/// <inheritdoc />
internal override void Validate()
{
base.Validate();
Config.ClientCredential = new ClientCredentialWrapper(Config);
if (string.IsNullOrWhiteSpace(Config.RedirectUri))
{
Config.RedirectUri = Constants.DefaultConfidentialClientRedirectUri;
}
if (!Uri.TryCreate(Config.RedirectUri, UriKind.Absolute, out Uri uriResult))
{
throw new InvalidOperationException(MsalErrorMessage.InvalidRedirectUriReceived(Config.RedirectUri));
}
if (!string.IsNullOrEmpty(Config.AzureRegion) && Config.AuthorityInfo.ValidateAuthority == true)
{
throw new MsalClientException(
MsalError.RegionalAuthorityValidation,
"You configured both Regional Authority and Authority Validation. Authority validation is not currently supported for regional Azure authorities." +
"You can set the validateAuthority flag to false to use Azure Regional authority. Do not disable authority validation if you read the authority from an untrusted source, " +
"for example from the WWWAuthenticate header of an HTTP request that resulted in a 401 response. See https://aka.ms/msal-net-regional for details.");
}
}
/// <inheritdoc />
internal override void Validate()
{
base.Validate();
//ADFS does not require client id to be in the form of a GUID.
if (Config.Authority.AuthorityInfo?.AuthorityType != AuthorityType.Adfs && !Guid.TryParse(Config.ClientId, out _))
{
throw new MsalClientException(MsalError.ClientIdMustBeAGuid, MsalErrorMessage.ClientIdMustBeAGuid);
}
if (Config.IsBrokerEnabled && Config.MultiCloudSupportEnabled)
{
// TODO: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/3139
throw new NotSupportedException(MsalErrorMessage.MultiCloudSupportUnavailable);
}
if (string.IsNullOrWhiteSpace(Config.RedirectUri))
{
Config.RedirectUri = PlatformProxyFactory.CreatePlatformProxy(null)
.GetDefaultRedirectUri(Config.ClientId, Config.UseRecommendedDefaultRedirectUri);
}
if (!Uri.TryCreate(Config.RedirectUri, UriKind.Absolute, out Uri uriResult))
{
throw new InvalidOperationException(MsalErrorMessage.InvalidRedirectUriReceived(Config.RedirectUri));
}
}
/// <summary>
/// Brokers enable Single-Sign-On, device identification,
/// and application identification verification. To enable one of these features,
/// you need to set the WithBroker() parameters to true. See https://aka.ms/msal-net-brokers
/// for more information on platform specific settings required to enable the broker.
///
/// On iOS and Android, Authenticator and Company Portal serve as brokers.
/// On Windows, WAM (Windows Account Manager) serves as broker. See https://aka.ms/msal-net-wam
/// </summary>
/// <param name="enableBroker">Determines whether or not to use broker with the default set to true.</param>
/// <returns>A <see cref="PublicClientApplicationBuilder"/> from which to set more
/// parameters, and to create a public client application instance</returns>
/// <remarks>If your app uses .NET classic or .NET Core 3.x, and you wish to use the Windows broker,
/// please install the nuget package Microsoft.Identity.Client.Desktop and call .WithWindowsBroker(true)</remarks>
public PublicClientApplicationBuilder WithBroker(bool enableBroker = true)
{
#if NET45
throw new PlatformNotSupportedException("The Windows broker is not available on .NET Framework 4.5, please use at least .NET Framework 4.6.2");
#endif
#if NET461 || NET_CORE
if (Config.BrokerCreatorFunc == null)
{
throw new PlatformNotSupportedException(
"The Windows broker is not directly available on MSAL for .NET Framework or .NET Core 3.x" +
" To use it, please install the nuget package named Microsoft.Identity.Client.Desktop " +
"and call the extension method .WithWindowsBroker(true)");
}
#endif
#if NET461 || WINDOWS_APP || NET5_WIN
if (!Config.ExperimentalFeaturesEnabled)
{
throw new MsalClientException(
MsalError.ExperimentalFeature,
MsalErrorMessage.ExperimentalFeature(nameof(WithBroker)));
}
#endif
#pragma warning disable CS0162 // Unreachable code detected
Config.IsBrokerEnabled = enableBroker;
return(this);
#pragma warning restore CS0162 // Unreachable code detected
}
internal void ValidateUseOfExperimentalFeature([System.Runtime.CompilerServices.CallerMemberName] string memberName = "")
{
if (!ServiceBundle.Config.ExperimentalFeaturesEnabled)
{
throw new MsalClientException(
MsalError.ExperimentalFeature,
MsalErrorMessage.ExperimentalFeature(memberName));
}
}
/// <summary>
/// Specifies if the token request should be sent to regional ESTS.
