[Bug] Issuer validation failed in AKS China for WorkloadIdentity auth

**Which version of MSAL Go are you using?**
v1.5.0

**Where is the issue?**
* Public client
    * [ ] Device code flow
    * [ ] Username/Password (ROPC grant)
    * [ ] Authorization code flow 
* Confidential client
    * [ ] Authorization code flow 
    * [ ] Client credentials:
        * [ ] client secret
        * [ ] client certificate
* Token cache serialization
     * [ ] In-memory cache
* Other (please describe)
     * [x] Workload Identity in AKS

**Is this a new or an existing app?**
The app is in production and I have upgraded to a new version of Microsoft Authentication Library for Go.

**What version of Go are you using (`go version`)?**
1.25

**What operating system and processor architecture are you using (`go env`)?**
Linux/amd64 (go env not available from user report)

**Repro**
Try establish authorization to AzureKeyVault via azidentity and WorkloadIdentityCredential on defult injected environment variables by China AKS (mainly AZURE_AUTHORIZED_HOST)

**Expected behavior**
WorkloadIdentity authentication and retriving access token to Azure resource (like KeyVault) should work without issue.

**Actual behavior**
Sdk failed when try retrive access token to KeyVault base on Workload Identity:

```	
WorkloadIdentityCredential: unable to resolve an endpoint: ResolveEndpoints(): TenantDiscoveryResponse: issuer from OIDC discovery '[https://login.partner.microsoftonline.cn/<my-tenant-guid>/v2.0'](https://login.partner.microsoftonline.cn/<my-tenant-guid>/v2.0%27) does not match authority '[https://login.chinacloudapi.cn/<my-tenant-guid>/'](https://login.chinacloudapi.cn/<my-tenant-guid>/%27) or a known pattern
```

It came from ValidateIssuerMatchesAuthority function: 
https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/e59524a3625784349c625cb75de443c7d4a2a94f/apps/internal/oauth/ops/authority/authority.go#L134

**Possible solution**
It looks that issuer validation method incorrectly treats legacy authorized host in China (login.chinacloudapi.cn), which is still used as default by AKS and Workload-Identity addon. 

AZURE_AUTHORIZED_HOST is set by AKS to login.chinacloudapi.cn which is on trusted host list here https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/e59524a3625784349c625cb75de443c7d4a2a94f/apps/internal/oauth/ops/authority/authority.go#L53 but issuer validation doesn's check it, but only looks to the aliases from instance discovery metadata: https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/e59524a3625784349c625cb75de443c7d4a2a94f/apps/internal/oauth/ops/authority/authority.go#L118

This could be fine but aliases aren't loaded buy this condition (base on trusted hosts): https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/e59524a3625784349c625cb75de443c7d4a2a94f/apps/internal/oauth/resolvers.go#L139

It looks that ValidateIssuerMatchesAuthority function should not only check issuerUrl on aliases list but also if it is trusted host. 
 
**Additional context / logs / screenshots**
---


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Bug] Issuer validation failed in AKS China for WorkloadIdentity auth #589

Additional context / logs / screenshots

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Bug] Issuer validation failed in AKS China for WorkloadIdentity auth #589

Description

Additional context / logs / screenshots

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions