Implement binding for ExtraHeaderParameters and ExtraQueryParameters in BindableDownstreamApiOptions (#3563)

* Implement binding for ExtraHeaderParameters and ExtraQueryParameters in BindableDownstreamApiOptions

Co-authored-by: keegan-caruso <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: keegan-caruso <[email protected]>
Co-authored-by: Keegan Caruso <[email protected]>
Co-authored-by: Jean-Marc Prieur <[email protected]>
Co-authored-by: Keegan <[email protected]>

Author: 4 people

src/Microsoft.Identity.Web.Sidecar/DownstreamApiOptionsMerger.cs

@@ -63,6 +63,30 @@ public static DownstreamApiOptions MergeOptions(DownstreamApiOptions left, Downs
             }
         }
 
+        if (right.ExtraHeaderParameters is not null)
+        {
+            if (res.ExtraHeaderParameters is null)
+            {
+                res.ExtraHeaderParameters = new Dictionary<string, string>();
+            }
+            foreach (var extraHeader in right.ExtraHeaderParameters)
+            {
+                res.ExtraHeaderParameters[extraHeader.Key] = extraHeader.Value;
+            }
+        }
+
+        if (right.ExtraQueryParameters is not null)
+        {
+            if (res.ExtraQueryParameters is null)
+            {
+                res.ExtraQueryParameters = new Dictionary<string, string>();
+            }
+            foreach (var extraQueryParam in right.ExtraQueryParameters)
+            {
+                res.ExtraQueryParameters[extraQueryParam.Key] = extraQueryParam.Value;
+            }
+        }
+
         return res;
     }
 }

src/Microsoft.Identity.Web.Sidecar/Models/BindableDownstreamApiOptions.cs

@@ -121,6 +121,26 @@ public BindableDownstreamApiOptions()
             {
                 result.AcceptHeader = values.LastOrDefault() ?? string.Empty;
             }
+            else if (path.StartsWith("ExtraHeaderParameters.", StringComparison.OrdinalIgnoreCase))
+            {
+                var headerKey = path.Substring("ExtraHeaderParameters.".Length);
+                var headerValue = values.LastOrDefault();
+                if (!string.IsNullOrEmpty(headerKey) && !string.IsNullOrEmpty(headerValue))
+                {
+                    result.ExtraHeaderParameters ??= new Dictionary<string, string>();
+                    result.ExtraHeaderParameters[headerKey] = headerValue;
+                }
+            }
+            else if (path.StartsWith("ExtraQueryParameters.", StringComparison.OrdinalIgnoreCase))
+            {
+                var queryKey = path.Substring("ExtraQueryParameters.".Length);
+                var queryValue = values.LastOrDefault();
+                if (!string.IsNullOrEmpty(queryKey) && !string.IsNullOrEmpty(queryValue))
+                {
+                    result.ExtraQueryParameters ??= new Dictionary<string, string>();
+                    result.ExtraQueryParameters[queryKey] = queryValue;
+                }
+            }
         }
 
         return ValueTask.FromResult<BindableDownstreamApiOptions?>(result);

tests/E2E Tests/Sidecar.Tests/DownstreamApiEndpointTests.cs

@@ -631,4 +631,149 @@ public async Task DownstreamApi_WithNonExistentApiName_ReturnsBadRequestWithProb
         // Just verify it returns 400 - that's sufficient for this test
     }
 
