
[Bug] AbstractAcquireTokenParameterBuilder<T>.WithTenantId() should be supported for CIAM authorities

See original GitHub issue

When doing an OBO, if no tenant is specified, it should be possible to set the tenant to the user tenant (from the tid claim). This will come as a GUID, whereas the authority, in the case of CIAM, is a domain name.

This is blocking Microsoft.Identity.Web OBO samples for CIAM.

Logs and network traces

Microsoft.Identity.Client.dll!Microsoft.Identity.Client.AbstractAcquireTokenParameterBuilder<Microsoft.Identity.Client.AcquireTokenOnBehalfOfParameterBuilder>.WithTenantId(string tenantId) Line 272 C#
Microsoft.Identity.Web.TokenAcquisition.dll!Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForWebApiToCallDownstreamApiAsync(Microsoft.Identity.Client.IConfidentialClientApplication application, string tenantId, System.Collections.Generic.IEnumerable<string> scopes, Microsoft.Identity.Web.TokenAcquisitionOptions tokenAcquisitionOptions, Microsoft.Identity.Web.MergedOptions mergedOptions) Line 727 C#
Microsoft.Identity.Web.TokenAcquisition.dll!Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForUserAsync(System.Collections.Generic.IEnumerable<string> scopes, string authenticationScheme, string tenantId, string userFlow, System.Security.Claims.ClaimsPrincipal user, Microsoft.Identity.Web.TokenAcquisitionOptions tokenAcquisitionOptions) Line 243 C#
Microsoft.Identity.Web.TokenAcquisition.dll!Microsoft.Identity.Web.TokenAcquisition.GetAccessTokenForUserAsync(System.Collections.Generic.IEnumerable<string> scopes, string authenticationScheme, string tenantId, string userFlow, System.Security.Claims.ClaimsPrincipal user, Microsoft.Identity.Web.TokenAcquisitionOptions tokenAcquisitionOptions) Line 500 C#
Microsoft.Identity.Web.TokenAcquisition.dll!Microsoft.Identity.Web.ITokenAcquisition.GetAccessTokenForUserAsync(System.Collections.Generic.IEnumerable<string> scopes, string tenantId, string userFlow, System.Security.Claims.ClaimsPrincipal user, Microsoft.Identity.Web.TokenAcquisitionOptions tokenAcquisitionOptions) Line 42 C#
TodoListService.dll!TodoListService.Controllers.TodoListController.GetAsync() Line 57 C#

Which version of MSAL.NET are you using? 4.54.1

What authentication flow has the issue? [x] On-Behalf-Of

Other? With a CIAM authority

Is this a new or existing app?

    // Caller of WithTenantId in Microsoft.Identity.Web (TokenAcquisition):
    // resolve the signed-in user from the incoming request.
    ClaimsPrincipal? user = _tokenAcquisitionHost.GetUserFromRequest();
    var userTenant = string.Empty;
    if (user != null)
    {
        // Tenant of the caller, read from the tid claim (a GUID).
        userTenant = user.GetTenantId();
        builder.WithCcsRoutingHint(user.GetObjectId(), userTenant);
    }
    if (!string.IsNullOrEmpty(tenantId))
    {
        // An explicit tenant was requested by the app.
        builder.WithTenantId(tenantId);
    }
    else
    {
        // No explicit tenant: fall back to the user's tenant. With a CIAM
        // authority this is the call that throws in MSAL.NET 4.54.1.
        if (!string.IsNullOrEmpty(userTenant))
        {
            builder.WithTenantId(userTenant);
        }
    }

Actual behavior Exception: Microsoft.Identity.Client.MsalClientException: 'WithTenantId can only be used when an AAD authority is specified at the application level.'

Expected behavior It should be possible to override the tenant with a CIAM authority. It’s not up to MSAL.NET to decide if the IdP will reject it or not (it won’t in that case).

Possible solution AuthorityInfo.IsTenantOverrideSupported should be set to true for CIAM authority

Additional context / logs / screenshots / links to code
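As an added example (not code from the issue, from MSAL.NET or from Microsoft.Identity.Web), the following console program shows how a web API doing OBO can derive the tenant override from the caller's tid claim, validate that it is a well-formed GUID before handing it to WithTenantId, and check afterwards that the token it got back really belongs to the tenant it asked for. The client id, client secret and authority are placeholders; the GUID used in Main is the one from the integration-test authority quoted in the comments and is only sample data here. On MSAL.NET 4.54.1 with a CIAM authority, the WithTenantId call throws the MsalClientException reported above; the example turns that into a configuration error with context instead of silently dropping the override.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Identity.Client; // NuGet: Microsoft.Identity.Client

// Constructed example: OBO with a tenant override taken from the caller's claims.
public static class CiamOboExample
{
    // Placeholders: replace with the values of your own app registration.
    private const string ClientId = "<client-id-placeholder>";
    private const string ClientSecret = "<client-secret-placeholder>";
    private const string CiamAuthority = "https://<your-tenant>.ciamlogin.com/";

    // Returns the tenant id to override with, normalised to the "D" GUID format,
    // or null when the claim is absent or is not a GUID. A domain-name tenant or
    // any other non-GUID value is never forwarded to WithTenantId.
    public static string? TenantIdFromClaims(ClaimsPrincipal user)
    {
        string? tid = user.FindFirst("tid")?.Value
                   ?? user.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid")?.Value;
        return Guid.TryParse(tid, out var parsed) ? parsed.ToString("D") : null;
    }

    public static async Task<AuthenticationResult> AcquireDownstreamTokenAsync(
        ClaimsPrincipal user, string incomingAccessToken, string[] downstreamScopes)
    {
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority(CiamAuthority)
            .Build();

        var builder = app.AcquireTokenOnBehalfOf(downstreamScopes, new UserAssertion(incomingAccessToken));

        string? tenantId = TenantIdFromClaims(user);
        if (tenantId is not null)
        {
            try
            {
                builder = builder.WithTenantId(tenantId);
            }
            catch (MsalClientException ex)
            {
                // MSAL.NET 4.54.1 rejects the override for a CIAM authority (the
                // issue's "actual behavior"). Surface it as a configuration problem.
                throw new InvalidOperationException(
                    $"Tenant override to '{tenantId}' is not supported by authority '{CiamAuthority}'.", ex);
            }
        }

        AuthenticationResult result = await builder.ExecuteAsync();

        // Defensive post-check: the STS is the authority on whether the override was
        // honoured, so verify the issued token is for the tenant we asked for.
        if (tenantId is not null && result.TenantId is not null
            && !string.Equals(result.TenantId, tenantId, StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                $"Requested tenant '{tenantId}' but received a token for tenant '{result.TenantId}'.");
        }
        return result;
    }

    // Offline demonstration of the claim validation only (no network call).
    public static void Main()
    {
        // Sample GUID taken from the authority listed in the issue comments.
        var good = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim("tid", "f7416cc8-8ea1-4e5c-b230-0c978f81dfc6") }, "Bearer"));
        var bad = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim("tid", "contoso.onmicrosoft.com") }, "Bearer"));

        Console.WriteLine(TenantIdFromClaims(good) ?? "(no tenant override)");
        Console.WriteLine(TenantIdFromClaims(bad) ?? "(no tenant override)");
    }
}
```

The GUID check is the important part for a web API: the tid claim comes from a token the API has already validated, but WithTenantId puts it straight into the authority URL, so only a value of the expected shape should reach it. The post-check on result.TenantId addresses the question raised in the comments about an authority host that does not match the tenant GUID: whatever MSAL.NET builds, the API refuses to use a token issued for a tenant other than the one it requested.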

Issue Analytics

  • State:closed
  • Created 3 months ago
  • Comments:6 (6 by maintainers)

Top GitHub Comments

1 reaction
bgavrilMS commented, Jul 12, 2023

Yes, we’ll let MSAL construct the authority in the way that the app developer wants it, without any constraints. And we rely on the CIAM STS to error out.

@jmprieur has been testing this out and might have found a bug in CIAM.

0 reactions
rayluo commented, Jul 11, 2023
  1. But can the user really be in a different tenant? Are guests supported in CIAM?

  2. What are the rules of tenant id substitution? There are 3 types of authority supported as per @trwalke's integration tests:

    • https://MSIDLABCIAM2.ciamlogin.com/

    • https://MSIDLABCIAM2.ciamlogin.com/MSIDLABCIAM2.onmicrosoft.com

    • https://MSIDLABCIAM2.ciamlogin.com/f7416cc8-8ea1-4e5c-b230-0c978f81dfc6

Do we want all 3 authorities to be switched to:

https://MSIDLABCIAM2.ciamlogin.com/012345-6789-ABCD-01234567890 ?

@bgavrilMS , what are the conclusions to the two questions above?

In particular, what is the authority to be used in question 2? Could we end up sending a contradicting https://CONTOSO.ciamlogin.com/guid-of-FABRICAM?
