[Bug] AbstractAcquireTokenParameterBuilder<T>.WithTenantId() should be supported for CIAM authorities
When doing an OBO, if no tenant is specified, it should be possible to set the tenant to the user tenant (from the tid claim). This will come as a GUID, whereas the authority, in the case of CIAM, is a domain name.
This is blocking the Microsoft.Identity.Web OBO samples for CIAM.
Logs and network traces
Microsoft.Identity.Client.dll!Microsoft.Identity.Client.AbstractAcquireTokenParameterBuilder<Microsoft.Identity.Client.AcquireTokenOnBehalfOfParameterBuilder>.WithTenantId(string tenantId) Line 272 C#
Microsoft.Identity.Web.TokenAcquisition.dll!Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForWebApiToCallDownstreamApiAsync(Microsoft.Identity.Client.IConfidentialClientApplication application, string tenantId, System.Collections.Generic.IEnumerable<string> scopes, Microsoft.Identity.Web.TokenAcquisitionOptions tokenAcquisitionOptions, Microsoft.Identity.Web.MergedOptions mergedOptions) Line 727 C#
Microsoft.Identity.Web.TokenAcquisition.dll!Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForUserAsync(System.Collections.Generic.IEnumerable<string> scopes, string authenticationScheme, string tenantId, string userFlow, System.Security.Claims.ClaimsPrincipal user, Microsoft.Identity.Web.TokenAcquisitionOptions tokenAcquisitionOptions) Line 243 C#
Microsoft.Identity.Web.TokenAcquisition.dll!Microsoft.Identity.Web.TokenAcquisition.GetAccessTokenForUserAsync(System.Collections.Generic.IEnumerable<string> scopes, string authenticationScheme, string tenantId, string userFlow, System.Security.Claims.ClaimsPrincipal user, Microsoft.Identity.Web.TokenAcquisitionOptions tokenAcquisitionOptions) Line 500 C#
Microsoft.Identity.Web.TokenAcquisition.dll!Microsoft.Identity.Web.ITokenAcquisition.GetAccessTokenForUserAsync(System.Collections.Generic.IEnumerable<string> scopes, string tenantId, string userFlow, System.Security.Claims.ClaimsPrincipal user, Microsoft.Identity.Web.TokenAcquisitionOptions tokenAcquisitionOptions) Line 42 C#
TodoListService.dll!TodoListService.Controllers.TodoListController.GetAsync() Line 57 C#
Which version of MSAL.NET are you using? 4.54.1
What authentication flow has the issue? [x] On-Behalf-Of
Other? With a CIAM authority
Is this a new or existing app?
// Microsoft.Identity.Web: decide which tenant the OBO request is sent to.
ClaimsPrincipal? user = _tokenAcquisitionHost.GetUserFromRequest();
var userTenant = string.Empty;
if (user != null)
{
    // tid claim of the incoming token: a tenant GUID, not a domain name.
    userTenant = user.GetTenantId();
    builder.WithCcsRoutingHint(user.GetObjectId(), userTenant);
}
if (!string.IsNullOrEmpty(tenantId))
{
    builder.WithTenantId(tenantId);
}
else
{
    // No explicit tenant: fall back to the user's tenant from the tid claim.
    // With a CIAM authority this WithTenantId call throws in MSAL.NET 4.54.1 (see Actual behavior).
    if (!string.IsNullOrEmpty(userTenant))
    {
        builder.WithTenantId(userTenant);
    }
}
Actual behavior
Exception:
Microsoft.Identity.Client.MsalClientException: 'WithTenantId can only be used when an AAD authority is specified at the application level.'
Expected behavior
It should be possible to override the tenant with a CIAM authority. It’s not up to MSAL.NET to decide if the IdP will reject it or not (it won’t in that case).
Possible solution
AuthorityInfo.IsTenantOverrideSupported should be set to true for CIAM authority.
Additional context / logs / screenshots / links to code
Issue Analytics
- Created 3 months ago
- Comments: 6 (6 by maintainers)
Top GitHub Comments
Yes, we’ll let MSAL construct the authority in the way that the app developer wants it, without any constraints. And we rely on the CIAM STS to error out.
@jmprieur has been testing this out and might have found a bug in CIAM.
@bgavrilMS , what are the conclusions to the two questions above?
In particular, what is the authority to be used in question 2? Could we end up sending a contradicting https://CONTOSO.ciamlogin.com/guid-of-FABRICAM ?
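The two points in this thread, the `IsTenantOverrideSupported` check that rejects `WithTenantId` for a CIAM authority and the maintainers' question of whether a tid GUID can be composed onto a `*.ciamlogin.com` host for a different tenant, can be reasoned about with a small model. The following Python is an added illustration, not MSAL.NET or Microsoft.Identity.Web code: the host/path classification rules, the way the tenant is rebuilt into the authority path, the `ciam_override` flag standing in for the proposed `IsTenantOverrideSupported` change, and the heuristic that the `ciamlogin.com` subdomain names the same tenant as `<name>.onmicrosoft.com` are all assumptions. The one thing taken verbatim from the page is the exception text.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Error text quoted in the issue's "Actual behavior" section (MSAL.NET 4.54.1).
TENANT_OVERRIDE_ERROR = (
    "WithTenantId can only be used when an AAD authority is specified "
    "at the application level."
)

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


class MsalClientException(Exception):
    """Stand-in for Microsoft.Identity.Client.MsalClientException."""


@dataclass(frozen=True)
class AuthorityInfo:
    authority_type: str      # "AAD", "B2C", "ADFS" or "CIAM" (assumed labels)
    host: str                # e.g. contoso.ciamlogin.com
    tenant: Optional[str]    # tenant named by the first path segment, if any


def classify_authority(url: str) -> AuthorityInfo:
    """Assumed, simplified host/path rules for the authority types named in the issue."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    segments = [s for s in parsed.path.split("/") if s]
    first = segments[0].lower() if segments else None
    if host.endswith(".ciamlogin.com"):
        return AuthorityInfo("CIAM", host, first)
    if host.endswith(".b2clogin.com") or first == "tfp":
        return AuthorityInfo("B2C", host, None)
    if first == "adfs":
        return AuthorityInfo("ADFS", host, None)
    return AuthorityInfo("AAD", host, first)


def is_tenant_override_supported(info: AuthorityInfo, ciam_override: bool) -> bool:
    """Models AuthorityInfo.IsTenantOverrideSupported: AAD only before the fix,
    AAD and CIAM once ciam_override (the proposed change) is True."""
    if info.authority_type == "AAD":
        return True
    return info.authority_type == "CIAM" and ciam_override


def with_tenant_id(authority: str, tenant_id: str, ciam_override: bool = True) -> str:
    """Apply WithTenantId: raise as 4.54.1 does when unsupported, otherwise rebuild
    the authority with tenant_id as its single path segment (assumed composition)."""
    info = classify_authority(authority)
    if not is_tenant_override_supported(info, ciam_override):
        raise MsalClientException(TENANT_OVERRIDE_ERROR)
    return f"https://{info.host}/{tenant_id}/"


def tenant_override_outcome(authority: str, tenant_id: str, ciam_override: bool) -> str:
    """Return the composed authority, or the exception text, so both outcomes are comparable."""
    try:
        return with_tenant_id(authority, tenant_id, ciam_override)
    except MsalClientException as exc:
        return str(exc)


def tenant_override_conflicts(authority: str, tenant_id: str) -> Optional[bool]:
    """True/False when the override can be compared with the tenant the authority
    already names; None when that is undecidable offline (a tid GUID against a CIAM
    subdomain), which is exactly the case the maintainers leave to the CIAM STS."""
    info = classify_authority(authority)
    existing = info.tenant
    override_is_guid = bool(GUID_RE.match(tenant_id))
    if info.authority_type == "CIAM":
        subdomain = info.host.split(".")[0]
        if not override_is_guid:
            # Heuristic assumption: "<name>.onmicrosoft.com" belongs to "<name>.ciamlogin.com".
            return tenant_id.lower().split(".")[0] != subdomain
        if existing and GUID_RE.match(existing):
            return existing.lower() != tenant_id.lower()
        return None  # GUID vs. subdomain: only the STS can tell whether they match
    if existing is None or existing in ("common", "organizations", "consumers"):
        return False
    if bool(GUID_RE.match(existing)) == override_is_guid:
        return existing.lower() != tenant_id.lower()
    return None
```

`tenant_override_outcome` shows the before/after of the proposed fix on the same CIAM authority, and `tenant_override_conflicts` makes the limit of a client-side check explicit: a GUID from the tid claim cannot be matched offline against the tenant the `ciamlogin.com` subdomain names, so letting the STS reject a mismatched authority, as comment 1 proposes, is the only place that check can live.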