+    [Fact]
+    public async Task DownstreamApi_WithExtraHeaderParametersOverride_PassesHeadersToOptionsAsync()
+    {
+        // Arrange
+        var responseContent = "{\"result\": \"success\"}";
+        var mockResponse = new HttpResponseMessage(HttpStatusCode.OK)
+        {
+            Content = new StringContent(responseContent, Encoding.UTF8, "application/json")
+        };
+
+        DownstreamApiOptions? capturedOptions = null;
+        var mockDownstreamApi = new Mock<IDownstreamApi>();
+        mockDownstreamApi
+            .Setup(x => x.CallApiAsync(It.IsAny<DownstreamApiOptions>(), It.IsAny<System.Security.Claims.ClaimsPrincipal>(), It.IsAny<HttpContent>(), It.IsAny<CancellationToken>()))
+            .Callback<DownstreamApiOptions, System.Security.Claims.ClaimsPrincipal, HttpContent?, CancellationToken>((options, _, _, _) =>
+            {
+                capturedOptions = options;
+            })
+            .ReturnsAsync(mockResponse);
+
+        var client = _factory.WithWebHostBuilder(builder =>
+        {
+            builder.ConfigureServices(services =>
+            {
+                TestAuthenticationHandler.AddAlwaysSucceedTestAuthentication(services);
+
+                services.Configure<DownstreamApiOptions>("test-api", options =>
+                {
+                    options.BaseUrl = "https://api.example.com";
+                    options.Scopes = ["user.read"];
+                });
+
+                services.AddSingleton(mockDownstreamApi.Object);
+            });
+        }).CreateClient();
+
+        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", "valid-token");
+
+        // Act
+        var response = await client.PostAsync("/DownstreamApi/test-api?OptionsOverride.ExtraHeaderParameters.X-Custom-Header=test-value&OptionsOverride.ExtraHeaderParameters.OData-Version=4.0", null);
+
+        // Assert
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        Assert.NotNull(capturedOptions?.ExtraHeaderParameters);
+        Assert.Equal("test-value", capturedOptions.ExtraHeaderParameters["X-Custom-Header"]);
+        Assert.Equal("4.0", capturedOptions.ExtraHeaderParameters["OData-Version"]);
+    }
+
+    [Fact]
+    public async Task DownstreamApi_WithExtraQueryParametersOverride_PassesQueryParametersToOptionsAsync()
+    {
+        // Arrange
+        var responseContent = "{\"result\": \"success\"}";
+        var mockResponse = new HttpResponseMessage(HttpStatusCode.OK)
+        {
+            Content = new StringContent(responseContent, Encoding.UTF8, "application/json")
+        };
+
+        DownstreamApiOptions? capturedOptions = null;
+        var mockDownstreamApi = new Mock<IDownstreamApi>();
+        mockDownstreamApi
+            .Setup(x => x.CallApiAsync(It.IsAny<DownstreamApiOptions>(), It.IsAny<System.Security.Claims.ClaimsPrincipal>(), It.IsAny<HttpContent>(), It.IsAny<CancellationToken>()))
+            .Callback<DownstreamApiOptions, System.Security.Claims.ClaimsPrincipal, HttpContent?, CancellationToken>((options, _, _, _) =>
+            {
+                capturedOptions = options;
+            })
+            .ReturnsAsync(mockResponse);
+
+        var client = _factory.WithWebHostBuilder(builder =>
+        {
+            builder.ConfigureServices(services =>
