[Bug] Token acquisition from different tenant not working
Which version of Microsoft Identity Web are you using?
Commit ID 8a043b704a4ad89faaa635451ee7fc6d85979bf9, but the same problem is also experienced with master dated 2020-07-21.
Where is the issue?
- Web API
- Protected web APIs call downstream web APIs
Is this a new or an existing app?
The app is in production and I have upgraded to a new version of Microsoft Identity Web.
Repro
var tokenAcquisition = httpContext.RequestServices.GetRequiredService<Microsoft.Identity.Web.ITokenAcquisition>();
// "tid" of the tenant the user signed in to (tenant B for a guest user)
var tid = httpContext.User.FindFirst("tid").Value;
// pass that tenant as the tenant override for the downstream token
return tokenAcquisition.GetAccessTokenForUserAsync(new string[] { scope }, tid);
Expected behavior
Token issued by tenant B.
Actual behavior
When a user in tenant A is a guest user in tenant B (identified by “tid”), this call returns a token issued by tenant A instead of a token issued by tenant B (“tid”).
Possible solution
Please see the attached patch. This is the same bug I previously reported for an older version.
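As an added example (not code from the issue or from Microsoft Identity Web), a regression check for the behaviour reported above: after acquiring the token with the tenant override, decode the returned JWT and confirm that its "tid" claim is the tenant that was requested, so a token silently issued by the user's home tenant is rejected instead of being sent downstream. It assumes the GetAccessTokenForUserAsync(scopes, tenant) overload as called in the report and the System.IdentityModel.Tokens.Jwt package; the tenant ids are placeholders.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;   // NuGet: System.IdentityModel.Tokens.Jwt
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Identity.Web;

public static class TenantTokenCheck
{
    // True only when the token's "tid" claim equals the tenant we asked for.
    // This decodes the payload without validating the signature: it is a sanity
    // check on which tenant issued the token, not a replacement for token validation.
    public static bool IssuedByTenant(string accessToken, string expectedTid)
    {
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(accessToken);
        var tid = jwt.Claims.FirstOrDefault(c => c.Type == "tid")?.Value;
        return string.Equals(tid, expectedTid, StringComparison.OrdinalIgnoreCase);
    }

    // The call from the report, followed by the tenant check. Throws instead of
    // returning a token from the wrong tenant (the bug described in this issue).
    public static async Task<string> GetTokenForSignedInTenantAsync(
        ITokenAcquisition tokenAcquisition, ClaimsPrincipal user, string scope)
    {
        var tid = user.FindFirst("tid")?.Value
                  ?? throw new InvalidOperationException("signed-in user has no tid claim");
        var token = await tokenAcquisition.GetAccessTokenForUserAsync(new[] { scope }, tid);
        if (!IssuedByTenant(token, tid))
            throw new InvalidOperationException($"token was not issued by tenant {tid}");
        return token;
    }

    // Self-check with a constructed, unsigned token (placeholder tenant ids, not real ones).
    public static bool SelfCheck()
    {
        const string tenantA = "00000000-0000-0000-0000-00000000000a";
        const string tenantB = "00000000-0000-0000-0000-00000000000b";
        var handler = new JwtSecurityTokenHandler();
        var tokenFromA = handler.WriteToken(new JwtSecurityToken(
            issuer: $"https://login.microsoftonline.com/{tenantA}/v2.0",
            claims: new[] { new Claim("tid", tenantA) },
            expires: DateTime.UtcNow.AddMinutes(5)));
        // A token from tenant A must be accepted for A and rejected for B.
        return IssuedByTenant(tokenFromA, tenantA) && !IssuedByTenant(tokenFromA, tenantB);
    }
}
```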
GitHub comments
This issue is fixed in microsoft identity web, but there is an additional fix needed in msal .net, so moving this to blocked for now. That work will be in progress soon.
Included in 0.2.2-preview release