Add unit tests with HTTP mocking for vanilla dSTS scenarios

Adds 7 HTTP-mocked unit tests for the vanilla dSTS (Dedicated Security Token Service) token-acquisition path in Microsoft.Identity.Web.

Per PR review feedback, dSTS users MUST configure 'Instance' (e.g. "https://{host}/dstsv2") and 'TenantId' separately. The single-string 'Authority' option is reserved for vanilla OIDC / CIAM scenarios and routes through MSAL.WithOidcAuthority(), which is incompatible with dSTS; configuring a dSTS-style URL there now throws an InvalidOperationException with a clear, actionable error message instead of letting MSAL surface its opaque "DSTS authority URI should have at least 2 segments..." error later.

Tests cover (canonical Instance + TenantId shape):

  1. Token endpoint URI lock (POST to https://{host}/dstsv2/{tenant}/oauth2/v2.0/token)

  2. Client_credentials grant body (grant_type, scope, client_id, client_secret)

  3. Second-call cache hit (only one mock handler registered)

  4. OAuth2 token-endpoint error -> MsalServiceException mapping

  5. SendX5C=true -> client_assertion JWT header includes x5c

  6. SendX5C=false -> x5c omitted

Plus 1 negative test:

  7. Configuring dSTS URL via 'Authority' option -> InvalidOperationException with clear guidance to use Instance + TenantId

All tests use the existing MockHttpClientFactory infrastructure (no real network / Key Vault / cert) and run in any CI environment.

Implementation change in MergedOptions.ParseAuthorityIfNecessary: detects dSTS-shaped Authority (path segment "dstsv2") and throws an InvalidOperationException with a message that points users to the canonical Instance+TenantId shape. No public API changes.

Author: Zhan Li

src/Microsoft.Identity.Web.TokenAcquisition/MergedOptions.cs

@@ -20,11 +20,11 @@ namespace Microsoft.Identity.Web
     /// Options for configuring authentication using Azure Active Directory. It has both AAD and B2C configuration attributes.
     /// Merges the MicrosoftIdentityWebOptions and the ConfidentialClientApplicationOptions.
     /// </summary>
-    /*
-     * Used by Microsoft.Identity.Web, Microsoft.Identity.Web.OWIN
-     * Any changes to this member (including removal) can cause runtime failures.
-     * Treat as a public member.
-     */
+    /*
+     * Used by Microsoft.Identity.Web, Microsoft.Identity.Web.OWIN
+     * Any changes to this member (including removal) can cause runtime failures.
+     * Treat as a public member.
+     */
     internal sealed class MergedOptions : MicrosoftIdentityOptions
     {
         private ConfidentialClientApplicationOptions? _confidentialClientApplicationOptions;
@@ -63,18 +63,18 @@ public ConfidentialClientApplicationOptions ConfidentialClientApplicationOptions
         public LogLevel LogLevel { get; set; }
         public string? RedirectUri { get; set; }
         public bool EnableCacheSynchronization { get; set; }
-        /*
-         * Used by Microsoft.Identity.Web.OWIN
-         * Any changes to this member (including removal) can cause runtime failures.
-         * Treat as a public member.
-         */
+        /*
+         * Used by Microsoft.Identity.Web.OWIN
+         * Any changes to this member (including removal) can cause runtime failures.
+         * Treat as a public member.
+         */
         internal bool MergedWithCca { get; set; }
         // This is for supporting for CIAM authorities including custom url domains, see https://github.com/AzureAD/microsoft-identity-web/issues/2690
-        /*
-         * Used by Microsoft.Identity.Web
-         * Any changes to this member (including removal) can cause runtime failures.
-         * Treat as a public member.
-         */
+        /*
+         * Used by Microsoft.Identity.Web
+         * Any changes to this member (including removal) can cause runtime failures.
+         * Treat as a public member.
+         */
         internal bool PreserveAuthority { get; set; }
 
