.Net: Fix #13183: .NET — Kernel.AddOpenAIChatClient throws an error when us… #13198
Motivation and Context
Why is this change required?
When using AddOpenAIChatClient with a custom endpoint parameter but without providing a custom httpClient, the code would create an HttpClient without setting its BaseAddress property. This mismatch between the HttpClient configuration and the OpenAIClientOptions.Endpoint setting causes SSL/TLS handshake failures.
What problem does it solve?
This PR fixes the SSL connection error (System.ClientModel.ClientResultException: The SSL connection could not be established) that occurs when users call:
What scenario does it contribute to?
This enables users to easily connect to OpenAI-compatible endpoints (such as Azure OpenAI, local LLM servers, or other OpenAI-compatible APIs) without having to manually create and configure an HttpClient instance.
Fixes SSL connection failures when using custom endpoints with the default HttpClient.
Related Issue:
.Net: Bug: Kernel.AddOpenAIChatClient with default httpClient produces error #13183
Description
Changes made:
Fixed invalid GetOpenAIClientOptions call in the first overload (lines 40-77):
  - Removed the unused GetOpenAIClientOptions call at lines 56-59
  - Added missing endpoint and orgId parameters to the GetOpenAIClientOptions call used in OpenAIClient construction
Fixed SSL issue in the third overload with custom endpoint (lines 125-170):
  - Added logic to ensure the HttpClient has the correct BaseAddress when using a custom endpoint
  - When no custom httpClient is provided and the default client has no BaseAddress, creates a new HttpClient with BaseAddress set to the provided endpoint
  - This ensures consistency between the HttpClient.BaseAddress and OpenAIClientOptions.Endpoint, preventing SSL certificate validation failures
Verified AddOpenAIEmbeddingGenerator methods:
  - Confirmed both overloads are correctly implemented with no similar issues
The root cause was that HttpClientPipelineTransport uses the HttpClient for making requests, but when the HttpClient.BaseAddress is null and the endpoint is only set in OpenAIClientOptions.Endpoint, the SSL/TLS handshake fails due to hostname mismatch during certificate validation.
The fix ensures that when a custom endpoint is provided, the HttpClient is properly configured with the matching BaseAddress, allowing SSL/TLS to validate the certificate correctly.
Contribution Checklist