[Feature Request] Id.Web supports CIAM custom user domains

[jennyf19]

API experience

Add support for CIAM CUD authorities. See https://microsoft-my.sharepoint-df.com/:w:/p/jmprieur/EbtMcuWkuyRKnWTR8Fg9EAsBMn22Sy5Kni6YWOxTfYWjtg?e=GGad0r for spec

"AzureAd": {
    "ClientId": "12345-cdd4-46d4-9e68-db03240b4baa",      
    "Authority": "https://cats.ciamextensibility.com/111111-43bb-4ff9-89af-30ed8fe31c6d/v2.0"
},

Technical details

In MergedOptions:

• Add a new boolean property named PreserveAuthority
• in MergedOptions.ParseAuthorityIfNecessary, only set the mergedOptions.TenantId if mergedOptions.PreserveAuthority is false (as MSAL.NET does not want a tenantId when .WithOidcAuthority is used)

In AuthorityHelper.BuildCiamAuthorityIfNeeded, have a new out bool parameter preserveAuthority, which will be set to false if the authority is a CiamLogin.com authority and otherwise to true

In MicrosoftIdentityWebApiAuthenticationBuilderExtensions.cs and WebAppExtensions\MicrosoftIdentityWebAppAuthenticationBuilderExtensions.cs, after calling AuthorityHelper.BuildCiamAuthorityIfNeeded, set mergedOptions.PreserveAuthority based on the value of the out parameter.

In TokenAcquisition.BuildConfidentialClientApplicationAsync()

• if mergedOptions.PreserveAuthority is true, set the authority to mergedOptions.Authority and call builder.WithOidcAuthority(authority),
  otherwise do as today (WithAuthority, and WithB2CAuthority)

Need to MSAL 4.60.0-preview to get builder.WithOidcAuthority(authority)

Testing resources

MSAL 4.60.0-preview and a CIAM CUD test tenant can be found at https://microsofteur-my.sharepoint.com/:f:/g/personal/bogavril_microsoft_com/EoEwmcgN3oJAplznhkE-OosBAQc4xl7I2sNVC8TfDFR_JA?e=8M82R9

CIAM CUD is not currently available in the Lab.

[bgavrilMS]

Hi @jennyf19 - would you like MSAL to drop its restriction on setting the tenant for OIDC authorities? This could help ID.Web looks for the tid claim in the client token and uses WithTenantId when performing OBO. https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/main/tests/Microsoft.Identity.Test.Unit/ApiConfigTests/AuthorityTests.cs#L179

I think the web api use of WithTenantId only makes sense for AAD's authority which end in "common" or "organization" anyway.

[bgavrilMS]

I'd like to add a few acceptance tests to see if this matches my understanding. Can you please review this @jennyf19

Authority type	Id.Web config	OIDC document	MSAL API	MSAL example
AAD common	Instance: https://login.microsoftonline.com Tenant: common	https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration	WithAuthority	WithAuthority("https://login.microsoftonline.com/common")
AAD tenanted	Instance: https://login.microsoftonline.com/ Tenant: 12345	https://login.microsoftonline.com/12345/v2.0/.well-known/openid-configuration	WithAuthority	WithAuthority("https://login.microsoftonline.com/12345")
non-public AAD common	Instance: https://login.windows-ppe.net Tenant: common	https://login.windows-ppe.net/common/v2.0/.well-known/openid-configuration	WithAuthority	WithAuthority("https://login.windows-ppe.net/common")
B2C	??	https://cats.b2clogin.com/cats.onmicrosoft.com/B2C_1_signupsignin1/v2.0/.well-known/openid-configuration	WithB2CAuthority	WithB2CAuthority("https://cats.b2clogin.com/cats.onmicrosoft.com/tfp/B2C_1_signupsignin1")
B2C custom authority	??		WithB2CAuthority
B2C custom authority with v2	??		WithB2CAuthority
CIAM non-CUD	Authority: https://idgciamdemo.ciamlogin.com	https://idgciamdemo.ciamlogin.com/idgciamdemo.onmicrosoft.com/v2.0/.well-known/openid-configuration	WithAuthority	WithAuthority("https://idgciamdemo.ciamlogin.com/") or WithAuthority("https://idgciamdemo.ciamlogin.com/idgciamdemo.onmicrosoft.com")
CIAM CUD (new!)	Authority: https://cats.ciamextensibility.com/111111-43bb-4ff9-89af-30ed8fe31c6d/v2.0	OIDC: https://cats.ciamextensibility.com/111111-43bb-4ff9-89af-30ed8fe31c6d/v2.0/.well-known/openid-configuration	WithOidcAuthority	WithOidcAuthority("https://cats.ciamextensibility.com/111111-43bb-4ff9-89af-30ed8fe31c6d/v2.0")
dSTS	?		WithOidcAuthority ?
ADFS (not supported)	?		WithOidcAuthority ?

[jmprieur]

• B2C uses Instance and Domain, plus the default policy
• B2C custom authority are not supported
• dSTS: See the MISE doc

[benjaminclewis]

This change is breaking my AAD-tenanted auth scenario, which now complains that it can't use TenantId with "Generic" authority.

[jmprieur]

@benjaminclewis : when you use Authority, don't use Tenant. If you want to use Tenant, use Instance.
See #2741

[benjaminclewis]

I wasn't setting Authority, at least not in my appsettings or anywhere explicitly that I'm aware of. I can go back and double check when I have a moment but I worked around my issue by rolling back to 2.17.1 for now.

[benjaminclewis]

I've confirmed I'm not setting Authority, it appears to be getting set in internal Microsoft.Identity.Web code, in MergedOptions.UpdateMergedOptionsFromMicrosoftIdentityApplicationOptions, which gets it as (Instance?.TrimEnd('/') + "/" + TenantId + "/v2.0") if it's null in MicrosoftIdentityApplicationOptions.

[jmprieur]

@benjaminclewis : would you mind sharing your appsettings.json or AddMicrosoftWebXXX code?

[benjaminclewis]

"AzureAd": {
	"ClientId": "<CLIENT_ID>",
	"Instance": "https://login.microsoftonline.com/",
	"TenantId": "<TENANT_ID>",
	"Audience": "api://<TENANT_ID>/MyClientApp",
	"ClientSecret": "<CLIENT_SECRET>",
	"RedirectUri": "https://localhost:6001"
}