         /// <summary>
@@ -353,11 +353,11 @@ internal static void UpdateMergedOptionsFromMicrosoftIdentityOptions(MicrosoftId
             }
         }
 
-        /*
-         * Used by Microsoft.Identity.Web
-         * Any changes to this member (including removal) can cause runtime failures.
-         * Treat as a public member.
-         */
+        /*
+         * Used by Microsoft.Identity.Web
+         * Any changes to this member (including removal) can cause runtime failures.
+         * Treat as a public member.
+         */
         internal static void UpdateMergedOptionsFromConfidentialClientApplicationOptions(ConfidentialClientApplicationOptions confidentialClientApplicationOptions, MergedOptions mergedOptions)
         {
             mergedOptions.MergedWithCca = true;
@@ -466,11 +466,11 @@ internal static void UpdateConfidentialClientApplicationOptionsFromMergedOptions
             }
         }
 
-        /*
-         * Used by Microsoft.Identity.Web.OWIN
-         * Any changes to this member (including removal) can cause runtime failures.
-         * Treat as a public member.
-         */
+        /*
+         * Used by Microsoft.Identity.Web.OWIN
+         * Any changes to this member (including removal) can cause runtime failures.
+         * Treat as a public member.
+         */
         internal static void ParseAuthorityIfNecessary(MergedOptions mergedOptions, IdWebLogger.ILogger? logger = null)
         {
             // Check if Authority is configured but being ignored due to Instance/TenantId taking precedence
@@ -504,6 +504,28 @@ internal static void ParseAuthorityIfNecessary(MergedOptions mergedOptions, IdWe
                     int indexVersion = authoritySpan.Slice(indexTenant + 1).IndexOf('/');
                     int indexEndOfTenant = indexVersion == -1 ? authoritySpan.Length : indexVersion + indexTenant + 1;
 
+                    // dSTS authorities have the shape https://{host}/dstsv2/{tenantGuid}, i.e. TWO path
+                    // segments instead of the AAD-style single segment. By design (cf. PR review),
+                    // the single 'Authority' string is reserved for vanilla OIDC / CIAM scenarios,
+                    // which route through MSAL.WithOidcAuthority() — a path that is incompatible with
+                    // dSTS. dSTS users MUST configure 'Instance' and 'TenantId' separately so that
+                    // the request flows through MSAL.WithAuthority() instead.
+                    //
+                    // Detecting the "dstsv2" path segment here lets us bail with a clear, actionable
+                    // error message instead of letting the generic AAD parser silently drop the
+                    // tenant GUID, which would surface later as MSAL's opaque
+                    //   "The DSTS authority URI should have at least 2 segments..."
+                    ReadOnlySpan<char> firstPathSegment = authoritySpan.Slice(indexTenant + 1, indexEndOfTenant - indexTenant - 1);
+                    if (firstPathSegment.Equals("dstsv2".AsSpan(), StringComparison.OrdinalIgnoreCase))
+                    {
+                        throw new InvalidOperationException(
+                            "Configuring a dSTS authority via the single 'Authority' option is not supported. " +
+                            "The 'Authority' option targets vanilla OIDC / CIAM scenarios and routes through " +
+                            "MSAL.WithOidcAuthority(), which is incompatible with dSTS. " +
+                            "For dSTS, configure 'Instance' (e.g. \"https://{host}/dstsv2\") and 'TenantId' " +
+                            "(the dSTS tenant GUID) separately so the request flows through MSAL.WithAuthority().");
+                    }
+
                     // In CIAM and B2C, customers will use "authority", not Instance and TenantId
                     mergedOptions.Instance = mergedOptions.PreserveAuthority ? mergedOptions.Authority! : authoritySpan.Slice(0, indexTenant).ToString();
                     mergedOptions.TenantId = mergedOptions.PreserveAuthority ? null : authoritySpan.Slice(indexTenant + 1, indexEndOfTenant - indexTenant - 1).ToString();