[Bug] AbstractAcquireTokenParameterBuilder<T>.WithTenantId() should be supported for CIAM authorities #4191
Comments
@bgavrilMS : FYI
Do we want all 3 authorities to be switched to:
Later edit: yes. Trust that the STS will do the right thing.
The problem is when we define the authority, we define it with the domain name, but then when we redeem the code or do an OBO we have the tenantId. We have no way of knowing that the tenant ID maps to the domain name.
Yes, for AAD this makes sense and we had several bugs on this - this is why I suggested the fix in MSAL. But for CIAM does changing the tenant make sense or should it be a NO-OP?
@bgavrilMS , what are the conclusions to the two questions above? In particular, what is the authority to be used in question 2? Could we end up sending a contradicting
Yes, we'll let MSAL construct the authority in the way that the app developer wants it, without any constraints. And we rely on the CIAM STS to error out. @jmprieur has been testing this out and might have found a bug in CIAM. |
When doing an OBO, if no tenant is specified, it should be possible to set the tenant to the user tenant (from the tid claim). This will come as a GUID, whereas the authority, in the case of CIAM, is a domain name.
This is blocking Microsoft.Identity.Web OBO samples for CIAM.
Logs and network traces
Which version of MSAL.NET are you using?
4.54.1
What authentication flow has the issue?
* [x] On-Behalf-Of
Other?
With a CIAM authority
Is this a new or existing app?
Actual behavior
Exception:
Microsoft.Identity.Client.MsalClientException: 'WithTenantId can only be used when an AAD authority is specified at the application level.'
Expected behavior
It should be possible to override the tenant with a CIAM authority.
It's not up to MSAL.NET to decide if the IdP will reject it or not (it won't in that case)
Possible solution
AuthorityInfo.IsTenantOverrideSupported should be set to true for a CIAM authority.
Additional context / logs / screenshots / links to code
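To make the requested behaviour concrete, here is an added example (not code from the issue or from MSAL.NET) of the OBO call the report describes: a confidential client configured with a CIAM authority, with the tenant passed to WithTenantId taken from the tid claim of the incoming token. The authority domain, client id and secret are placeholders; on MSAL.NET 4.54.1 the WithTenantId step is the one the issue reports as throwing.

```csharp
using System;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class CiamOboExample
{
    // Placeholder values constructed for this example; not taken from the issue.
    const string ClientId      = "00000000-0000-0000-0000-000000000000";
    const string ClientSecret  = "<client-secret-from-a-secret-store>";
    const string CiamAuthority = "https://contoso.ciamlogin.com/"; // a domain name, not a tenant GUID

    // Extracts the 'tid' claim from a bearer token that the API's authentication
    // middleware is assumed to have already validated (no signature check is done here).
    public static string? GetTenantIdFromJwt(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length < 2) return null;
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using JsonDocument doc = JsonDocument.Parse(Convert.FromBase64String(b64));
        return doc.RootElement.TryGetProperty("tid", out JsonElement tid) ? tid.GetString() : null;
    }

    public static async Task<AuthenticationResult> AcquireDownstreamTokenAsync(
        string incomingAccessToken, string[] downstreamScopes)
    {
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority(CiamAuthority)
            .Build();

        // The user's tenant arrives as a GUID in 'tid'; the authority above is a domain name.
        string? tenantId = GetTenantIdFromJwt(incomingAccessToken);
        try
        {
            var builder = app.AcquireTokenOnBehalfOf(downstreamScopes, new UserAssertion(incomingAccessToken));
            if (tenantId != null)
            {
                // With a CIAM authority, MSAL.NET 4.54.1 rejects this with the MsalClientException
                // quoted in the issue instead of letting the STS decide whether the tenant is valid.
                builder = builder.WithTenantId(tenantId);
            }
            return await builder.ExecuteAsync();
        }
        catch (MsalClientException ex)
        {
            // Client-side rejection, not an STS error: keep the two distinguishable in logs.
            throw new InvalidOperationException($"OBO tenant override rejected: {ex.ErrorCode}", ex);
        }
    }
}
```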