Throw an ArgumentException if tenant is 'common' or 'organizations' for acquire token for app scenarios #795
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -86,6 +86,7 @@ public TokenAcquisition( | |
| private readonly ISet<string> _metaTenantIdentifiers = new HashSet<string>( | ||
| new[] | ||
| { | ||
| Constants.Common, | ||
| Constants.Organizations, | ||
| Constants.Consumers, | ||
| }, | ||
|
|
@@ -276,6 +277,11 @@ public async Task<string> GetAccessTokenForAppAsync( | |
| throw new ArgumentException(IDWebErrorMessage.ClientCredentialTenantShouldBeTenanted, nameof(tenant)); | ||
| } | ||
|
|
||
| if (!string.IsNullOrEmpty(_microsoftIdentityOptions.TenantId) && _metaTenantIdentifiers.Contains(_microsoftIdentityOptions.TenantId)) | ||
|
There was a problem hiding this comment. This isn't needed. We already are checking the tenant in the lines above (starting line 274), and the developer needs to specifically pass in the tenant in this method, so it doesn't matter what the tenant is with the options. They could even be different tenants, we just care about the one passed in. There was a problem hiding this comment. I am not 100% sure about that, since it either takes the provided tenant or uses the Authority (https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web/TokenAcquisition.cs#L703) passed from within the options passed to MSAL, that's why I added this part. The reason is to cover a scenario, where someone sets up the authority in settings as I am perfectly fine with removing it of course. Please let me know, what makes more sense. There was a problem hiding this comment. @hajekj I see. thanks for the explanation. I would propose something like this starting on line 274: if (string.IsNullOrEmpty(tenant))
{
tenant = _applicationOptions.TenantId ?? _microsoftIdentityOptions.TenantId;
}
if (!string.IsNullOrEmpty(tenant) && _metaTenantIdentifiers.Contains(tenant))
{
throw new ArgumentException(IDWebErrorMessage.ClientCredentialTenantShouldBeTenanted, nameof(tenant));
}then we'll always have a value for the tenant, or not, and it will be handled before we create the authority. and the authority will have the tenanted value. There was a problem hiding this comment. PS...i haven't tested it, just a thought. There was a problem hiding this comment. Looks good to me. I have added the change and tested locally with very limited scenario. Seems to work fine, but would be great to hook it up with some more tests, especially when the application is configured as multi-tenant with |
||
| { | ||
| throw new ArgumentException(IDWebErrorMessage.ClientCredentialTenantShouldBeTenanted, nameof(_microsoftIdentityOptions.TenantId)); | ||
| } | ||
|
|
||
| // Use MSAL to get the right token to call the API | ||
| _application = await GetOrBuildConfidentialClientApplicationAsync().ConfigureAwait(false); | ||
| string authority = CreateAuthorityBasedOnTenantIfProvided(_application, tenant); | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is the only fix that is needed. Can you add a test as well? or modify an existing test?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure! Will add it tomorrow.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@hajekj Actually, nevermind on the tests, you'll need access to our KeyVault to run the tests that would cover this. If you can take a look at the comment above, and then once we merge this, i will add the test(s). If you can test manually though and share the results (assuming it works), that would be helpful.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added a branch with some additional tests for the work you have here. will merge after we merge this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me!