[Bug] MergedOptions UpdateMergedOptionsFromMicrosoftIdentityOptions error

[JadynWong]

Which version of Microsoft Identity Web are you using?
Note that to get help, you need to run the latest version.
1.11.0
1.10.0

Where is the issue?

• Web app
  • Sign-in users
  • Sign-in users and call web APIs
• Web API
  • Protected web APIs (validating tokens)
  • Protected web APIs (validating scopes)
  • Protected web APIs call downstream web APIs
• Token cache serialization
  • In-memory caches
  • Session caches
  • Distributed caches
• Other (please describe)

Is this a new or an existing app?
The app is in development and I have upgraded to a new version of Microsoft Identity Web.

Repro

context.Services.AddAuthentication()
                .AddMicrosoftIdentityWebApp(
                    configuration: configuration,
                    configSectionName: "AzureAd",
                    openIdConnectScheme: OpenIdConnectDefaults.AuthenticationScheme,
                    cookieScheme: null,
                    subscribeToOpenIdConnectMiddlewareDiagnosticsEvents: false
                );

  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "contoso.com",
    "TenantId": "xxxxxxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "ClientId": "xxxxxxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "ClientSecret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "CallbackPath": "/signin-oidc",
    "SignedOutCallbackPath ": "/signout-callback-oidc",
    "ResponseType": "code id_token",
    "Scope": [ "email" ]
  },

microsoft-identity-web/src/Microsoft.Identity.Web/WebAppExtensions/MicrosoftIdentityWebAppAuthenticationBuilderExtensions.cs

Lines 275 to 291 in 222e76a

	builder.Services.AddOptions<OpenIdConnectOptions>(openIdConnectScheme)
	.Configure<IServiceProvider, IOptionsMonitor<MergedOptions>, IOptionsMonitor<MicrosoftIdentityOptions>, IOptions<MicrosoftIdentityOptions>>((
	options,
	serviceProvider,
	mergedOptionsMonitor,
	msIdOptionsMonitor,
	msIdOptions) =>
	{
	MergedOptions mergedOptions = mergedOptionsMonitor.Get(openIdConnectScheme);
	MergedOptions.UpdateMergedOptionsFromMicrosoftIdentityOptions(msIdOptions.Value, mergedOptions);
	MergedOptions.UpdateMergedOptionsFromMicrosoftIdentityOptions(msIdOptionsMonitor.Get(openIdConnectScheme), mergedOptions);
	MergedOptionsValidation.Validate(mergedOptions);
	PopulateOpenIdOptionsFromMergedOptions(options, mergedOptions);
	var b2cOidcHandlers = new AzureADB2COpenIDConnectEventHandlers(

microsoft-identity-web/src/Microsoft.Identity.Web/MergedOptions.cs

Lines 184 to 192 in 222e76a

	if (string.IsNullOrEmpty(mergedOptions.ResponseMode) && !string.IsNullOrEmpty(microsoftIdentityOptions.ResponseMode))
	{
	mergedOptions.ResponseMode = microsoftIdentityOptions.ResponseMode;
	}
	if (string.IsNullOrEmpty(mergedOptions.ResponseType) && !string.IsNullOrEmpty(microsoftIdentityOptions.ResponseType))
	{
	mergedOptions.ResponseType = microsoftIdentityOptions.ResponseType;
	}

Expected behavior
ResponseType should is code id_token
Scope should is openid profile email

Actual behavior
ResponseType should is id_token
Scope should is openid profile

Possible solution

 Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.Scope.Add("email");
    options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
});

Some properties of OpenIdConnectOptions have default values, such as ResponseType,Scope,ResponseMode etc.
There are some problems with the current MergedOptions method.

Additional context / logs / screenshots

[jmprieur]

Thanks @JadynWong for the heads-up and for your analysis

[jmprieur]

@JadynWong: this is fixed in 1.12.0