+            {
+                TestAuthenticationHandler.AddAlwaysSucceedTestAuthentication(services);
+
+                services.Configure<DownstreamApiOptions>("test-api", options =>
+                {
+                    options.BaseUrl = "https://api.example.com";
+                    options.Scopes = ["user.read"];
+                });
+
+                services.AddSingleton(mockDownstreamApi.Object);
+            });
+        }).CreateClient();
+
+        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", "valid-token");
+
+        // Act
+        var response = await client.PostAsync("/DownstreamApi/test-api?OptionsOverride.ExtraQueryParameters.param1=value1&OptionsOverride.ExtraQueryParameters.param2=value2", null);
+
+        // Assert
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        Assert.NotNull(capturedOptions?.ExtraQueryParameters);
+        Assert.Equal("value1", capturedOptions.ExtraQueryParameters["param1"]);
+        Assert.Equal("value2", capturedOptions.ExtraQueryParameters["param2"]);
+    }
+
+    [Fact]
+    public async Task DownstreamApi_WithBothExtraHeaderAndQueryParametersOverride_PassesBothToOptionsAsync()
+    {
+        // Arrange
+        var responseContent = "{\"result\": \"success\"}";
+        var mockResponse = new HttpResponseMessage(HttpStatusCode.OK)
+        {
+            Content = new StringContent(responseContent, Encoding.UTF8, "application/json")
+        };
+
+        DownstreamApiOptions? capturedOptions = null;
+        var mockDownstreamApi = new Mock<IDownstreamApi>();
+        mockDownstreamApi
+            .Setup(x => x.CallApiAsync(It.IsAny<DownstreamApiOptions>(), It.IsAny<System.Security.Claims.ClaimsPrincipal>(), It.IsAny<HttpContent>(), It.IsAny<CancellationToken>()))
+            .Callback<DownstreamApiOptions, System.Security.Claims.ClaimsPrincipal, HttpContent?, CancellationToken>((options, _, _, _) =>
+            {
+                capturedOptions = options;
+            })
+            .ReturnsAsync(mockResponse);
+
+        var client = _factory.WithWebHostBuilder(builder =>
+        {
+            builder.ConfigureServices(services =>
+            {
+                TestAuthenticationHandler.AddAlwaysSucceedTestAuthentication(services);
+
+                services.Configure<DownstreamApiOptions>("test-api", options =>
+                {
+                    options.BaseUrl = "https://api.example.com";
+                    options.Scopes = ["user.read"];
+                });
+
+                services.AddSingleton(mockDownstreamApi.Object);
+            });
+        }).CreateClient();
+
+        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", "valid-token");
+
+        // Act
+        var response = await client.PostAsync("/DownstreamApi/test-api?OptionsOverride.ExtraHeaderParameters.X-Test=header-val&OptionsOverride.ExtraQueryParameters.qparam=query-val", null);
+
+        // Assert
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        Assert.NotNull(capturedOptions?.ExtraHeaderParameters);
+        Assert.NotNull(capturedOptions?.ExtraQueryParameters);
+        Assert.Equal("header-val", capturedOptions.ExtraHeaderParameters["X-Test"]);
+        Assert.Equal("query-val", capturedOptions.ExtraQueryParameters["qparam"]);
+    }
+
 }

