
[Feature Request] Cross cloud B2B scenarios are supported by MSAL #2110

Closed
1 of 7 tasks
Joel-Intact opened this issue Oct 16, 2020 · 5 comments
@Joel-Intact (Author)

Which version of MSAL are you using?
MSAL - Microsoft.Identity.Client 4.20.1

Platform
UWP

What authentication flow has the issue?

  • Desktop / Mobile
    • Interactive
    • Integrated Windows Auth
    • Username Password
    • Device code flow (browserless)
  • Web App
    • Authorization code
    • OBO
  • Web API
    • OBO

Other? - please describe;

Is this a new or existing app?
The app is in production. I haven't upgraded MSAL, but started seeing this issue.

Repro

    using Microsoft.Identity.Client;

    // Public client whose app registration lives in a global-cloud tenant.
    // No authority is configured, so MSAL uses its default (global cloud) authority.
    _publicClientApp = PublicClientApplicationBuilder
        .Create(clientId)
        .Build();

    // Interactive sign-in; throws MsalServiceException (AADSTS900384) for accounts
    // homed in a US Gov tenant, while global-cloud accounts succeed.
    tokenResult = await _publicClientApp.AcquireTokenInteractive(scopes)
        .ExecuteAsync();

Expected behavior
Receive a successful AuthenticationResult with an AccessToken.

Actual behavior
Exception is thrown:

AADSTS900384: JWT token failed signature validation [Reason - The provided signature value did not match the expected signature value., Thumbprint of key used by client: 'thumbprint omitted - can provide upon request', Found key 'Start=09/13/2020 00:00:00, End=09/13/2025 00:00:00']
Trace ID: 707effe4-1eaf-4339-b63e-0194607b0100
Correlation ID: b7b39ffc-78dc-4927-9b52-c907090735e7
Timestamp: 2020-10-16 10:32:31Z

Possible Solution
Please see below.

Additional context/ Logs / Screenshots
Important details:

  • The application registration lives in a global cloud tenant.
  • This happens when logging in with accounts that are created in a US Gov tenant (global cloud tenants are fine).

Comparison for possible solution:

  • This scenario works without issues with the Microsoft.Identity.Web nuget package in an MVC project

Stacktrace:

    at Microsoft.Identity.Client.OAuth2.OAuth2Client.ThrowServerException(HttpResponse response, RequestContext requestContext)
    at Microsoft.Identity.Client.OAuth2.OAuth2Client.CreateResponse[T](HttpResponse response, RequestContext requestContext)
    at Microsoft.Identity.Client.OAuth2.OAuth2Client.d__111.MoveNext()
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.Identity.Client.OAuth2.OAuth2Client.<GetTokenAsync>d__10.MoveNext()
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.Identity.Client.OAuth2.TokenClient.<SendHttpAndClearTelemetryAsync>d__8.MoveNext()
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at Microsoft.Identity.Client.OAuth2.TokenClient.<SendHttpAndClearTelemetryAsync>d__8.MoveNext()
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.Identity.Client.OAuth2.TokenClient.<SendTokenRequestAsync>d__5.MoveNext()
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.<GetTokenResponseAsync>d__11.MoveNext()
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.<ExecuteAsync>d__8.MoveNext()
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.Identity.Client.Internal.Requests.RequestBase.<RunAsync>d__14.MoveNext()
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Microsoft.Identity.Client.ApiConfig.Executors.PublicClientExecutor.<ExecuteAsync>d__2.MoveNext()
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at System.Runtime.CompilerServices.TaskAwaiter1.GetResult()
    at Intact.PowerLine.ReAccess.ViewModels.AuthenticationViewModel.d__44.MoveNext() in C:\Users\Joel\source\repos\PowerLineReAccess\Intact.PowerLine.ReAccess\ViewModels\AuthenticationViewModel.cs:line 339

@bgavrilMS (Member)

I'm not sure why it works with Microsoft.Identity.Web. As far as I know, this is a feature called "multi cloud support" that is not currently implemented in MSAL. @jmprieur @henrik-me ?

@bgavrilMS changed the title from "[Bug] PublicClientApplication.AcquireTokenInteractive - AADSTS900384: JWT token failed signature validation" to "[Feature Request] Cross cloud B2B scenarios are supported by MSAL" on Oct 19, 2020

@bgavrilMS (Member)

Marking as a feature request, because MSAL does not support cross-cloud scenarios at this point in time.

@jmprieur (Contributor)

This would mean that the first part of the auth code flow for a confidential client works?
@Joel-Intact: which authority do you use with Microsoft.Identity.Web? By MVC, do you mean ASP.NET Core with an MVC web app?

@Joel-Intact (Author)

Correct, ASP.NET Core with MVC. I'm using login.microsoftonline.com/common; below is the AzureAd config section.

  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "common",
    "Domain": "azurepowerline.com",
    "ClientId": "the client id...",
    "CallbackPath": "/signin-oidc",
    "SignedOutCallbackPath": "/signout-callback-oidc"
  }

@jmprieur (Contributor)

This is something that Microsoft.Identity.Web multiple authentication schemes should solve.
Closing as a duplicate of AzureAD/microsoft-identity-web#955.