/// If set, MSAL tries to auto-detect and use a regional Azure authority. This helps keep the authentication traffic inside the Azure region.
/// If the region cannot be determined (e.g. not running on Azure), MSALClientException is thrown with error code region_discovery_failed.
/// This feature requires configuration at tenant level.
/// By default the value for this variable is false.
/// </summary>
/// <param name="autoDetectRegion"><c>true</c> if the token request should be sent to regional ESTS. Otherwise <c>false</c>.
/// The default is <c>false</c></param>
/// <returns>The builder to chain the .With methods</returns>
public AcquireTokenForClientParameterBuilder WithAzureRegion(bool autoDetectRegion)
{
if (!ServiceBundle.Config.ExperimentalFeaturesEnabled)
{
throw new MsalClientException(
MsalError.ExperimentalFeature,
MsalErrorMessage.ExperimentalFeature(nameof(WithAzureRegion)));
}
CommonParameters.AddApiTelemetryFeature(ApiTelemetryFeature.WithAzureRegion, autoDetectRegion);
Parameters.AutoDetectRegion = autoDetectRegion;
return(this);
}
private static void ValidateTypeMismatch(AuthorityInfo configAuthorityInfo, AuthorityInfo requestAuthorityInfo)
{
if (!configAuthorityInfo.IsDefaultAuthority &&
requestAuthorityInfo != null &&
configAuthorityInfo.AuthorityType != requestAuthorityInfo.AuthorityType)
{
throw new MsalClientException(
MsalError.AuthorityTypeMismatch,
MsalErrorMessage.AuthorityTypeMismatch(
configAuthorityInfo.AuthorityType,
requestAuthorityInfo.AuthorityType));
}
}
[System.ComponentModel.EditorBrowsable(System.ComponentModel.EditorBrowsableState.Never)] // hide confidential client on mobile
#endif
public PublicClientApplicationBuilder WithBroker(bool enableBroker = true)
{
#if DESKTOP || WINDOWS_APP
if (!Config.ExperimentalFeaturesEnabled)
{
throw new MsalClientException(
MsalError.ExperimentalFeature,
MsalErrorMessage.ExperimentalFeature(nameof(WithBroker)));
}
#endif
Config.IsBrokerEnabled = enableBroker;
return(this);
}
/// <inheritdoc />
internal override void Validate()
{
base.Validate();
if (string.IsNullOrWhiteSpace(Config.RedirectUri))
{
Config.RedirectUri = PlatformProxyFactory.CreatePlatformProxy(null)
.GetDefaultRedirectUri(Config.ClientId, Config.UseRecommendedDefaultRedirectUri);
}
if (!Uri.TryCreate(Config.RedirectUri, UriKind.Absolute, out Uri uriResult))
{
throw new InvalidOperationException(MsalErrorMessage.InvalidRedirectUriReceived(Config.RedirectUri));
}
}
/// <inheritdoc />
internal override void Validate()
{
base.Validate();
Config.ClientCredential = new ClientCredentialWrapper(Config);
if (string.IsNullOrWhiteSpace(Config.RedirectUri))
{
Config.RedirectUri = Constants.DefaultConfidentialClientRedirectUri;
}
if (!Uri.TryCreate(Config.RedirectUri, UriKind.Absolute, out Uri uriResult))
{
throw new InvalidOperationException(MsalErrorMessage.InvalidRedirectUriReceived(Config.RedirectUri));
}
}
/// <summary>
/// Sets the certificate associated with the application.
/// Applicable to first-party applications only, this method also allows to specify
/// if the <see href="https://datatracker.ietf.org/doc/html/rfc7517#section-4.7">x5c claim</see> should be sent to Azure AD.
/// Sending the x5c enables application developers to achieve easy certificate roll-over in Azure AD:
/// this method will send the certificate chain to Azure AD along with the token request,
/// so that Azure AD can use it to validate the subject name based on a trusted issuer policy.
