For Mtls, do not check for Aad and Dsts Authority type and 'organizations' or 'common' tenant (#5174)

This PR removes from AcquireTokenForClientParameterBuilder.Validate checks for 'common' for Aad and Dsts Authority Types.

See conversation in this PR.

Author: ksaaf

src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs

@@ -4,7 +4,6 @@
 using System;
 using System.Collections.Generic;
 using System.ComponentModel;
-using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Identity.Client.ApiConfig.Executors;
@@ -170,23 +169,6 @@ protected override void Validate()
         {
             if (CommonParameters.MtlsCertificate != null)
             {
-                string authorityUri = ServiceBundle.Config.Authority.AuthorityInfo.CanonicalAuthority.AbsoluteUri;
-
-                if (ServiceBundle.Config.Authority.AuthorityInfo.AuthorityType != AuthorityType.Aad && 
-                    ServiceBundle.Config.Authority.AuthorityInfo.AuthorityType != AuthorityType.Dsts)
-                {
-                    throw new MsalClientException(
-                        MsalError.InvalidAuthorityType,
-                        MsalErrorMessage.MtlsInvalidAuthorityTypeMessage);
-                }
-
-                if (authorityUri.Contains("/common", StringComparison.OrdinalIgnoreCase))
-                {
-                    throw new MsalClientException(
-                        MsalError.MissingTenantedAuthority,
-                        MsalErrorMessage.MtlsNonTenantedAuthorityNotAllowedMessage);
-                }
-
                 // Check for Azure region only if the authority is AAD
                 // AzureRegion is by default set to null or set to null when the application is created
                 // with region set to DisableForceRegion (see ConfidentialClientApplicationBuilder.Validate)

src/client/Microsoft.Identity.Client/AppConfig/AuthorityInfo.cs

@@ -2,10 +2,8 @@
 // Licensed under the MIT License.
 
 using System;
-using System.Globalization;
 using System.Linq;
 using System.Threading.Tasks;
-using Microsoft.Identity.Client.AppConfig;
 using Microsoft.Identity.Client.Instance;
 using Microsoft.Identity.Client.Instance.Validation;
 using Microsoft.Identity.Client.Internal;
@@ -65,7 +63,7 @@ public AuthorityInfo(
                     CanonicalAuthority = new Uri($"https://{authorityUri.Authority}/{pathSegments[0]}/{pathSegments[1]}/");
 
                     UserRealmUriPrefix = UriBuilderExtensions.GetHttpsUriWithOptionalPort(
-                        $"https://{authorityUri.Authority}/{pathSegments[0]}/common/userrealm/",
+                        $"https://{authorityUri.Authority}/{pathSegments[0]}/{Constants.Common}/userrealm/",
                         authorityUri.Port);
                     break;
                 default:
@@ -75,7 +73,7 @@ public AuthorityInfo(
                             authorityUri.Port));
 
                     UserRealmUriPrefix = UriBuilderExtensions.GetHttpsUriWithOptionalPort(
-                        $"https://{Host}/common/userrealm/",
+                        $"https://{Host}/{Constants.Common}/userrealm/",
                         authorityUri.Port);
                     break;
             }
@@ -273,11 +271,11 @@ internal static string GetAadAuthorityAudienceValue(AadAuthorityAudience authori
             switch (authorityAudience)
             {
                 case AadAuthorityAudience.AzureAdAndPersonalMicrosoftAccount:
-                    return "common";
+                    return Constants.Common;
                 case AadAuthorityAudience.AzureAdMultipleOrgs:
-                    return "organizations";
+                    return Constants.Organizations;
                 case AadAuthorityAudience.PersonalMicrosoftAccount:
-                    return "consumers";
+                    return Constants.Consumers;
                 case AadAuthorityAudience.AzureAdMyOrg:
                     if (string.IsNullOrWhiteSpace(tenantId))
                     {
@@ -451,7 +449,7 @@ private static bool IsCiamAuthority(Uri authorityUri)
 
         private static string[] GetPathSegments(string absolutePath)
         {
-            string[] pathSegments = absolutePath.Substring(1).Split(
+            string[] pathSegments = absolutePath.Split(
                 new[]
                 {
                     '/'

src/client/Microsoft.Identity.Client/Instance/AadAuthority.cs

@@ -21,9 +21,9 @@ internal class AadAuthority : Authority
         private static readonly ISet<string> s_tenantlessTenantNames = new HashSet<string>(
           new[]
           {
-                Constants.CommonTenant,
-                Constants.OrganizationsTenant,
-                Constants.ConsumerTenant
+                Constants.Common,
+                Constants.Organizations,
+                Constants.Consumers,
           },
           StringComparer.OrdinalIgnoreCase);
 
