Throw an ArgumentException if tenant is 'common' or 'organizations' f…

…or acquire token for app scenarios (#795) * Add support for tenant selection when using AppOnly Microsoft Graph. * Add Common tenant to meta tenant identifiers and check for TenantId not to match when obtaining token via client_credentials flow. Fixes #793 * Allow client_credentials to function with consumers endpoint. * Explicitly provide tenantId from configuration if not specified when obtaining token via client_credentials. Streamline argument validation.
AzureAD · Dec 2, 2020 · d566dca · d566dca
1 parent 8fa27af
commit d566dca
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/Microsoft.Identity.Web/TokenAcquisition.cs b/src/Microsoft.Identity.Web/TokenAcquisition.cs
@@ -86,8 +86,8 @@ public TokenAcquisition(
         private readonly ISet<string> _metaTenantIdentifiers = new HashSet<string>(
             new[]
             {
+                Constants.Common,
                 Constants.Organizations,
-                Constants.Consumers,
             },
             StringComparer.OrdinalIgnoreCase);
 
@@ -271,6 +271,11 @@ public async Task<string> GetAccessTokenForAppAsync(
                 throw new ArgumentException(IDWebErrorMessage.ClientCredentialScopeParameterShouldEndInDotDefault, nameof(scope));
             }
 
+            if (string.IsNullOrEmpty(tenant))
+            {
+                tenant = _applicationOptions.TenantId ?? _microsoftIdentityOptions.TenantId;
+            }
+
             if (!string.IsNullOrEmpty(tenant) && _metaTenantIdentifiers.Contains(tenant))
             {
                 throw new ArgumentException(IDWebErrorMessage.ClientCredentialTenantShouldBeTenanted, nameof(tenant));