/// This saves the application admin from the need to explicitly manage the certificate rollover
/// (either via portal or PowerShell/CLI operation). For details see https://aka.ms/msal-net-sni
/// </summary>
/// <param name="certificate">The X509 certificate used as credentials to prove the identity of the application to Azure AD.</param>
/// <param name="sendX5C">To send X5C with every request or not. The default is <c>false</c></param>
/// <remarks>You should use certificates with a private key size of at least 2048 bytes. Future versions of this library might reject certificates with smaller keys. </remarks>
public ConfidentialClientApplicationBuilder WithCertificate(X509Certificate2 certificate, bool sendX5C)
{
if (certificate == null)
{
throw new ArgumentNullException(nameof(certificate));
}
if (!certificate.HasPrivateKey)
{
throw new MsalClientException(MsalError.CertWithoutPrivateKey, MsalErrorMessage.CertMustHavePrivateKey(nameof(certificate)));
}
Config.ClientCredential = new CertificateClientCredential(certificate);
Config.SendX5C = sendX5C;
return(this);
}
/// <summary>
/// Modifies the token acquisition request so that the acquired token is a Proof of Possession token (PoP), rather than a Bearer token.
/// PoP tokens are similar to Bearer tokens, but are bound to the HTTP request and to a cryptographic key, which MSAL can manage on Windows.
/// See https://aka.ms/msal-net-pop
/// </summary>
/// <param name="popAuthenticationConfiguration">Configuration properties used to construct a proof of possession request.</param>
/// <remarks>
/// <list type="bullet">
/// <item> An Authentication header is automatically added to the request</item>
/// <item> The PoP token is bound to the HTTP request, more specifically to the HTTP method (GET, POST, etc.) and to the Uri (path and query, but not query parameters). </item>
/// <item> MSAL creates, reads and stores a key in memory that will be cycled every 8 hours.</item>
/// <item>This is an experimental API. The method signature may change in the future without involving a major version upgrade.</item>
/// </list>
/// </remarks>
public T WithProofOfPossession(PoPAuthenticationConfiguration popAuthenticationConfiguration)
{
if (!ServiceBundle.Config.ExperimentalFeaturesEnabled)
{
throw new MsalClientException(
MsalError.ExperimentalFeature,
MsalErrorMessage.ExperimentalFeature(nameof(WithProofOfPossession)));
}
CommonParameters.PopAuthenticationConfiguration = popAuthenticationConfiguration ?? throw new ArgumentNullException(nameof(popAuthenticationConfiguration));
CommonParameters.AddApiTelemetryFeature(ApiTelemetryFeature.WithPoPScheme);
CommonParameters.AuthenticationScheme = new PoPAuthenticationScheme(CommonParameters.PopAuthenticationConfiguration, ServiceBundle);
return(this as T);
}
/// <inheritdoc />
internal override void Validate()
{
base.Validate();
int countOfCredentialTypesSpecified = 0;
if (!string.IsNullOrWhiteSpace(Config.ClientSecret))
{
countOfCredentialTypesSpecified++;
}
if (Config.ClientCredentialCertificate != null)
{
countOfCredentialTypesSpecified++;
}
if (Config.ClientCredential != null)
{
countOfCredentialTypesSpecified++;
}
if (countOfCredentialTypesSpecified > 1)
{
throw new InvalidOperationException(MsalErrorMessage.ClientSecretAndCertificateAreMutuallyExclusive);
}
if (!string.IsNullOrWhiteSpace(Config.ClientSecret))
{
Config.ClientCredential = new ClientCredentialWrapper(Config.ClientSecret);
}
if (Config.ClientCredentialCertificate != null)
{
Config.ClientCredential = new ClientCredentialWrapper(new ClientAssertionCertificateWrapper(Config.ClientCredentialCertificate));
}
if (string.IsNullOrWhiteSpace(Config.RedirectUri))
{
Config.RedirectUri = Constants.DefaultConfidentialClientRedirectUri;
}
if (!Uri.TryCreate(Config.RedirectUri, UriKind.Absolute, out Uri uriResult))
{
throw new InvalidOperationException(MsalErrorMessage.InvalidRedirectUriReceived(Config.RedirectUri));
}
}
/// <summary>
/// Brokers enable Single-Sign-On, device identification,
/// and application identification verification. To enable one of these features,
/// you need to set the WithBroker() parameters to true. See https://aka.ms/msal-net-brokers
/// for more information on platform specific settings required to enable the broker.