@@ -36,7 +36,7 @@ internal AadAuthority(AuthorityInfo authorityInfo) : base(authorityInfo)
 
         internal bool IsWorkAndSchoolOnly()
         {
-            return !TenantId.Equals(Constants.CommonTenant, StringComparison.OrdinalIgnoreCase) &&
+            return !TenantId.Equals(Constants.Common, StringComparison.OrdinalIgnoreCase) &&
                    !IsConsumers(TenantId);
         }
 
@@ -47,7 +47,7 @@ internal bool IsConsumers()
 
         internal static bool IsConsumers(string tenantId)
         {
-            return tenantId.Equals(Constants.ConsumerTenant, StringComparison.OrdinalIgnoreCase) ||
+            return tenantId.Equals(Constants.Consumers, StringComparison.OrdinalIgnoreCase) ||
                    tenantId.Equals(Constants.MsaTenantId, StringComparison.OrdinalIgnoreCase);
         }
 
@@ -64,7 +64,7 @@ internal static bool IsCommonOrganizationsOrConsumersTenant(string tenantId)
 
         internal bool IsOrganizationsTenantWithMsaPassthroughEnabled(bool isMsaPassthrough, string accountTenantId)
         {
-            return accountTenantId!= null && isMsaPassthrough && TenantId.Equals(Constants.OrganizationsTenant, StringComparison.OrdinalIgnoreCase) &&
+            return accountTenantId!= null && isMsaPassthrough && TenantId.Equals(Constants.Organizations, StringComparison.OrdinalIgnoreCase) &&
                 IsConsumers(accountTenantId);
         }
 

src/client/Microsoft.Identity.Client/Internal/Constants.cs

@@ -2,7 +2,6 @@
 // Licensed under the MIT License.
 
 using System;
-using System.Globalization;
 
 namespace Microsoft.Identity.Client.Internal
 {
@@ -21,9 +20,9 @@ internal static class Constants
         public const string DefaultRealm = "http://schemas.microsoft.com/rel/trusted-realm";
 
         public const string MsaTenantId = "9188040d-6c67-4c5b-b112-36a304b66dad";
-        public const string ConsumerTenant = "consumers";
-        public const string OrganizationsTenant = "organizations";
-        public const string CommonTenant = "common";
+        public const string Consumers = "consumers";
+        public const string Organizations = "organizations";
+        public const string Common = "common";
 
         public const string UserRealmMsaDomainName = "live.com";
 

tests/Microsoft.Identity.Test.Common/TestConstants.cs

@@ -7,6 +7,7 @@
 using System.Text.RegularExpressions;
 using Microsoft.Identity.Client;
 using Microsoft.Identity.Client.Cache;
+using Microsoft.Identity.Client.Internal;
 using Microsoft.Identity.Client.OAuth2;
 using Microsoft.Identity.Client.Utils;
 using Microsoft.Identity.Test.Common.Core.Mocks;
@@ -44,9 +45,9 @@ public static HashSet<string> s_scope
         public const string Utid = "my-utid";
         public const string Utid2 = "my-utid2";
 
-        public const string Common = "common";
-        public const string Organizations = "organizations";
-        public const string Consumers = "consumers";
+        public const string Common = Constants.Common;
+        public const string Organizations = Constants.Organizations;
+        public const string Consumers = Constants.Consumers;
         public const string Guest = "guest";
         public const string Home = "home";
         public const string TenantId = "751a212b-4003-416e-b600-e1f48e40db9f";
@@ -112,6 +113,8 @@ public static HashSet<string> s_scope
         public const string DstsAuthorityTenantless = "https://some.url.dsts.core.azure-test.net/dstsv2/";
         public const string DstsAuthorityTenanted = DstsAuthorityTenantless + TenantId + "/";
         public const string DstsAuthorityCommon = DstsAuthorityTenantless + Common + "/";
+        public const string DstsAuthorityOrganizations = DstsAuthorityTenantless + Organizations + "/";
+        public const string DstsAuthorityConsumers = DstsAuthorityTenantless + Consumers + "/";
 
         public const string GenericAuthority = "https://demo.duendesoftware.com";
 

tests/Microsoft.Identity.Test.Unit/ApiConfigTests/AuthorityTests.cs

@@ -2,7 +2,8 @@
 // Licensed under the MIT License.
 
