/// <summary>
/// Adds a known Azure AD authority to the application to sign-in users from a single
/// organization (single tenant application) described by its cloud instance and its domain
/// name or tenant ID. See https://aka.ms/msal-net-application-configuration.
/// </summary>
/// <param name="azureCloudInstance">Instance of Azure Cloud (for instance Azure
/// worldwide cloud, Azure German Cloud, US government ...)</param>
/// <param name="tenant">Domain name associated with the Azure AD tenant from which
/// <param name="validateAuthority">Whether the authority should be validated against the server metadata.</param>
/// to sign-in users. This can also be a guid</param>
/// <returns>The builder to chain the .With methods</returns>
public T WithAuthority(
AzureCloudInstance azureCloudInstance,
string tenant,
bool validateAuthority = true)
{
Config.AuthorityInfo = AuthorityInfo.FromAadAuthority(azureCloudInstance, tenant, validateAuthority);
return((T)this);
}
/// <summary>
/// Adds a known Azure AD authority to the application to sign-in users from a single
/// organization (single tenant application) described by its domain name. See https://aka.ms/msal-net-application-configuration.
/// </summary>
/// <param name="cloudInstanceUri">Uri to the Azure Cloud instance (for instance
/// <c>https://login.microsoftonline.com)</c></param>
/// <param name="tenant">domain name associated with the tenant from which to sign-in users</param>
/// <param name="validateAuthority">Whether the authority should be validated against the server metadata.</param>
/// <remarks>
/// <paramref name="tenant"/> can also contain the string representation of a GUID (tenantId),
/// or even <c>common</c>, <c>organizations</c> or <c>consumers</c> but in this case
/// it's recommended to use another override (<see cref="WithAuthority(AzureCloudInstance, Guid, bool)"/>
/// and <see cref="WithAuthority(AzureCloudInstance, AadAuthorityAudience, bool)"/>
/// </remarks>
/// <returns>The builder to chain the .With methods</returns>
public T WithAuthority(
string cloudInstanceUri,
string tenant,
bool validateAuthority = true)
{
Config.AuthorityInfo = AuthorityInfo.FromAadAuthority(new Uri(cloudInstanceUri), tenant, validateAuthority);
return((T)this);
}
/// <summary>
/// Adds a known Azure AD authority to the application to sign-in users from a single
/// organization (single tenant application) described by its cloud instance and its domain
/// name or tenant ID. See https://aka.ms/msal-net-application-configuration.
/// </summary>
/// <param name="azureCloudInstance">Instance of Azure Cloud (for instance Azure
/// worldwide cloud, Azure German Cloud, US government ...).</param>
/// <param name="tenant">Tenant Id of the tenant from which to sign-in users. This can also be a GUID.</param>
/// <param name="validateAuthority">Whether the authority should be validated against the server metadata.</param>
/// <returns>The builder to chain the .With methods.</returns>
public T WithAuthority(
AzureCloudInstance azureCloudInstance,
string tenant,
bool validateAuthority = true)
{
CommonParameters.AuthorityOverride = AuthorityInfo.FromAadAuthority(azureCloudInstance, tenant, validateAuthority);
return((T)this);
}
internal static Authority CreateAuthorityWithEnvironment(AuthorityInfo authorityInfo, string environment)
{
var uriBuilder = new UriBuilder(authorityInfo.CanonicalAuthority)
{
Host = environment
};
return(Authority.CreateAuthority(uriBuilder.Uri.AbsoluteUri, authorityInfo.ValidateAuthority));
}
public AuthorityInfo(AuthorityInfo other) :
this(
other.Host,
other.CanonicalAuthority,
other.AuthorityType,
other.UserRealmUriPrefix,
other.ValidateAuthority)
{
}
/// <summary>
/// Specific authority for which the token is requested. Passing a different value than configured
/// at the application constructor narrows down the selection to a specific tenant.
/// This does not change the configured value in the application. This is specific
/// to applications managing several accounts (like a mail client with several mailboxes).
/// See https://aka.ms/msal-net-application-configuration.
