Fix for #5809

Author: bgavrilMS

src/client/Microsoft.Identity.Client/Instance/Discovery/NetworkMetadataProvider.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Linq;
 using System.Globalization;
+using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Identity.Client.Http;
 using Microsoft.Identity.Client.OAuth2;
@@ -21,15 +22,24 @@ internal class NetworkMetadataProvider : INetworkMetadataProvider
         private readonly IHttpManager _httpManager;
         private readonly INetworkCacheMetadataProvider _networkCacheMetadataProvider;
         private readonly Uri _userProvidedInstanceDiscoveryUri; // can be null
+        private readonly int _instanceDiscoveryTimeoutMs;
+
+        /// <summary>
+        /// Default timeout for instance discovery network calls.
+        /// Prevents waiting for the full HttpClient timeout (100s) when the discovery endpoint is unreachable.
+        /// </summary>
+        internal const int DefaultInstanceDiscoveryTimeoutMs = 10_000;
 
         public NetworkMetadataProvider(
             IHttpManager httpManager,
             INetworkCacheMetadataProvider networkCacheMetadataProvider,
-            Uri userProvidedInstanceDiscoveryUri = null)
+            Uri userProvidedInstanceDiscoveryUri = null,
+            int instanceDiscoveryTimeoutMs = DefaultInstanceDiscoveryTimeoutMs)
         {
             _httpManager = httpManager ?? throw new ArgumentNullException(nameof(httpManager));
             _networkCacheMetadataProvider = networkCacheMetadataProvider ?? throw new ArgumentNullException(nameof(networkCacheMetadataProvider));
             _userProvidedInstanceDiscoveryUri = userProvidedInstanceDiscoveryUri; // can be null
+            _instanceDiscoveryTimeoutMs = instanceDiscoveryTimeoutMs;
         }
 
         public async Task<InstanceDiscoveryMetadataEntry> GetMetadataAsync(Uri authority, RequestContext requestContext)
@@ -83,11 +93,25 @@ private async Task<InstanceDiscoveryResponse> SendInstanceDiscoveryRequestAsync(
 
             Uri instanceDiscoveryEndpoint = ComputeHttpEndpoint(authority, requestContext);
 
-            InstanceDiscoveryResponse discoveryResponse = await client
-                .DiscoverAadInstanceAsync(instanceDiscoveryEndpoint, requestContext)
-                .ConfigureAwait(false);
+            using var timeoutCts = new CancellationTokenSource(_instanceDiscoveryTimeoutMs);
+            using var linkedCts = CancellationTokenSource.CreateLinkedTokenSource(
+                requestContext.UserCancellationToken, timeoutCts.Token);
 
-            return discoveryResponse;
+            CancellationToken originalToken = requestContext.UserCancellationToken;
+            requestContext.UserCancellationToken = linkedCts.Token;
+
+            try
+            {
+                InstanceDiscoveryResponse discoveryResponse = await client
+                    .DiscoverAadInstanceAsync(instanceDiscoveryEndpoint, requestContext)
+                    .ConfigureAwait(false);
+
+                return discoveryResponse;
+            }
+            finally
+            {
+                requestContext.UserCancellationToken = originalToken;
+            }
         }
 
         private Uri ComputeHttpEndpoint(Uri authority, RequestContext requestContext)

src/client/Microsoft.Identity.Client/Internal/RequestContext.cs

@@ -27,12 +27,12 @@ internal class RequestContext
         /// </summary>
         public ApiEvent ApiEvent { get; set; }
 
-        public CancellationToken UserCancellationToken { get; }
+        public CancellationToken UserCancellationToken { get; set; }
 
         public X509Certificate2 MtlsCertificate { get; }
 
         public bool IsAttestationRequested { get; set; }
-        
+
         public bool IsMtlsRequested { get; set; }
 
         public RequestContext(IServiceBundle serviceBundle, Guid correlationId, X509Certificate2 mtlsCertificate, CancellationToken cancellationToken = default)

tests/Microsoft.Identity.Test.Unit/PublicApiTests/InstanceDiscoveryTests.cs

@@ -212,5 +212,47 @@ public async Task InstanceDiscoveryFailure_IsCached_NotRetriedOnSubsequentCalls_
                 // MockHttpManager.Dispose() asserts all handlers were consumed and no extra calls were made
             }
         }
+
+        [TestMethod]
+        [WorkItem(5805)] // https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/5805
+        public async Task InstanceDiscoveryTimeout_FallsBackAndCachesResult_Async()
+        {
+            using (var httpManager = new MockHttpManager(disableInternalRetries: true))
+            {
+                // Arrange - use an authority unknown to MSAL so instance discovery goes to the network
+                var app = ConfidentialClientApplicationBuilder.Create(TestConstants.ClientId)
+                                                              .WithAuthority(TestConstants.AuthorityNotKnownTenanted)
+                                                              .WithClientSecret(TestConstants.ClientSecret)
+                                                              .WithHttpManager(httpManager)
+                                                              .BuildConcrete();
+
+                // First call: instance discovery times out (TaskCanceledException is what HttpClient
+                // throws on timeout), then token endpoint succeeds
+                httpManager.AddMockHandler(new MockHttpMessageHandler()
+                {
+                    ExpectedMethod = HttpMethod.Get,
+                    ExceptionToThrow = new TaskCanceledException("simulated timeout")
+                });
+                httpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage();
+
+                var result1 = await app.AcquireTokenForClient(TestConstants.s_scope.ToArray())
+                                       .ExecuteAsync(CancellationToken.None)
+                                       .ConfigureAwait(false);
+
+                Assert.AreEqual(TokenSource.IdentityProvider, result1.AuthenticationResultMetadata.TokenSource);
+
+                // Second call with a different scope to force a new token request from the STS.
+                // Only mock the token endpoint — NO instance discovery mock.
+                // If instance discovery were retried, the test would fail because
+                // MockHttpManager would receive an unexpected HTTP call.
+                httpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage();
+
+                var result2 = await app.AcquireTokenForClient(TestConstants.s_scopeForAnotherResource.ToArray())
+                                       .ExecuteAsync(CancellationToken.None)
+                                       .ConfigureAwait(false);
+
+                Assert.AreEqual(TokenSource.IdentityProvider, result2.AuthenticationResultMetadata.TokenSource);
+            }
+        }
     }
 }