 using System;
-using System.Reflection.Emit;
+using System.Collections.Generic;
+using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.Identity.Client;
 using Microsoft.Identity.Client.Instance;

tests/Microsoft.Identity.Test.Unit/PublicApiTests/ConfidentialClientApplicationTests.cs

@@ -1041,14 +1041,14 @@ public void GetAuthorizationRequestUrl_WithConsumerInCreate_ReturnsConsumers()
 #pragma warning disable CS0618 // Type or member is obsolete
                 Uri authorizationRequestUrl = confidentialClientApplication
                     .GetAuthorizationRequestUrl(new List<string> { "" })
-                    .WithAuthority(AzureCloudInstance.AzurePublic, Constants.ConsumerTenant)
+                    .WithAuthority(AzureCloudInstance.AzurePublic, Constants.Consumers)
                     .ExecuteAsync()
                     .ConfigureAwait(false)
                     .GetAwaiter()
                     .GetResult();
 #pragma warning restore CS0618 // Type or member is obsolete
 
-                Assert.IsTrue(authorizationRequestUrl.Segments[1].StartsWith(Constants.CommonTenant));
+                Assert.IsTrue(authorizationRequestUrl.Segments[1].StartsWith(Constants.Common));
             }
         }
 

tests/Microsoft.Identity.Test.Unit/PublicApiTests/MtlsPopTests.cs

@@ -171,7 +171,7 @@ public async Task MtlsPop_WithoutRegion_ThrowsException(bool setAzureRegion)
         }
 
         [TestMethod]
-        public async Task MtlsPopWithoutTenantIdAsync()
+        public async Task MtlsPop_WithUnsupportedNonTenantedAuthorityAsync_ThrowsException()
         {
             IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
                             .Create(TestConstants.ClientId)
@@ -186,7 +186,8 @@ public async Task MtlsPopWithoutTenantIdAsync()
                    .ExecuteAsync())
                 .ConfigureAwait(false);
 
-            Assert.AreEqual(MsalError.MissingTenantedAuthority, ex.ErrorCode);
+            Assert.AreEqual(MsalError.MtlsPopWithoutRegion, ex.ErrorCode);
+            Assert.AreEqual(MsalErrorMessage.MtlsPopWithoutRegion, ex.Message);
         }
 
         [TestMethod]
@@ -449,9 +450,9 @@ await app.AcquireTokenForClient(TestConstants.s_scope)
 
         [TestMethod]
         [DataTestMethod]
-        [DataRow("https://contoso.b2clogin.com/tfp/contoso.onmicrosoft.com/B2C_1_signupsignin", "B2C Authority")]
-        [DataRow("https://contoso.adfs.contoso.com/adfs", "ADFS Authority")]
-        public async Task MtlsPop_NonAadAuthorityAsync(string authorityUrl, string authorityType)
+        [DataRow("https://contoso.b2clogin.com/tfp/contoso.onmicrosoft.com/B2C_1_signupsignin", "B2C Authority", typeof(MsalServiceException))]
+        [DataRow("https://contoso.adfs.contoso.com/adfs", "ADFS Authority", typeof(HttpRequestException))]
+        public async Task MtlsPop_NonAadAuthorityAsync(string authorityUrl, string authorityType, Type expectedException)
         {
             IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
                             .Create(TestConstants.ClientId)
@@ -461,21 +462,28 @@ public async Task MtlsPop_NonAadAuthorityAsync(string authorityUrl, string autho
                             .Build();
 
