Fix validating B2C issuer with tfp in issuer URI. (#340)

* Fix validating B2C issuer with tfp in issuer URI.
AzureAD · Aug 5, 2020 · d33ab13 · d33ab13
1 parent 2c32d37
commit d33ab13
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 4 deletions.
diff --git a/src/Microsoft.Identity.Web/Constants/IDWebErrorMessage.cs b/src/Microsoft.Identity.Web/Constants/IDWebErrorMessage.cs
@@ -33,6 +33,7 @@ internal static class IDWebErrorMessage
         public const string IssuerMetadataUrlIsRequired = "IDW10301: Azure AD Issuer metadata address URL is required. ";
         public const string NoMetadataDocumentRetrieverProvided = "IDW10302: No metadata document retriever is provided. ";
         public const string IssuerDoesNotMatchValidIssuers = "IDW10303: Issuer: '{0}', does not match any of the valid issuers provided for this application. ";
+        public const string B2CTfpIssuerNotSupported = "IDW10304: Microsoft Identity Web does not support a B2C issuer with 'tfp' in the URI. See https://aka.ms/ms-id-web/b2c-issuer for details.";
 
         // Protocol IDW10400 = "IDW10400:"
         public const string TenantIdClaimNotPresentInToken = "IDW10401: Neither `tid` nor `tenantId` claim is present in the token obtained from Microsoft identity platform. ";

diff --git a/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml b/src/Microsoft.Identity.Web/Microsoft.Identity.Web.xml
diff --git a/src/Microsoft.Identity.Web/Resource/AadIssuerValidator.cs b/src/Microsoft.Identity.Web/Resource/AadIssuerValidator.cs
@@ -199,7 +199,11 @@ private static string GetTenantIdFromToken(SecurityToken securityToken)
             return string.Empty;
         }
 
-        // The AAD "iss" claims contains the tenant ID in its value. The URI is {domain}/{tid}/v2.0
+        // The AAD "iss" claims contains the tenant ID in its value.
+        // The URI can be
+        // - {domain}/{tid}/v2.0
+        // - {domain}/{tid}/v2.0/
+        // - {domain}/{tfp}/{tid}/{userFlow}/v2.0/
         private static string GetTenantIdFromIss(string iss)
         {
             if (string.IsNullOrEmpty(iss))
@@ -209,11 +213,19 @@ private static string GetTenantIdFromIss(string iss)
 
             var uri = new Uri(iss);
 
-            if (uri.Segments.Length > 1)
+            if (uri.Segments.Length == 3)
             {
                 return uri.Segments[1].TrimEnd('/');
             }
 
+            if (uri.Segments.Length == 5 && uri.Segments[1].TrimEnd('/') == ClaimConstants.Tfp)
+            {
+                throw new SecurityTokenInvalidIssuerException(
+                    string.Format(
+                        CultureInfo.InvariantCulture,
+                        IDWebErrorMessage.B2CTfpIssuerNotSupported));
+            }
+
             return string.Empty;
         }
     }

diff --git a/tests/Microsoft.Identity.Web.Test.Common/TestConstants.cs b/tests/Microsoft.Identity.Web.Test.Common/TestConstants.cs
@@ -65,6 +65,7 @@ public static class TestConstants
         public const string B2CIssuer2 = B2CInstance2 + "/" + B2CTenantAsGuid + "/v2.0";
         public const string B2CCustomDomainIssuer = B2CCustomDomainInstance + "/" + B2CTenantAsGuid + "/v2.0";
         public const string Scopes = "openid profile offline_access api://someapi";
+        public const string B2CIssuerTfp = B2CInstance + "/" + ClaimConstants.Tfp + "/" + B2CTenantAsGuid + "/" + B2CSignUpSignInUserFlow + "/v2.0";
 
         // Claims
         public const string ClaimNameTid = "tid";

diff --git a/tests/Microsoft.Identity.Web.Test/Resource/AadIssuerValidatorTests.cs b/tests/Microsoft.Identity.Web.Test/Resource/AadIssuerValidatorTests.cs
@@ -340,5 +340,24 @@ public void Validate_FromCustomB2CAuthority_ValidateSuccessfully()
                     ValidIssuers = new[] { TestConstants.B2CCustomDomainIssuer },
                 });
         }
+
+        [Fact]
+        public void Validate_FromB2CAuthority_WithTfpIssuer_ThrowsException()
+        {
+            Claim issClaim = new Claim(TestConstants.ClaimNameIss, TestConstants.B2CIssuerTfp);
+            JwtSecurityToken jwtSecurityToken = new JwtSecurityToken(issuer: TestConstants.B2CIssuerTfp, claims: new[] { issClaim });
+
+            AadIssuerValidator validator = AadIssuerValidator.GetIssuerValidator(TestConstants.B2CAuthorityWithV2);
+
+            var exception = Assert.Throws<SecurityTokenInvalidIssuerException>(() =>
+                validator.Validate(
+                    TestConstants.B2CIssuerTfp,
+                    jwtSecurityToken,
+                    new TokenValidationParameters()
+                    {
+                        ValidIssuers = new[] { TestConstants.B2CIssuerTfp },
+                    }));
+            Assert.Equal(IDWebErrorMessage.B2CTfpIssuerNotSupported, exception.Message);
+        }
     }
 }