/// </summary>
/// <param name="authorityUri">Uri for the authority. In the case when the authority URI is
/// a known Azure AD URI, this setting needs to be consistent with what is declared in
/// the application registration portal.</param>
/// <param name="validateAuthority">Whether the authority should be validated against the server metadata.</param>
/// <returns>The builder to chain the .With methods.</returns>
public T WithAuthority(string authorityUri, bool validateAuthority = true)
{
if (string.IsNullOrWhiteSpace(authorityUri))
{
throw new ArgumentNullException(nameof(authorityUri));
}
CommonParameters.AuthorityOverride = AuthorityInfo.FromAuthorityUri(authorityUri, validateAuthority);
return((T)this);
}
public AuthorityInfo(AuthorityInfo other) :
this(
other.Host,
other.CanonicalAuthority,
other.AuthorityType,
other.UserRealmUriPrefix,
other.ValidateAuthority,
other.AutoDetectRegion,
other.RegionToUse)
{
}
/// <summary>
/// Adds a known Azure AD authority to the application to sign-in users specifying
/// the full authority Uri. See https://aka.ms/msal-net-application-configuration.
/// </summary>
/// <param name="authorityUri">URL of the security token service (STS) from which MSAL.NET will acquire the tokens.
/// Usual authorities endpoints for the Azure public Cloud are:
/// <list type="bullet">
/// <item><description><c>https://login.microsoftonline.com/tenant/</c> where <c>tenant</c> is the tenant ID of the Azure AD tenant
/// or a domain associated with this Azure AD tenant, in order to sign-in users of a specific organization only</description></item>
/// <item><description><c>https://login.microsoftonline.com/common/</c> to sign-in users with any work and school accounts or Microsoft personal account</description></item>
/// <item><description><c>https://login.microsoftonline.com/organizations/</c> to sign-in users with any work and school accounts</description></item>
/// <item><description><c>https://login.microsoftonline.com/consumers/</c> to sign-in users with only personal Microsoft accounts (live)</description></item>
/// </list>
/// Note that this setting needs to be consistent with what is declared in the application registration portal</param>
/// <param name="validateAuthority">Whether the authority should be validated against the server metadata.</param>
/// <returns>The builder to chain the .With methods</returns>
public T WithAuthority(string authorityUri, bool validateAuthority = true)
{
if (string.IsNullOrWhiteSpace(authorityUri))
{
throw new ArgumentNullException(authorityUri);
}
Config.AuthorityInfo = AuthorityInfo.FromAadAuthority(authorityUri, validateAuthority);
return((T)this);
}
/// <summary>
/// Adds a known Azure AD authority to the application to sign-in users specifying
/// the sign-in audience (the cloud being the Azure public cloud). See https://aka.ms/msal-net-application-configuration.
/// </summary>
/// <param name="authorityAudience">Sign-in audience (one AAD organization,
/// any work and school accounts, or any work and school accounts and Microsoft personal
/// accounts.</param>
/// <param name="validateAuthority">Whether the authority should be validated against the server metadata.</param>
/// <returns>The builder to chain the .With methods.</returns>
public T WithAuthority(AadAuthorityAudience authorityAudience, bool validateAuthority = true)
{
CommonParameters.AddApiTelemetryFeature(ApiTelemetryFeature.WithAuthority);
if (validateAuthority)
{
CommonParameters.AddApiTelemetryFeature(ApiTelemetryFeature.WithValidateAuthority);
}
CommonParameters.AuthorityOverride = AuthorityInfo.FromAadAuthority(authorityAudience, validateAuthority);
return((T)this);
}
/// <summary>
/// Adds a known authority to the application from its Uri. See https://aka.ms/msal-net-application-configuration.
/// This constructor is mainly used for scenarios where the authority is not a standard Azure AD authority,
/// nor an ADFS authority, nor an Azure AD B2C authority. For Azure AD, even in national and sovereign clouds, prefer
/// using other overrides such as <see cref="WithAuthority(AzureCloudInstance, AadAuthorityAudience, bool)"/>
/// </summary>
/// <param name="authorityUri">Uri of the authority</param>
/// <param name="validateAuthority">Whether the authority should be validated against the server metadata.</param>
/// <returns>The builder to chain the .With methods</returns>
public T WithAuthority(Uri authorityUri, bool validateAuthority = true)
{
if (authorityUri == null)
{
throw new ArgumentNullException(nameof(authorityUri));
}
Config.AuthorityInfo = AuthorityInfo.FromAuthorityUri(authorityUri.ToString(), validateAuthority);
return((T)this);
}
/// <summary>
/// Adds a known Azure AD authority to the application to sign-in users from a single
/// organization (single tenant application) described by its domain name. See https://aka.ms/msal-net-application-configuration.