tests/E2E Tests/Sidecar.Tests/DownstreamApiOptionsMergeTests.cs

@@ -379,4 +379,178 @@ public void MergeDownstreamApiOptionsOverrides_WithEmptyStringOverrides_DoesNotO
         Assert.Equal("original-tenant", result.AcquireTokenOptions.Tenant);
         Assert.Equal("original-claims", result.AcquireTokenOptions.Claims);
     }
+
+    [Fact]
+    public void MergeDownstreamApiOptionsOverrides_WithExtraHeaderParameters_MergesHeaderParameters()
+    {
+        // Arrange
+        var left = new DownstreamApiOptions
+        {
+            ExtraHeaderParameters = new Dictionary<string, string>
+            {
+                { "Header1", "Value1" },
+                { "Header2", "Value2" }
+            }
+        };
+        var right = new DownstreamApiOptions
+        {
+            ExtraHeaderParameters = new Dictionary<string, string>
+            {
+                { "Header3", "Value3" },
+                { "Header4", "Value4" }
+            }
+        };
+
+        // Act
+        var result = DownstreamApiOptionsMerger.MergeOptions(left, right);
+
+        // Assert
+        Assert.NotNull(result.ExtraHeaderParameters);
+        Assert.Equal(4, result.ExtraHeaderParameters.Count);
+        Assert.Equal("Value1", result.ExtraHeaderParameters["Header1"]);
+        Assert.Equal("Value2", result.ExtraHeaderParameters["Header2"]);
+        Assert.Equal("Value3", result.ExtraHeaderParameters["Header3"]);
+        Assert.Equal("Value4", result.ExtraHeaderParameters["Header4"]);
+    }
+
+    [Fact]
+    public void MergeDownstreamApiOptionsOverrides_WithExtraHeaderParametersConflict_OverwritesWithRight()
+    {
+        // Arrange
+        var left = new DownstreamApiOptions
+        {
+            ExtraHeaderParameters = new Dictionary<string, string>
+            {
+                { "Header1", "OriginalValue" }
+            }
+        };
+        var right = new DownstreamApiOptions
+        {
+            ExtraHeaderParameters = new Dictionary<string, string>
+            {
+                { "Header1", "NewValue" },
+                { "Header2", "Value2" }
+            }
+        };
+
+        // Act
+        var result = DownstreamApiOptionsMerger.MergeOptions(left, right);
+
+        // Assert
+        Assert.NotNull(result.ExtraHeaderParameters);
+        Assert.Equal("NewValue", result.ExtraHeaderParameters["Header1"]);
+        Assert.Equal("Value2", result.ExtraHeaderParameters["Header2"]);
+    }
+
+    [Fact]
+    public void MergeDownstreamApiOptionsOverrides_WithExtraQueryParameters_MergesQueryParameters()
+    {
+        // Arrange
+        var left = new DownstreamApiOptions
+        {
+            ExtraQueryParameters = new Dictionary<string, string>
+            {
+                { "param1", "value1" },
+                { "param2", "value2" }
+            }
+        };
+        var right = new DownstreamApiOptions
+        {
+            ExtraQueryParameters = new Dictionary<string, string>
+            {
+                { "param3", "value3" },
+                { "param4", "value4" }
+            }
+        };
+
+        // Act
+        var result = DownstreamApiOptionsMerger.MergeOptions(left, right);
+
+        // Assert
+        Assert.NotNull(result.ExtraQueryParameters);
+        Assert.Equal(4, result.ExtraQueryParameters.Count);
+        Assert.Equal("value1", result.ExtraQueryParameters["param1"]);
+        Assert.Equal("value2", result.ExtraQueryParameters["param2"]);
+        Assert.Equal("value3", result.ExtraQueryParameters["param3"]);
+        Assert.Equal("value4", result.ExtraQueryParameters["param4"]);
+    }
+
+    [Fact]
+    public void MergeDownstreamApiOptionsOverrides_WithExtraQueryParametersConflict_OverwritesWithRight()
+    {
+        // Arrange
+        var left = new DownstreamApiOptions
+        {
+            ExtraQueryParameters = new Dictionary<string, string>
+            {
+                { "param1", "original-value" }
+            }
+        };
+        var right = new DownstreamApiOptions
+        {
+            ExtraQueryParameters = new Dictionary<string, string>
+            {
+                { "param1", "new-value" },
+                { "param2", "value2" }
+            }
+        };
+
+        // Act
+        var result = DownstreamApiOptionsMerger.MergeOptions(left, right);
+
+        // Assert
+        Assert.NotNull(result.ExtraQueryParameters);
+        Assert.Equal("new-value", result.ExtraQueryParameters["param1"]);
+        Assert.Equal("value2", result.ExtraQueryParameters["param2"]);
+    }
+
+    [Fact]
+    public void MergeDownstreamApiOptionsOverrides_WithRightExtraHeaderParametersButLeftNull_CreatesNewDictionary()
+    {
+        // Arrange
+        var left = new DownstreamApiOptions
+        {
+            ExtraHeaderParameters = null
+        };
+        var right = new DownstreamApiOptions
+        {
+            ExtraHeaderParameters = new Dictionary<string, string>
+            {
+                { "Header1", "Value1" }
+            }
+        };
+
+        // Act
+        var result = DownstreamApiOptionsMerger.MergeOptions(left, right);
+
+        // Assert
+        Assert.NotNull(result.ExtraHeaderParameters);
+        Assert.Single(result.ExtraHeaderParameters);
+        Assert.Equal("Value1", result.ExtraHeaderParameters["Header1"]);
+    }
+
+    [Fact]
+    public void MergeDownstreamApiOptionsOverrides_WithRightExtraQueryParametersButLeftNull_CreatesNewDictionary()
+    {
+        // Arrange
+        var left = new DownstreamApiOptions
+        {
+            ExtraQueryParameters = null
+        };
+        var right = new DownstreamApiOptions
+        {
+            ExtraQueryParameters = new Dictionary<string, string>
+            {
+                { "param1", "value1" }
+            }
+        };
+
+        // Act
+        var result = DownstreamApiOptionsMerger.MergeOptions(left, right);
+
+        // Assert
+        Assert.NotNull(result.ExtraQueryParameters);
+        Assert.Single(result.ExtraQueryParameters);
+        Assert.Equal("value1", result.ExtraQueryParameters["param1"]);
+    }
 }