.Net: Fix #13183: .NET — Kernel.AddOpenAIChatClient throws an error when us… #13198
…r when using the default HttpClient.
...ectors/Connectors.OpenAI/Extensions/OpenAIServiceCollectionExtensions.DependencyInjection.cs
…ceCollectionExtensions.DependencyInjection.cs Co-authored-by: Roger Barreto <19890735+rogerbarreto@users.noreply.github.com>
…lient method to ensure the correct use of innerHttpClient to avoid confusion
@iangithub Please run |
{ | ||
var defaultClient = HttpClientProvider.GetHttpClient(serviceProvider); | ||
// If using default client and it doesn't have BaseAddress set, create one with the endpoint | ||
if (defaultClient.BaseAddress is null) |
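Review bot: the branch under the if on defaultClient.BaseAddress replaces the client resolved from serviceProvider with a newly created one, so any handler, proxy, timeout or certificate-validation settings registered for the DI client will not apply to requests sent to the endpoint unless the new client is built on the same handler. The visible lines also do not show who owns and disposes the new client. Consider documenting in the comment that DI HttpClient configuration is bypassed in this branch, or setting the endpoint on a client obtained through the same provider path, and make the disposal responsibility explicit.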
Should we also check here if BaseAddress != endpoint?
I would expect that if a base address is set, but it isn't what the caller requested via endpoint, then we should not use the default client, but also create a new one with the desired alternative endpoint.
I think the issue is that AddOpenAIChatClient has both endpoint and httpClient. When these two settings are not consistent, it causes confusion about which one should take priority. For example, if both endpoint and httpClient are provided but httpClient.BaseAddress ≠ endpoint, this leads to a conflict.
Sure, but in this case only endpoint is being provided. The client from DI is the one that may potentially have a different base address set.
…dress doesn't match the endpoint, create one with the endpoint
Motivation and Context
Why is this change required?
When using AddOpenAIChatClient with a custom endpoint parameter but without providing a custom httpClient, the code would create an HttpClient without setting its BaseAddress property. This mismatch between the HttpClient configuration and the OpenAIClientOptions.Endpoint setting causes SSL/TLS handshake failures.
What problem does it solve?
This PR fixes the SSL connection error (System.ClientModel.ClientResultException: The SSL connection could not be established) that occurs when users call:
What scenario does it contribute to?
This enables users to easily connect to OpenAI-compatible endpoints (such as Azure OpenAI, local LLM servers, or other OpenAI-compatible APIs) without having to manually create and configure an HttpClient instance.
Fixes SSL connection failures when using custom endpoints with the default HttpClient.
Related Issue:
.Net: Bug: Kernel.AddOpenAIChatClient with default httpClient produces error #13183
Description
Changes made:
- Fixed invalid GetOpenAIClientOptions call in the first overload (lines 40-77):
  - Removed the unused GetOpenAIClientOptions call at lines 56-59
  - Added missing endpoint and orgId parameters to the GetOpenAIClientOptions call used in OpenAIClient construction
- Fixed SSL issue in the third overload with custom endpoint (lines 125-170):
  - Added logic to ensure the HttpClient has the correct BaseAddress when using a custom endpoint
  - When no custom httpClient is provided and the default client has no BaseAddress, creates a new HttpClient with BaseAddress set to the provided endpoint
  - This ensures consistency between the HttpClient.BaseAddress and OpenAIClientOptions.Endpoint, preventing SSL certificate validation failures
- Verified AddOpenAIEmbeddingGenerator methods:
  - Confirmed both overloads are correctly implemented with no similar issues
The root cause was that HttpClientPipelineTransport uses the HttpClient for making requests, but when the HttpClient.BaseAddress is null and the endpoint is only set in OpenAIClientOptions.Endpoint, the SSL/TLS handshake fails due to hostname mismatch during certificate validation.
The fix ensures that when a custom endpoint is provided, the HttpClient is properly configured with the matching BaseAddress, allowing SSL/TLS to validate the certificate correctly.
Contribution Checklist
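
The client-selection question discussed in this thread (default client with no BaseAddress, default client with a different BaseAddress, and caller-supplied client that conflicts with endpoint), written out as an added example; this is not code from the PR or from Semantic Kernel. EndpointClientResolver, SameOrigin and Resolve are hypothetical names, the host names are constructed, and throwing on a caller-supplied conflict is an assumed policy.

```csharp
#nullable enable
using System;
using System.Net.Http;

// Hypothetical helper for illustration; not a Semantic Kernel type.
public static class EndpointClientResolver
{
    // True when both URIs share scheme, host and port (path and query are ignored).
    public static bool SameOrigin(Uri? baseAddress, Uri endpoint) =>
        baseAddress is not null &&
        Uri.Compare(baseAddress, endpoint, UriComponents.SchemeAndServer,
            UriFormat.Unescaped, StringComparison.OrdinalIgnoreCase) == 0;

    // Returns the client to use and whether the caller must dispose it.
    public static (HttpClient Client, bool Owned) Resolve(
        HttpClient? callerClient, HttpClient defaultClient, Uri endpoint)
    {
        if (callerClient is not null)
        {
            // Both settings supplied: fail loudly instead of picking one silently.
            // (Assumed policy; the PR thread does not settle which should win.)
            if (callerClient.BaseAddress is not null &&
                !SameOrigin(callerClient.BaseAddress, endpoint))
            {
                throw new ArgumentException(
                    $"httpClient.BaseAddress ({callerClient.BaseAddress}) conflicts with endpoint ({endpoint}).");
            }
            return (callerClient, false);
        }

        // Reuse the DI client only when it already targets the requested origin.
        if (SameOrigin(defaultClient.BaseAddress, endpoint))
        {
            return (defaultClient, false);
        }

        // Unset or different BaseAddress: build a dedicated client for the endpoint.
        // Note: a bare HttpClient does not inherit the DI client's handler settings.
        return (new HttpClient { BaseAddress = endpoint }, true);
    }

    public static void Main()
    {
        var endpoint = new Uri("https://llm.example.test/v1"); // constructed sample
        using var shared = new HttpClient { BaseAddress = new Uri("https://other.example.test/") };
        var (client, owned) = Resolve(null, shared, endpoint);
        Console.WriteLine($"{client.BaseAddress} owned={owned}");
        if (owned) { client.Dispose(); }
    }
}
```

Comparing origins rather than full URIs keeps a default client registered for the same host usable even when the endpoint carries a path such as /v1.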