///
/// On iOS and Android, Authenticator and Company Portal serve as brokers.
/// On Windows, WAM (Windows Account Manager) serves as broker. See https://aka.ms/msal-net-wam
/// </summary>
/// <param name="enableBroker">Determines whether or not to use broker with the default set to true.</param>
/// <returns>A <see cref="PublicClientApplicationBuilder"/> from which to set more
/// parameters, and to create a public client application instance</returns>
/// <remarks>If your app uses .NET classic or .NET Core 3.x, and you wish to use the Windows broker,
/// please install the nuget package Microsoft.Identity.Client.Desktop and call .WithDesktopFeatures()</remarks>
public PublicClientApplicationBuilder WithBroker(bool enableBroker = true)
{
#pragma warning disable CS0162 // Unreachable code detected
#if NET45
throw new PlatformNotSupportedException(
"The Windows broker is not available on .NET Framework 4.5, please use at least .NET Framework 4.6.2");
#endif
#if NET461
if (Config.BrokerCreatorFunc == null)
{
throw new PlatformNotSupportedException(
"The Windows broker is not directly available on MSAL for .NET Framework" +
" To use it, please install the nuget package named Microsoft.Identity.Client.Desktop " +
"and call the extension method .WithWindowsBroker() first.");
}
#endif
#if NET_CORE
if (Config.BrokerCreatorFunc == null && DesktopOsHelper.IsWindows())
{
throw new PlatformNotSupportedException(
"If you have a Windows application which targets net5 or net5-windows, please change the target to net5-windows10.0.17763.0. \nYour app can still run on earlier versions of Windows such as Win7 if you add <SupportedOSPlatformVersion>7</SupportedOSPlatformVersion> in the csproj.\n The broker (WAM) is available only on Win10 and this library will fallback to a browser on older systems. " +
"\n\r\n\rIf you have a NET5 cross-platform (Windows, Mac, Linux) application, please dual target net5 and net5-windows10.0.17763.0. Your installer should deploy the net5 version on Mac and Linux and the net5-window10.0.17763.0 on Windows." +
"\n\r\n\rIf you have a .NET Core 3.1 application, please install the nuget package named Microsoft.Identity.Client.Desktop and call the extension method .WithWindowsBroker() first. " +
"\n\rFor details see https://aka.ms/msal-net-wam and https://github.com/dotnet/designs/blob/main/accepted/2020/platform-checks/platform-checks.md ");
}
#endif
#if NET461 || WINDOWS_APP || NET5_WIN
if (!Config.ExperimentalFeaturesEnabled)
{
throw new MsalClientException(
MsalError.ExperimentalFeature,
MsalErrorMessage.ExperimentalFeature(nameof(WithBroker)));
}
#endif
Config.IsBrokerEnabled = enableBroker;
return(this);
#pragma warning restore CS0162 // Unreachable code detected
}
[System.ComponentModel.EditorBrowsable(System.ComponentModel.EditorBrowsableState.Never)] // hide confidential client on mobile
#endif
public AcquireTokenSilentParameterBuilder WithProofOfPossession(PoPAuthenticationConfiguration popAuthenticationConfiguration)
{
ConfidentialClientApplication.GuardMobileFrameworks();
if (!ServiceBundle.Config.ExperimentalFeaturesEnabled)
{
throw new MsalClientException(
MsalError.ExperimentalFeature,
MsalErrorMessage.ExperimentalFeature(nameof(WithProofOfPossession)));
}
CommonParameters.PopAuthenticationConfiguration = popAuthenticationConfiguration ?? throw new ArgumentNullException(nameof(popAuthenticationConfiguration));
CommonParameters.AddApiTelemetryFeature(ApiTelemetryFeature.WithPoPScheme);
CommonParameters.AuthenticationScheme = new PoPAuthenticationScheme(CommonParameters.PopAuthenticationConfiguration, ServiceBundle);
return(this);
}
/// <inheritdoc />
internal override void Validate()
{
base.Validate();
if (string.IsNullOrWhiteSpace(Config.RedirectUri))
{
Config.RedirectUri = Constants.DefaultConfidentialClientRedirectUri;
}
if (!Uri.TryCreate(Config.RedirectUri, UriKind.Absolute, out Uri uriResult))
{
throw new InvalidOperationException(MsalErrorMessage.InvalidRedirectUriReceived(Config.RedirectUri));
}
if (!string.IsNullOrEmpty(Config.AzureRegion) && (Config.CustomInstanceDiscoveryMetadata != null || Config.CustomInstanceDiscoveryMetadataUri != null))
{
throw new MsalClientException(MsalError.RegionDiscoveryWithCustomInstanceMetadata, MsalErrorMessage.RegionDiscoveryWithCustomInstanceMetadata);
}
}
/// <summary>
/// Brokers enable Single-Sign-On, device identification,
/// and application identification verification. To enable one of these features,
/// you need to set the WithBroker() parameters to true. See https://aka.ms/msal-net-brokers
/// for more information on platform specific settings required to enable the broker.
