From 80f660053da9d92e62178e08d7a5451b117d944a Mon Sep 17 00:00:00 2001
From: kawa
Date: Tue, 9 Jun 2026 17:32:58 +0200
Subject: [PATCH] Strip quotes/whitespace from Oidc config values
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

docker-compose's `environment` list form embeds literal quotes in the value (`- Oidc__TenantId=""` → the value is "" with quotes), producing a malformed Authority URL (…/""/v2.0). Metadata discovery then fails with IDX20803 and the Microsoft sign-in challenge 500s. The same trap on ClientSecret would silently break the token exchange. Trim surrounding quotes and whitespace from TenantId, ClientId and ClientSecret so a quoted env var no longer breaks OIDC.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
Program.cs | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/Program.cs b/Program.cs
index 9321fab..b6ac86c 100644
--- a/Program.cs
+++ b/Program.cs
@@ -110,9 +110,14 @@ else .AddOpenIdConnect(options => { var oidc = builder.Configuration.GetSection("Oidc"); - options.Authority = $"https://login.microsoftonline.com/{oidc["TenantId"]}/v2.0"; - options.ClientId = oidc["ClientId"]; - options.ClientSecret = oidc["ClientSecret"]; + // Strip accidental surrounding quotes/whitespace. docker-compose's `environment` list form + // (`- Oidc__TenantId=""`) embeds the literal quotes in the value, producing a malformed + // Authority (…/""/v2.0) that fails metadata discovery with IDX20803. Same trap on the + // secret would silently break the token exchange. Trim defensively. + static string Clean(string? v) => v?.Trim().Trim('"', '\'') ?? string.Empty; + options.Authority = $"https://login.microsoftonline.com/{Clean(oidc["TenantId"])}/v2.0"; + options.ClientId = Clean(oidc["ClientId"]); + options.ClientSecret = Clean(oidc["ClientSecret"]); options.ResponseType = OpenIdConnectResponseType.Code; // Do NOT persist the OIDC access/id/refresh tokens in the auth cookie. They are // never read (SharePoint/Graph auth runs through the separate connect flow +
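Review bot: `Clean` maps a missing or quoted-empty value to `string.Empty` without any signal, so the three assignments below it still accept the commit message's own example (`Oidc__TenantId=""`): the Authority becomes `https://login.microsoftonline.com//v2.0` and an empty `ClientSecret` is handed to the handler, with the failure surfacing only as a sign-in error. `Trim('"', '\'')` also removes every leading and trailing quote character rather than one matched pair, so a secret that legitimately begins or ends with a quote is silently altered. Suggest stripping a single matched pair only and throwing an `InvalidOperationException` that names the missing key (never the value) when the cleaned result is empty, as sketched below. The `AddOpenIdConnect` lambda continues past the end of this hunk.

```csharp
var oidc = builder.Configuration.GetSection("Oidc");
// … unchanged: comment explaining the docker-compose quoting trap …
static string Clean(string? v)
{
    var s = v?.Trim() ?? string.Empty;
    // Strip one matched pair only, so a value that merely starts or ends with a quote is kept.
    if (s.Length >= 2 && s[0] == s[^1] && (s[0] == '"' || s[0] == '\''))
    {
        s = s[1..^1];
    }
    return s;
}
string Required(string key)
{
    var value = Clean(oidc[key]);
    // Name the key only; the value may be the client secret and must not reach logs.
    return value.Length > 0
        ? value
        : throw new InvalidOperationException($"Oidc:{key} is missing or empty.");
}
options.Authority = $"https://login.microsoftonline.com/{Required("TenantId")}/v2.0";
options.ClientId = Required("ClientId");
options.ClientSecret = Required("ClientSecret");
```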