From 8b61888d227fe14b3fd8bae82c421116b2a8ce3c Mon Sep 17 00:00:00 2001
From: Jan Hajek
Date: Tue, 1 Dec 2020 11:02:38 +0100
Subject: [PATCH] Add Common tenant to meta tenant identifiers and check for TenantId not to match when obtaining token via client_credentials flow. Fixes #793

---
 src/Microsoft.Identity.Web/TokenAcquisition.cs | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/Microsoft.Identity.Web/TokenAcquisition.cs b/src/Microsoft.Identity.Web/TokenAcquisition.cs
index b01513cbe..cf3eea5ce 100644
--- a/src/Microsoft.Identity.Web/TokenAcquisition.cs
+++ b/src/Microsoft.Identity.Web/TokenAcquisition.cs
@@ -86,6 +86,7 @@ public TokenAcquisition(
         private readonly ISet _metaTenantIdentifiers = new HashSet(
             new[]
             {
+                Constants.Common,
                 Constants.Organizations,
                 Constants.Consumers,
             },
@@ -276,6 +277,11 @@ public async Task GetAccessTokenForAppAsync(
                 throw new ArgumentException(IDWebErrorMessage.ClientCredentialTenantShouldBeTenanted, nameof(tenant));
             }
 
+            if (!string.IsNullOrEmpty(_microsoftIdentityOptions.TenantId) && _metaTenantIdentifiers.Contains(_microsoftIdentityOptions.TenantId))
+            {
+                throw new ArgumentException(IDWebErrorMessage.ClientCredentialTenantShouldBeTenanted, nameof(_microsoftIdentityOptions.TenantId));
+            }
+
             // Use MSAL to get the right token to call the API
             _application = await GetOrBuildConfidentialClientApplicationAsync().ConfigureAwait(false);
             string authority = CreateAuthorityBasedOnTenantIfProvided(_application, tenant);
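Review bot: The new guard on `_microsoftIdentityOptions.TenantId` in the second hunk fires even when the caller passes an explicit `tenant` argument, which — if `CreateAuthorityBasedOnTenantIfProvided` lets that argument override the configured tenant, as its name suggests — would reject a multi-tenant app configured with `common` or `organizations` that legitimately requests an app token for one specific tenant. Since the check just above already rejects a meta-tenant `tenant` argument, the configuration check should only run when no override is supplied: `if (string.IsNullOrEmpty(tenant) && !string.IsNullOrEmpty(_microsoftIdentityOptions.TenantId) && _metaTenantIdentifiers.Contains(_microsoftIdentityOptions.TenantId))`. Separately, `ArgumentException` with `nameof(_microsoftIdentityOptions.TenantId)` names a configuration property rather than a parameter of this method, so an `InvalidOperationException` (or an `ArgumentException` without a paramName) would describe the failure more honestly to callers. Whether the `Contains` lookup is case-insensitive depends on the comparer passed to the `HashSet`, which is cut off after `},` in the first hunk and should be confirmed, since `Common`/`common` would otherwise slip through. The body of `GetAccessTokenForAppAsync` starts and ends outside this hunk.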