables.ResourceManagementEndPoint, "https://management-url/.default"},
+                    {AccountVariables.ActiveDirectoryEndPoint, server.Url},
+                    {AccountVariables.InstanceDiscoveryUri, $"{server.Url}/discovery"},
+                };
+
+                var account = new AzureOidcAccount(variables);
 
                 var token = await account.GetAuthorizationToken(CancellationToken.None);
 
-                token.Should().Be("access-123");
+                token.Should().Be(TestAccessToken);
             }
         }
     }