/// </summary>
/// <param name="cloudInstanceUri">Uri to the Azure Cloud instance (for instance
/// <c>https://login.microsoftonline.com)</c>.</param>
/// <param name="tenant">Tenant Id associated with the tenant from which to sign-in users.</param>
/// <param name="validateAuthority">Whether the authority should be validated against the server metadata.</param>
/// <remarks>
/// <paramref name="tenant"/> can also contain the string representation of a GUID (tenantId),
/// or even <c>common</c>, <c>organizations</c> or <c>consumers</c> but in this case
/// it's recommended to use another override (<see cref="WithAuthority(AzureCloudInstance, Guid, bool)"/>
/// and <see cref="WithAuthority(AzureCloudInstance, AadAuthorityAudience, bool)"/>
/// </remarks>
/// <returns>The builder to chain the .With methods.</returns>
public T WithAuthority(
string cloudInstanceUri,
string tenant,
bool validateAuthority = true)
{
if (string.IsNullOrWhiteSpace(cloudInstanceUri))
{
throw new ArgumentNullException(nameof(cloudInstanceUri));
}
CommonParameters.AuthorityOverride = AuthorityInfo.FromAadAuthority(new Uri(cloudInstanceUri), tenant, validateAuthority);
return((T)this);
}
private static void ValidateTypeMismatch(AuthorityInfo configAuthorityInfo, AuthorityInfo requestAuthorityInfo)
{
if (!configAuthorityInfo.IsDefaultAuthority &&
requestAuthorityInfo != null &&
configAuthorityInfo.AuthorityType != requestAuthorityInfo.AuthorityType)
{
throw new MsalClientException(
MsalError.AuthorityTypeMismatch,
MsalErrorMessage.AuthorityTypeMismatch(
configAuthorityInfo.AuthorityType,
requestAuthorityInfo.AuthorityType));
}
}
internal static Authority CreateAuthorityWithTenant(AuthorityInfo authorityInfo, string tenantId)
{
Authority initialAuthority = authorityInfo.CreateAuthority();
if (string.IsNullOrEmpty(tenantId))
{
return(initialAuthority);
}
string tenantedAuthority = initialAuthority.GetTenantedAuthority(tenantId);
return(Authority.CreateAuthority(tenantedAuthority, authorityInfo.ValidateAuthority));
}
/// <summary>
/// Adds a known Azure AD authority to the application to sign-in users from a single
/// organization (single tenant application) described by its cloud instance and its tenant ID.
/// See https://aka.ms/msal-net-application-configuration.
/// </summary>
/// <param name="azureCloudInstance">Instance of Azure Cloud (for instance Azure
/// worldwide cloud, Azure German Cloud, US government ...).</param>
/// <param name="tenantId">Tenant Id of the tenant from which to sign-in users.</param>
/// <param name="validateAuthority">Whether the authority should be validated against the server metadata.</param>
/// <returns>The builder to chain the .With methods.</returns>
public T WithAuthority(
AzureCloudInstance azureCloudInstance,
Guid tenantId,
bool validateAuthority = true)
{
CommonParameters.AddApiTelemetryFeature(ApiTelemetryFeature.WithAuthority);
if (validateAuthority)
{
CommonParameters.AddApiTelemetryFeature(ApiTelemetryFeature.WithValidateAuthority);
}
CommonParameters.AuthorityOverride = AuthorityInfo.FromAadAuthority(azureCloudInstance, tenantId, validateAuthority);
return((T)this);
}
/// <summary>
/// Adds a known Azure AD authority to the application to sign-in users from a single
/// organization (single tenant application) specified by its tenant ID. See https://aka.ms/msal-net-application-configuration.