             // Set WithMtlsProofOfPossession on the request with a non-AAD authority
-            MsalClientException ex = await AssertException.TaskThrowsAsync<MsalClientException>(() =>
-                app.AcquireTokenForClient(TestConstants.s_scope)
-                   .WithMtlsProofOfPossession() // Enables MTLS PoP
-                   .ExecuteAsync())
-                .ConfigureAwait(false);
-
-            Assert.AreEqual(MsalError.InvalidAuthorityType, ex.ErrorCode);
-            Assert.AreEqual(MsalErrorMessage.MtlsInvalidAuthorityTypeMessage, ex.Message, $"{authorityType} test failed.");
+            try
+            {
+                await app
+                    .AcquireTokenForClient(TestConstants.s_scope)
+                    .WithMtlsProofOfPossession() // Enables MTLS PoP
+                    .ExecuteAsync()
+                    .ConfigureAwait(false);
+            }
+            catch (Exception ex)
+            {
+                Assert.AreEqual(expectedException, ex.GetType());
+            }
         }
 
         [DataTestMethod]
-        [DataRow("https://login.microsoftonline.com", "Public Cloud")]
-        [DataRow("https://login.microsoftonline.us", "Azure Government")]
-        [DataRow("https://login.partner.microsoftonline.cn", "Azure China")]
-        public async Task MtlsPop_WithCommonAsync(string authorityUrl, string cloudType)
+        [DataRow("https://login.microsoftonline.com", TestConstants.Common, "Public Cloud")]
+        [DataRow("https://login.microsoftonline.com", TestConstants.Organizations, "Public Cloud")]
+        [DataRow("https://login.microsoftonline.us", TestConstants.Common, "Azure Government")]
+        [DataRow("https://login.microsoftonline.us", TestConstants.Organizations, "Azure Government")]
+        [DataRow("https://login.partner.microsoftonline.cn", TestConstants.Common, "Azure China")]
+        [DataRow("https://login.partner.microsoftonline.cn", TestConstants.Organizations, "Azure China")]
+        public async Task MtlsPop_WithUnsupportedNonTenantedAuthorityAsync_ThrowsException(string authorityUrl, string nonTenantValue, string cloudType)
         {
             const string region = "eastus";
 
@@ -487,13 +495,13 @@ public async Task MtlsPop_WithCommonAsync(string authorityUrl, string cloudType)
                 {
                     var app = ConfidentialClientApplicationBuilder.Create(TestConstants.ClientId)
                         .WithCertificate(s_testCertificate)
-                        .WithAuthority($"{authorityUrl}/common")
+                        .WithAuthority($"{authorityUrl}/{nonTenantValue}")
                         .WithAzureRegion(ConfidentialClientApplication.AttemptRegionDiscovery)
                         .WithExperimentalFeatures()
                         .WithHttpManager(httpManager)
                         .BuildConcrete();
 
-                    // Expect an exception due to using /common with MTLS PoP
+                    // Expect an exception due to using /common or /organizations with MTLS PoP
                     MsalClientException ex = await Assert.ThrowsExceptionAsync<MsalClientException>(async () =>
                         await app.AcquireTokenForClient(TestConstants.s_scope)
                             .WithMtlsProofOfPossession()
@@ -733,24 +741,24 @@ public async Task AcquireTokenForClient_WithMtlsPop_Dsts_SuccessAsync()
             }
         }
 
-        [TestMethod]
-        public async Task MtlsPopDstsCommonAuthorityFailsAsync()
+        [DataTestMethod]
+        [DataRow(TestConstants.DstsAuthorityCommon)]
+        [DataRow(TestConstants.DstsAuthorityOrganizations)]
+        public async Task MtlsPop_WithUnsupportedNonTenantedAuthorityAsyncForDsts_ThrowsException(string authorityUrl)
         {
             IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
                             .Create(TestConstants.ClientId)
-                            .WithAuthority(TestConstants.DstsAuthorityCommon)
+                            .WithAuthority(authorityUrl)
                             .WithCertificate(s_testCertificate)
                             .WithExperimentalFeatures()
                             .Build();
 
-            // Set WithMtlsProofOfPossession on the request without specifying an authority
-            MsalClientException ex = await AssertException.TaskThrowsAsync<MsalClientException>(() =>
+            // Set WithMtlsProofOfPossession on the request specifying an authority
+            HttpRequestException ex = await AssertException.TaskThrowsAsync<HttpRequestException>(() =>
                 app.AcquireTokenForClient(TestConstants.s_scope)
                    .WithMtlsProofOfPossession()
                    .ExecuteAsync())
                 .ConfigureAwait(false);
-
-            Assert.AreEqual(MsalError.MissingTenantedAuthority, ex.ErrorCode);
         }
     }
 }