When doing an OBO, if no tenant is specified, it should be possible to set the tenant to the user tenant (from the tid claim). This will come as a GUID, whereas the authority, in the case of CIAM, is a domain name.
This is blocking the Microsoft.Identity.Web OBO samples for CIAM.
Logs and network traces

```
Microsoft.Identity.Client.dll!Microsoft.Identity.Client.AbstractAcquireTokenParameterBuilder<Microsoft.Identity.Client.AcquireTokenOnBehalfOfParameterBuilder>.WithTenantId(string tenantId) Line 272 C#
Microsoft.Identity.Web.TokenAcquisition.dll!Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForWebApiToCallDownstreamApiAsync(Microsoft.Identity.Client.IConfidentialClientApplication application, string tenantId, System.Collections.Generic.IEnumerable scopes, Microsoft.Identity.Web.TokenAcquisitionOptions tokenAcquisitionOptions, Microsoft.Identity.Web.MergedOptions mergedOptions) Line 727 C#
Microsoft.Identity.Web.TokenAcquisition.dll!Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForUserAsync(System.Collections.Generic.IEnumerable scopes, string authenticationScheme, string tenantId, string userFlow, System.Security.Claims.ClaimsPrincipal user, Microsoft.Identity.Web.TokenAcquisitionOptions tokenAcquisitionOptions) Line 243 C#
Microsoft.Identity.Web.TokenAcquisition.dll!Microsoft.Identity.Web.TokenAcquisition.GetAccessTokenForUserAsync(System.Collections.Generic.IEnumerable scopes, string authenticationScheme, string tenantId, string userFlow, System.Security.Claims.ClaimsPrincipal user, Microsoft.Identity.Web.TokenAcquisitionOptions tokenAcquisitionOptions) Line 500 C#
Microsoft.Identity.Web.TokenAcquisition.dll!Microsoft.Identity.Web.ITokenAcquisition.GetAccessTokenForUserAsync(System.Collections.Generic.IEnumerable scopes, string tenantId, string userFlow, System.Security.Claims.ClaimsPrincipal user, Microsoft.Identity.Web.TokenAcquisitionOptions tokenAcquisitionOptions) Line 42 C#
TodoListService.dll!TodoListService.Controllers.TodoListController.GetAsync() Line 57 C#
```
Which version of MSAL.NET are you using?
4.54.1
What authentication flow has the issue?
* [x] On-Behalf-Of
Other?
With a CIAM authority
Is this a new or existing app?
```csharp
// Microsoft.Identity.Web: resolve the user from the incoming request and derive the
// tenant from the validated token's tid claim (a GUID), then apply it to the OBO request.
ClaimsPrincipal? user = _tokenAcquisitionHost.GetUserFromRequest();
var userTenant = string.Empty;
if (user != null)
{
    userTenant = user.GetTenantId();
    builder.WithCcsRoutingHint(user.GetObjectId(), userTenant);
}

// An explicitly requested tenant wins; otherwise fall back to the user's own tenant.
// With a CIAM authority, this WithTenantId call is what throws (see the stack trace above).
if (!string.IsNullOrEmpty(tenantId))
{
    builder.WithTenantId(tenantId);
}
else
{
    if (!string.IsNullOrEmpty(userTenant))
    {
        builder.WithTenantId(userTenant);
    }
}
```
Actual behavior
Exception:

```
Microsoft.Identity.Client.MsalClientException: 'WithTenantId can only be used when an AAD authority is specified at the application level.'
```
Expected behavior
It should be possible to override the tenant with a CIAM authority.
It's not up to MSAL.NET to decide if the IdP will reject it or not (it won't in that case).
Possible solution
AuthorityInfo.IsTenantOverrideSupported should be set to true for CIAM authorities.
Additional context / logs / screenshots / links to code
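A minimal stand-alone repro of the behaviour described above, added here as an example (it is not code from the MSAL.NET or Microsoft.Identity.Web repositories). The client id, client secret and CIAM tenant subdomain are placeholders; the tenant is read from the validated incoming token's tid claim, as Microsoft.Identity.Web does:

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class CiamOboRepro
{
    // Placeholders: replace with the app registration and CIAM tenant under test.
    const string ClientId = "<client-id>";
    const string ClientSecret = "<client-secret>";
    const string CiamAuthority = "https://<tenant-subdomain>.ciamlogin.com/"; // a domain, not a GUID

    // Acquires a downstream token on behalf of the caller of this web API.
    // `user` is the ClaimsPrincipal produced by validating `incomingAccessToken`.
    public static async Task<string> AcquireDownstreamTokenAsync(
        ClaimsPrincipal user, string incomingAccessToken, string[] downstreamScopes)
    {
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority(CiamAuthority)
            .Build();

        // The user's tenant comes from the validated token, never from unauthenticated input.
        string userTenant = user.FindFirst("tid")?.Value ?? string.Empty;

        try
        {
            var request = app.AcquireTokenOnBehalfOf(
                downstreamScopes, new UserAssertion(incomingAccessToken));

            if (!string.IsNullOrEmpty(userTenant))
            {
                // With MSAL.NET 4.54.1 this call throws MsalClientException for a CIAM
                // authority ("WithTenantId can only be used when an AAD authority is
                // specified at the application level."); nothing is sent to the IdP.
                request = request.WithTenantId(userTenant);
            }

            AuthenticationResult result = await request.ExecuteAsync();
            return result.AccessToken;
        }
        catch (MsalClientException ex)
        {
            // Client-side rejection: distinguish it from an IdP error (MsalServiceException)
            // so operators can see the override was refused locally, not by the tenant.
            throw new InvalidOperationException(
                $"MSAL.NET refused tenant override '{userTenant}' for authority {CiamAuthority}: {ex.ErrorCode}", ex);
        }
    }
}
```

Once AuthorityInfo.IsTenantOverrideSupported is true for CIAM authorities, the same code should reach ExecuteAsync and let the IdP decide whether the GUID tenant is acceptable.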