/// </summary>
/// <param name="cloudInstanceUri">Azure Cloud instance.</param>
/// <param name="tenantId">GUID of the tenant from which to sign-in users.</param>
/// <param name="validateAuthority">Whether the authority should be validated against the server metadata.</param>
/// <returns>The builder to chain the .With methods.</returns>
public T WithAuthority(
string cloudInstanceUri,
Guid tenantId,
bool validateAuthority = true)
{
CommonParameters.AddApiTelemetryFeature(ApiTelemetryFeature.WithAuthority);
if (validateAuthority)
{
CommonParameters.AddApiTelemetryFeature(ApiTelemetryFeature.WithValidateAuthority);
}
if (string.IsNullOrWhiteSpace(cloudInstanceUri))
{
throw new ArgumentNullException(nameof(cloudInstanceUri));
}
CommonParameters.AuthorityOverride = AuthorityInfo.FromAadAuthority(new Uri(cloudInstanceUri), tenantId, validateAuthority);
return((T)this);
}
public static IAuthorityValidator CreateAuthorityValidator(AuthorityInfo authorityInfo, RequestContext requestContext)
{
switch (authorityInfo.AuthorityType)
{
case AuthorityType.Adfs:
return(new AdfsAuthorityValidator(requestContext));
case AuthorityType.Aad:
return(new AadAuthorityValidator(requestContext));
case AuthorityType.B2C:
case AuthorityType.Dsts:
return(new NullAuthorityValidator());
default:
throw new InvalidOperationException("Invalid AuthorityType");
}
}
private static async Task ValidateSameHostAsync(AuthorityInfo requestAuthorityInfo, RequestContext requestContext)
{
var configAuthorityInfo = requestContext.ServiceBundle.Config.Authority.AuthorityInfo;
if (!requestContext.ServiceBundle.Config.MultiCloudSupportEnabled &&
requestAuthorityInfo != null &&
!string.Equals(requestAuthorityInfo.Host, configAuthorityInfo.Host, StringComparison.OrdinalIgnoreCase))
{
if (requestAuthorityInfo.AuthorityType == AuthorityType.B2C)
{
throw new MsalClientException(MsalError.B2CAuthorityHostMismatch, MsalErrorMessage.B2CAuthorityHostMisMatch);
}
// This check should be done when validating the request parameters, however we've allowed
// this configuration to run for a while, so this is the better place for it.
bool usesRegional = !string.IsNullOrEmpty(requestContext.ServiceBundle.Config.AzureRegion);
if (usesRegional)
{
throw new MsalClientException(MsalError.RegionalAndAuthorityOverride, MsalErrorMessage.RegionalAndAuthorityOverride);
}
var authorityAliased = await IsAuthorityAliasedAsync(requestContext, requestAuthorityInfo).ConfigureAwait(false);
if (authorityAliased)
{
return;
}
if (configAuthorityInfo.IsDefaultAuthority)
{
throw new MsalClientException(
MsalError.AuthorityHostMismatch,
$"You did not define an authority at the application level, so it defaults to the https://login.microsoftonline.com/common. " +
$"\n\rHowever, the request is for a different cloud {requestAuthorityInfo.Host}. This is not supported - the app and the request must target the same cloud. " +
$"\n\r\n\r Add .WithAuthority(\"https://{requestAuthorityInfo.Host}/common\") in the app builder. " +
$"\n\rSee https://aka.ms/msal-net-authority-override for details");
}
throw new MsalClientException(
MsalError.AuthorityHostMismatch,
$"\n\r The application is configured for cloud {configAuthorityInfo.Host} and the request for a different cloud - {requestAuthorityInfo.Host}. This is not supported - the app and the request must target the same cloud. " +
$"\n\rSee https://aka.ms/msal-net-authority-override for details");
}
}
private string GetDefaultAuthorityInstance()
{
// Check if there's enough information in the existing config to build up a default authority.
if (!string.IsNullOrWhiteSpace(Config.Instance) && Config.AzureCloudInstance != AzureCloudInstance.None)
{
// Conflict, user has specified a string instance and the enum instance value.
