Description
Which version of MSAL are you using?
4.17.0
Platform
What authentication flow has the issue?
- [ ] Desktop / Mobile
- [ ] Interactive
- [ ] Integrated Windows Auth
- [ ] Username Password
- [ ] Device code flow (browserless)
- [ ] Web App
- [ ] Authorization code
- [ ] Web API
- [x] OBO
Repro
See also the customer bug in Microsoft.Identity.Web: [Bug] Token acquisition from different tenant not working (Microsoft.Identity.Web #344)
- Adele is a user of tenant contosodev and also a guest user of tenant msidentitysamplestesting.
- The developer has a web API that wants to acquire a token for Graph (user.read) on behalf of Adele in each of the two tenants (Adele's display name differs per tenant). Admin consent was granted for the web API in both tenants.
The Microsoft.Identity.Web code in the controller action of the web API is:

```csharp
// Same scopes, same signed-in user, different tenant ID per call.
string token1 = await _tokenAcquisition.GetAccessTokenForUserAsync(new string[] { "user.read" },
    "7f58f645-c190-4ce5-9de4-e2b7acd2a6ab").ConfigureAwait(false);
string token2 = await _tokenAcquisition.GetAccessTokenForUserAsync(new string[] { "user.read" },
    "3ebb7dbb-24a5-4083-b60c-5a5977aabf3d").ConfigureAwait(false);
```
Which translates into the following MSAL.NET calls:

```csharp
// Same user assertion and scopes for both calls; only the authority (tenant) differs.
var result1 = await _application
    .AcquireTokenOnBehalfOf(scopes.Except(_scopesRequestedByMsal),
        new UserAssertion(tokenUsedToCallTheWebApi))
    .WithAuthority(authorityOfTenant1)
    .ExecuteAsync()
    .ConfigureAwait(false);
var result2 = await _application
    .AcquireTokenOnBehalfOf(scopes.Except(_scopesRequestedByMsal),
        new UserAssertion(tokenUsedToCallTheWebApi))
    .WithAuthority(authorityOfTenant2)
    .ExecuteAsync()
    .ConfigureAwait(false);
token1 = result1.AccessToken;
token2 = result2.AccessToken;
```
Expected behavior
token1 and token2 should be different (in particular have a different issuer)
Actual behavior
token1 and token2 are the same: the authority does not seem to be respected during the cache lookup inside OBO.
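As an added example (not MSAL.NET or Microsoft.Identity.Web code), a guard the web API can run on each result before using it: it decodes the `tid` claim of the returned access token and compares it with the tenant that was requested via `WithAuthority`, so a cached token for the other tenant is rejected instead of being sent to Graph. The sample tokens are constructed and unsigned; the tenant IDs are the two from the repro above.

```csharp
using System;
using System.Text;
using System.Text.Json;
// Guard for the failure described above: after AcquireTokenOnBehalfOf(...).WithAuthority(tenant),
// confirm the returned token's "tid" claim really is that tenant, so a cache hit for the
// other tenant fails loudly instead of calling Graph as the wrong "Adele".
// It reads the payload only and does not validate the signature, because the token was just
// handed to this app by MSAL rather than received from a caller.
public static class TenantGuard
{
    static byte[] Base64UrlDecode(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4) { case 2: s += "=="; break; case 3: s += "="; break; }
        return Convert.FromBase64String(s);
    }
    // Returns the "tid" claim of a compact JWT, or null when the claim is absent.
    public static string GetTenantId(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length < 2) throw new ArgumentException("not a compact JWT", nameof(jwt));
        using var doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        return doc.RootElement.TryGetProperty("tid", out var tid) ? tid.GetString() : null;
    }
    public static void EnsureTokenIsForTenant(string jwt, string expectedTenantId)
    {
        var actual = GetTenantId(jwt);
        if (!string.Equals(actual, expectedTenantId, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(
                $"expected a token for tenant {expectedTenantId} but got one for {actual ?? "<no tid>"}");
    }
    // Constructed, unsigned sample tokens (hypothetical): enough to exercise the guard offline.
    static string B64Url(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json)).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static string SampleToken(string tid) =>
        B64Url("{\"alg\":\"none\"}") + "." +
        B64Url($"{{\"tid\":\"{tid}\",\"iss\":\"https://sts.windows.net/{tid}/\"}}") + ".";
    public static void Main()
    {
        const string tenant1 = "7f58f645-c190-4ce5-9de4-e2b7acd2a6ab";
        const string tenant2 = "3ebb7dbb-24a5-4083-b60c-5a5977aabf3d";
        string token1 = SampleToken(tenant1);
        EnsureTokenIsForTenant(token1, tenant1);                 // passes: token is for tenant1
        try { EnsureTokenIsForTenant(token1, tenant2); }        // what the cache bug would hand back for tenant2
        catch (InvalidOperationException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

In the real controller, call `EnsureTokenIsForTenant(result.AccessToken, tenantId)` right after each acquisition; with the bug present, the second call throws instead of returning tenant1's token.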
Note
@jennyf19 investigated and confirmed the issue: disabling the cache lookup in OBO yields the right tokens (jennyf/obo branch in MSAL.NET, and jennyf/tenants in Microsoft.Identity.Web).
Ask Jean-Marc or Jenny for the app coordinates and the repro user (Adele)