AzureAD · Avery-Dunn · Jul 10, 2025 · Jun 6, 2025 · Jun 8, 2025 · Jun 11, 2025
diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AbstractClientApplicationBase.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AbstractClientApplicationBase.java
@@ -579,6 +579,10 @@ public T correlationId(String val) {
             ((OidcAuthority) authenticationAuthority).setAuthorityProperties(
                     OidcDiscoveryProvider.performOidcDiscovery(
                             (OidcAuthority) authenticationAuthority, this));
+
+            if (!((OidcAuthority) authenticationAuthority).isIssuerValid()) {
+                throw new MsalClientException(String.format("Invalid issuer from OIDC discovery: %s", ((OidcAuthority) authenticationAuthority).issuerFromOidcDiscovery), "issuer_validation");
+            }
         }
     }
 }
@@ -10,6 +10,9 @@ public class OidcAuthority extends Authority {
     //Part of the OpenIdConnect standard, this is appended to the authority to create the endpoint that has OIDC metadata
     static final String WELL_KNOWN_OPENID_CONFIGURATION = ".well-known/openid-configuration";
     private static final String AUTHORITY_FORMAT = "https://%s/%s/";
+    private static final String CIAM_AUTHORITY_FORMAT = "https://%s.ciamlogin.com/%s";
+
+    String issuerFromOidcDiscovery;
 
     OidcAuthority(URL authorityUrl) throws MalformedURLException {
         super(createOidcDiscoveryUrl(authorityUrl), AuthorityType.OIDC);
@@ -29,5 +32,42 @@ void setAuthorityProperties(OidcDiscoveryResponse instanceDiscoveryResponse) {
         this.tokenEndpoint = instanceDiscoveryResponse.tokenEndpoint();
         this.deviceCodeEndpoint = instanceDiscoveryResponse.deviceCodeEndpoint();
         this.selfSignedJwtAudience = this.tokenEndpoint;
+        this.issuerFromOidcDiscovery = instanceDiscoveryResponse.issuer();
+    }
+
+    /**
+     * Validates the issuer from OIDC discovery.
+     * Issuer is valid if it matches the authority URL (without the well-known segment)
+     * or if it follows the CIAM issuer format.
+     *
+     * @return true if the issuer is valid, false otherwise
+     */
+    boolean isIssuerValid() {
+        if (issuerFromOidcDiscovery == null) {
+            return false;
+        }
+
+        // Case 1: Check against canonicalAuthorityUrl without the well-known segment
+        String authorityWithoutWellKnown = canonicalAuthorityUrl.toString();
+        if (authorityWithoutWellKnown.endsWith(WELL_KNOWN_OPENID_CONFIGURATION)) {
+            authorityWithoutWellKnown = authorityWithoutWellKnown.substring(0,
+                    authorityWithoutWellKnown.length() - WELL_KNOWN_OPENID_CONFIGURATION.length());
+
+            // Normalize both URLs to ensure consistent comparison
+            String normalizedAuthority = Authority.enforceTrailingSlash(authorityWithoutWellKnown);
+            String normalizedIssuer = Authority.enforceTrailingSlash(issuerFromOidcDiscovery);
+
+            if (normalizedIssuer.equals(normalizedAuthority)) {
+                return true;
+            }
+        }
+
+        // Case 2: Check CIAM format: "https://{tenant}.ciamlogin.com/{tenant}"
+        if (!StringHelper.isNullOrBlank(tenant)) {
+            String ciamPattern = String.format(CIAM_AUTHORITY_FORMAT, tenant, tenant);
+            return issuerFromOidcDiscovery.startsWith(ciamPattern);
+        }
+
+        return false;
     }
 }
@@ -15,6 +15,7 @@ class OidcDiscoveryResponse implements JsonSerializable<OidcDiscoveryResponse> {
     private String authorizationEndpoint;
     private String tokenEndpoint;
     private String deviceCodeEndpoint;
+    private String issuer;
 
     public static OidcDiscoveryResponse fromJson(JsonReader jsonReader) throws IOException {
         OidcDiscoveryResponse response = new OidcDiscoveryResponse();
@@ -32,6 +33,9 @@ public static OidcDiscoveryResponse fromJson(JsonReader jsonReader) throws IOExc
                     case "device_authorization_endpoint":
                         response.deviceCodeEndpoint = reader.getString();
                         break;
+                    case "issuer":
+                        response.issuer = reader.getString();
+                        break;
                     default:
                         reader.skipChildren();
                         break;
@@ -61,4 +65,8 @@ String tokenEndpoint() {
     String deviceCodeEndpoint() {
         return this.deviceCodeEndpoint;
     }
+
+    String issuer() {
+        return this.issuer;
+    }
 }
@@ -124,4 +124,9 @@ static void setHttpClient(IHttpClient client) {
         httpClient = client;
         httpHelper = new HttpHelper(httpClient, new ManagedIdentityRetryPolicy());
     }
+
+    static void resetHttpClient() {
+        httpClient = new DefaultHttpClientManagedIdentity(null, null, null, null);
+        httpHelper = new HttpHelper(httpClient, new ManagedIdentityRetryPolicy());
+    }
 }
@@ -52,6 +52,11 @@ static void resetRetryPolicies() {
         IMDSRetryPolicy.resetToDefaults();
     }
 
+    @AfterAll
+    static void resetServiceFabricHttpClient() {
+        ServiceFabricManagedIdentitySource.resetHttpClient();
+    }
+
     private String getSuccessfulResponse(String resource) {
         long expiresOn = (System.currentTimeMillis() / 1000) + (24 * 3600);//A long-lived, 24 hour token
         return "{\"access_token\":\"accesstoken\",\"expires_on\":\"" + expiresOn + "\",\"resource\":\"" + resource + "\",\"token_type\":" +