throw new InvalidOperationException(MsalErrorMessage.InstanceAndAzureCloudInstanceAreMutuallyExclusive);
}
if (!string.IsNullOrWhiteSpace(Config.Instance))
{
return(Config.Instance);
}
if (Config.AzureCloudInstance != AzureCloudInstance.None)
{
return(AuthorityInfo.GetCloudUrl(Config.AzureCloudInstance));
}
return(AuthorityInfo.GetCloudUrl(AzureCloudInstance.AzurePublic));
}
private string GetAuthorityAudience()
{
if (!string.IsNullOrWhiteSpace(Config.TenantId) &&
Config.AadAuthorityAudience != AadAuthorityAudience.None &&
Config.AadAuthorityAudience != AadAuthorityAudience.AzureAdMyOrg)
{
// Conflict, user has specified a string tenantId and the enum audience value for AAD, which is also the tenant.
throw new InvalidOperationException(MsalErrorMessage.TenantIdAndAadAuthorityInstanceAreMutuallyExclusive);
}
if (Config.AadAuthorityAudience != AadAuthorityAudience.None)
{
return(AuthorityInfo.GetAadAuthorityAudienceValue(Config.AadAuthorityAudience, Config.TenantId));
}
if (!string.IsNullOrWhiteSpace(Config.TenantId))
{
return(Config.TenantId);
}
return(AuthorityInfo.GetAadAuthorityAudienceValue(AadAuthorityAudience.AzureAdAndPersonalMicrosoftAccount, string.Empty));
}
/// <summary>
/// Adds a known Azure AD authority to the application to sign-in users from a single
/// organization (single tenant application) described by its domain name. See https://aka.ms/msal-net-application-configuration.
/// </summary>
/// <param name="cloudInstanceUri">Uri to the Azure Cloud instance (for instance
/// <c>https://login.microsoftonline.com)</c></param>
/// <param name="tenant">domain name associated with the tenant from which to sign-in users</param>
/// <param name="validateAuthority">Whether the authority should be validated against the server metadata.</param>
/// <remarks>
/// <paramref name="tenant"/> can also contain the string representation of a GUID (tenantId),
/// or even <c>common</c>, <c>organizations</c> or <c>consumers</c> but in this case
/// it's recommended to use another override (<see cref="WithAuthority(AzureCloudInstance, Guid, bool)"/>
/// and <see cref="WithAuthority(AzureCloudInstance, AadAuthorityAudience, bool)"/>
/// </remarks>
/// <returns>The builder to chain the .With methods</returns>
public T WithAuthority(
string cloudInstanceUri,
string tenant,
bool validateAuthority = true)
{
if (string.IsNullOrWhiteSpace(cloudInstanceUri))
{
throw new ArgumentNullException(nameof(cloudInstanceUri));
}
if (string.IsNullOrWhiteSpace(tenant))
{
throw new ArgumentNullException(nameof(tenant));
}
var authorityInfo = AuthorityInfo.FromAadAuthority(
new Uri(cloudInstanceUri),
tenant,
validateAuthority);
Config.Authority = new AadAuthority(authorityInfo);
return((T)this);
}
/// <summary>
/// Overrides the tenant ID specified in the authority at the application level. This operation preserves the authority host (environment).
///
/// If an authority was not specified at the application level, the default used is https://login.microsoftonline.com/common.
/// </summary>
/// <param name="tenantId">The tenant ID, which can be either in GUID format or a domain name. Also known as the Directory ID.</param>
/// <returns>The builder to chain the .With methods.</returns>
/// <exception cref="ArgumentNullException">Thrown if tenantId is null or an empty string</exception>
/// <exception cref="MsalClientException">Thrown if the application was configured with an authority that is not AAD specific (e.g. ADFS or B2C).</exception>
/// <remarks>
/// The tenant should be more restrictive than the one configured at the application level, e.g. don't use "common".