///
/// On iOS and Android, Authenticator and Company Portal serve as brokers.
/// On Windows, WAM (Windows Account Manager) serves as broker. See https://aka.ms/msal-net-wam
/// </summary>
/// <param name="enableBroker">Determines whether or not to use broker with the default set to true.</param>
/// <returns>A <see cref="PublicClientApplicationBuilder"/> from which to set more
/// parameters, and to create a public client application instance</returns>
/// <remarks>If your app uses .NET classic or .NET Core 3.x, and you wish to use the Windows broker,
/// please install the nuget package Microsoft.Identity.Client.Desktop and call .WithDesktopFeatures()</remarks>
public PublicClientApplicationBuilder WithBroker(bool enableBroker = true)
{
#pragma warning disable CS0162 // Unreachable code detected
#if NET45
throw new PlatformNotSupportedException(
"The Windows broker is not available on .NET Framework 4.5, please use at least .NET Framework 4.6.2");
#endif
#if NET461
if (Config.BrokerCreatorFunc == null)
{
throw new PlatformNotSupportedException(
"The Windows broker is not directly available on MSAL for .NET Framework" +
" To use it, please install the nuget package named Microsoft.Identity.Client.Desktop " +
"and call the extension method .WithDesktopFeatures() first.");
}
#endif
#if NET_CORE
if (Config.BrokerCreatorFunc == null && Platforms.Features.DesktopOs.DesktopOsHelper.IsWindows())
{
throw new PlatformNotSupportedException(
"If you have a Windows application which targets net5 or net5-windows, please change the target to net5-windows10.0.17763.0, which provides support from Win7 to Win10. For details see https://github.com/dotnet/designs/blob/main/accepted/2020/platform-checks/platform-checks.md" +
"If you have a cross-platform (Windows, Mac, Linux) application which targets net5, please dual target net5 and net5-windows10.0.17763.0. Your installer should deploy the net5 version on Mac and Linux and the net5-window10.0.17763.0 on Win7-Win10. For details see https://github.com/dotnet/designs/blob/main/accepted/2020/platform-checks/platform-checks.md" +
"If you have a .NET Core 3.1 application, please install the nuget package named Microsoft.Identity.Client.Desktop and call the extension method .WithDesktopFeatures() first.");
}
#endif
#if NET461 || WINDOWS_APP || NET5_WIN
if (!Config.ExperimentalFeaturesEnabled)
{
throw new MsalClientException(
MsalError.ExperimentalFeature,
MsalErrorMessage.ExperimentalFeature(nameof(WithBroker)));
}
#endif
Config.IsBrokerEnabled = enableBroker;
return(this);
#pragma warning restore CS0162 // Unreachable code detected
}
// Allows testing the PoP flow with any crypto. Consider making this public.
internal T WithProofOfPosession(HttpRequestMessage httpRequestMessage, IPoPCryptoProvider popCryptoProvider)
{
if (!ServiceBundle.Config.ExperimentalFeaturesEnabled)
{
throw new MsalClientException(
MsalError.ExperimentalFeature,
MsalErrorMessage.ExperimentalFeature(nameof(WithProofOfPosession)));
}
if (httpRequestMessage is null)
{
throw new ArgumentNullException(nameof(httpRequestMessage));
}
if (popCryptoProvider == null)
{
throw new ArgumentNullException(nameof(popCryptoProvider));
}
CommonParameters.AddApiTelemetryFeature(ApiTelemetryFeature.WithPoPScheme);
CommonParameters.AuthenticationScheme = new PoPAuthenticationScheme(httpRequestMessage, popCryptoProvider);
return(this as T);
}
