
[Bug] Token acquisition from different tenant not working #344

Closed
1 task done
zvrba opened this issue Jul 21, 2020 · 6 comments
Assignees
Labels
bug Something isn't working fixed P1
Milestone

Comments

@zvrba

zvrba commented Jul 21, 2020

Which version of Microsoft Identity Web are you using?
Commit ID 8a043b7 , but the same problem experienced also with -master dated 2020-07-21.

Where is the issue?

  • Web API
    • Protected web APIs call downstream web APIs

Is this a new or an existing app?
The app is in production and I have upgraded to a new version of Microsoft Identity Web.

Repro

```csharp
// Repro: ask Microsoft Identity Web for a downstream token scoped to the tenant named in the user's "tid" claim
var tokenAcquisition = httpContext.RequestServices.GetRequiredService<Microsoft.Identity.Web.ITokenAcquisition>();
var tid = httpContext.User.FindFirst("tid").Value;
return tokenAcquisition.GetAccessTokenForUserAsync(new string[] { scope }, tid);
```

Expected behavior
Token issued by tenant B.

Actual behavior
When user in tenant A is a guest user in tenant B (identified by "tid"), this call returns a token issued by tenant A instead of token issued by tenant B ("tid").

Possible solution
Please see the attached patch. This is the same bug I previously reported for an older version.

TokenAcquisition.cs.txt
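A post-acquisition check that makes the mismatch described in this report fail fast in the web API instead of surfacing later as a Graph "Not found". This is added example code, not part of the report, the attached patch or Microsoft Identity Web; `TenantTokenCheck`, `ReadTidClaim`, `GetTokenForTenantAsync` and the demo tenant ids are assumptions, and the token decoded in `Main` is constructed and unsigned.

```csharp
using System;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Web;

public static class TenantTokenCheck
{
    // Reads the "tid" claim from the payload segment of a compact JWT without verifying
    // the signature. Only for inspecting a token this app just obtained from MSAL for itself;
    // never use this to accept a token presented by a caller.
    public static string ReadTidClaim(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length < 2) throw new FormatException("not a compact JWT");
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');   // restore base64 padding
        using var doc = JsonDocument.Parse(Convert.FromBase64String(b64));
        return doc.RootElement.TryGetProperty("tid", out var tid) ? tid.GetString() : null;
    }

    // Same call as the repro snippet, but the returned token is rejected when its "tid"
    // is not the tenant that was requested (tenant B), which is exactly the reported bug.
    public static async Task<string> GetTokenForTenantAsync(ITokenAcquisition tokenAcquisition, string scope, string tenantId)
    {
        var token = await tokenAcquisition.GetAccessTokenForUserAsync(new[] { scope }, tenantId);
        var issuedFor = ReadTidClaim(token);
        if (!string.Equals(issuedFor, tenantId, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(
                $"requested tenant {tenantId} but the token was issued for tenant {issuedFor ?? "(none)"}");
        return token;
    }

    static string B64Url(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static void Main()
    {
        // Constructed, unsigned demo token: "tid" is tenant-A although the caller asked for tenant-B.
        var header = B64Url(Encoding.UTF8.GetBytes("{\"alg\":\"none\"}"));
        var payload = B64Url(Encoding.UTF8.GetBytes("{\"aud\":\"https://graph.microsoft.com\",\"tid\":\"tenant-A\"}"));
        var demoToken = $"{header}.{payload}.";
        var issuedFor = ReadTidClaim(demoToken);
        Console.WriteLine(issuedFor == "tenant-B"
            ? "token matches requested tenant"
            : $"mismatch: requested tenant-B, token issued for {issuedFor}");
    }
}
```

Comparing the `tid` claim (rather than waiting for a directory lookup to fail) also gives the API a precise log line for the condition, which is how the mismatch in this report would show up in operation.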

@zvrba zvrba changed the title from "[Bug]" to "[Bug] Token acquisition from different tenant not working" Jul 21, 2020
@jmprieur jmprieur added bug Something isn't working P1 labels Jul 22, 2020
@jmprieur jmprieur added this to the [3] Fundamentals milestone Jul 24, 2020
@jennyf19
Collaborator

@zvrba I'm not able to repro this at the moment. Could you verify if the tenant admin has disabled user consent?

@jennyf19 jennyf19 self-assigned this Jul 27, 2020
@zvrba
Author

zvrba commented Jul 28, 2020

The application has a tenant-wide admin consent. I'm not sure which setting you're asking about, so I'm attaching a screenshot below.

Further details:

  • The admin of tenant B has granted a tenant-wide consent for the application
  • The user authenticates to the /common endpoint and receives a Graph token from its home tenant (tenant A)
  • Then my web API uses the above snippet with "tid" set to tenant B (where the user is a guest) to request another Graph token.
  • Using the token to query for a specific object in the directory fails with "Not found" because the token's issuer is A instead of B.

Debugging showed me a bunch of MSAL exceptions ("login hint not provided") which I traced back to the == vs != fix in the provided patch. Adding the authority to the application builder may or may not have had an effect.

(screenshot of the tenant consent settings attached in the original comment)

@jennyf19
Collaborator

@zvrba thanks for the additional info. I didn't see the patch in the original post, will take a look. thx.

@jennyf19
Collaborator

This issue is fixed in Microsoft Identity Web, but there is an additional fix needed in MSAL .NET, so moving this to blocked for now. That work will be in progress soon.

@jennyf19
Collaborator

jennyf19 commented Aug 4, 2020

moving this to done for us, as MSAL .NET has a fix that will go out in their next release.

@jennyf19 jennyf19 added fixed and removed blocked labels Aug 4, 2020
@jennyf19
Collaborator

jennyf19 commented Aug 7, 2020

Included in 0.2.2-preview release

@jennyf19 jennyf19 closed this as completed Aug 7, 2020
3 participants