/// Does not affect authority validation, which is specified at the application level.</remarks>
public T WithTenantId(string tenantId)
{
if (string.IsNullOrEmpty(tenantId))
{
throw new ArgumentNullException(nameof(tenantId));
}
if (!ServiceBundle.Config.Authority.AuthorityInfo.IsTenantOverrideSupported)
{
throw new MsalClientException(
MsalError.TenantOverrideNonAad,
MsalErrorMessage.TenantOverrideNonAad);
}
AadAuthority aadAuthority = (AadAuthority)ServiceBundle.Config.Authority;
string tenantedAuthority = aadAuthority.GetTenantedAuthority(tenantId, true);
var newAuthorityInfo = AuthorityInfo.FromAadAuthority(
tenantedAuthority,
ServiceBundle.Config.Authority.AuthorityInfo.ValidateAuthority);
CommonParameters.AuthorityOverride = newAuthorityInfo;
return((T)this);
}
/// <summary>
/// Adds a known Authority corresponding to an ADFS server. See https://aka.ms/msal-net-adfs
/// </summary>
/// <param name="authorityUri">Authority URL for an ADFS server</param>
/// <param name="validateAuthority">Whether the authority should be validated against the server metadata.</param>
/// <remarks>MSAL.NET will only support ADFS 2019 or later.</remarks>
/// <returns>The builder to chain the .With methods</returns>
public T WithAdfsAuthority(string authorityUri, bool validateAuthority = true)
{
Config.AuthorityInfo = AuthorityInfo.FromAdfsAuthority(authorityUri, validateAuthority);
return((T)this);
}
/// <summary>
/// Adds a known Azure AD authority to the application to sign-in users specifying
/// the sign-in audience (the cloud being the Azure public cloud). See https://aka.ms/msal-net-application-configuration.
/// </summary>
/// <param name="authorityAudience">Sign-in audience (one AAD organization,
/// any work and school accounts, or any work and school accounts and Microsoft personal
/// accounts.</param>
/// <param name="validateAuthority">Whether the authority should be validated against the server metadata.</param>
/// <returns>The builder to chain the .With methods.</returns>
public T WithAuthority(AadAuthorityAudience authorityAudience, bool validateAuthority = true)
{
CommonParameters.AuthorityOverride = AuthorityInfo.FromAadAuthority(authorityAudience, validateAuthority);
return((T)this);
}
/// <summary>
/// Adds a known Azure AD authority to the application to sign-in users specifying
/// the sign-in audience (the cloud being the Azure public cloud). See https://aka.ms/msal-net-application-configuration.
/// </summary>
/// <param name="authorityAudience">Sign-in audience (one AAD organization,
/// any work and school accounts, or any work and school accounts and Microsoft personal
/// accounts</param>
/// <param name="validateAuthority">Whether the authority should be validated against the server metadata.</param>
/// <returns>The builder to chain the .With methods</returns>
public T WithAuthority(AadAuthorityAudience authorityAudience, bool validateAuthority = true)
{
Config.AuthorityInfo = AuthorityInfo.FromAadAuthority(authorityAudience, validateAuthority);
return((T)this);
}
/// <summary>
/// Adds a known authority to the application from its Uri. See https://aka.ms/msal-net-application-configuration.
/// This constructor is mainly used for scenarios where the authority is not a standard Azure AD authority,
/// nor an ADFS authority, nor an Azure AD B2C authority. For Azure AD, even in national and sovereign clouds, prefer
/// using other overrides such as <see cref="WithAuthority(AzureCloudInstance, AadAuthorityAudience, bool)"/>
/// </summary>
/// <param name="authorityUri">Uri of the authority</param>
/// <param name="validateAuthority">Whether the authority should be validated against the server metadata.</param>
/// <returns>The builder to chain the .With methods</returns>
public T WithAuthority(Uri authorityUri, bool validateAuthority = true)
{
Config.AuthorityInfo = AuthorityInfo.FromAuthorityUri(authorityUri.ToString(), validateAuthority);
return((T)this);
}
/// <summary>
/// Figures out the authority based on the authority from the config and the authority from the request,
/// and optionally the homeAccountTenantId, which has an impact on AcquireTokenSilent
///
/// The algorithm is:
///
/// 1. If there is no request authority (i.e. no authority override), use the config authority.
/// 1.1. For AAD, if the config authority is "common" etc, try to use the tenanted version with the home account tenant ID
/// 2. If there is a request authority, try to use it.
/// 2.1. If the request authority is not "common", then use it
/// 2.2 If the request authority is "common", ignore it, and use 1.1
///
/// Special cases:
///
/// - if the authority is not defined at the application level and the request level is not AAD, use the request authority
/// - if the authority is defined at app level, and the request level authority of is of different type, throw an exception
///
/// </summary>
public static async Task <Authority> CreateAuthorityForRequestAsync(RequestContext requestContext,
AuthorityInfo requestAuthorityInfo,
IAccount account = null)
{
var configAuthorityInfo = requestContext.ServiceBundle.Config.Authority.AuthorityInfo;
if (configAuthorityInfo == null)
{
throw new ArgumentNullException(nameof(configAuthorityInfo));
}
ValidateTypeMismatch(configAuthorityInfo, requestAuthorityInfo);
await ValidateSameHostAsync(requestAuthorityInfo, requestContext).ConfigureAwait(false);
AuthorityInfo nonNullAuthInfo = requestAuthorityInfo ?? configAuthorityInfo;
switch (configAuthorityInfo.AuthorityType)
{
// ADFS is tenant-less, no need to consider tenant
case AuthorityType.Adfs:
return(new AdfsAuthority(nonNullAuthInfo));
case AuthorityType.Dsts:
return(new DstsAuthority(nonNullAuthInfo));
case AuthorityType.B2C:
return(new B2CAuthority(nonNullAuthInfo));
case AuthorityType.Aad:
bool updateEnvironment = requestContext.ServiceBundle.Config.MultiCloudSupportEnabled && account != null;
if (requestAuthorityInfo == null)
{
return(updateEnvironment ?
CreateAuthorityWithTenant(CreateAuthorityWithEnvironment(configAuthorityInfo, account.Environment).AuthorityInfo, account?.HomeAccountId?.TenantId) :
CreateAuthorityWithTenant(configAuthorityInfo, account?.HomeAccountId?.TenantId));
}
// In case the authority is defined only at the request level
if (configAuthorityInfo.IsDefaultAuthority &&
requestAuthorityInfo.AuthorityType != AuthorityType.Aad)
{
return(requestAuthorityInfo.CreateAuthority());
}
var requestAuthority = updateEnvironment ?
new AadAuthority(CreateAuthorityWithEnvironment(requestAuthorityInfo, account?.Environment).AuthorityInfo) :
new AadAuthority(requestAuthorityInfo);
if (!requestAuthority.IsCommonOrganizationsOrConsumersTenant())
{
return(requestAuthority);
}
return(updateEnvironment ?
CreateAuthorityWithTenant(CreateAuthorityWithEnvironment(configAuthorityInfo, account.Environment).AuthorityInfo, account?.HomeAccountId?.TenantId) :
CreateAuthorityWithTenant(configAuthorityInfo, account?.HomeAccountId?.TenantId));
default:
throw new MsalClientException(
MsalError.InvalidAuthorityType,
"Unsupported authority type");
}
}
/// <summary>
/// Adds a known authority corresponding to an Azure AD B2C policy.
/// See https://aka.ms/msal-net-b2c-specificities
/// </summary>
/// <param name="authorityUri">Azure AD B2C authority, including the B2C policy (for instance
/// <c>"https://fabrikamb2c.b2clogin.com/tfp/{Tenant}/{policy}</c></param>)
/// <returns>The builder to chain the .With methods</returns>
public T WithB2CAuthority(string authorityUri)
{
Config.AuthorityInfo = AuthorityInfo.FromB2CAuthority(authorityUri);
return((T)this);
}
private static async Task <bool> IsAuthorityAliasedAsync(RequestContext requestContext, AuthorityInfo requestAuthorityInfo)
{
var instanceDiscoveryManager = requestContext.ServiceBundle.InstanceDiscoveryManager;
var result = await instanceDiscoveryManager.GetMetadataEntryAsync(requestContext.ServiceBundle.Config.Authority.AuthorityInfo, requestContext).ConfigureAwait(false);
return(result.Aliases.Any(alias => alias.Equals(requestAuthorityInfo.Host)));
}
