Add Common tenant to meta tenant identifiers and check for TenantId n…

…ot to match when obtaining token via client_credentials flow. Fixes AzureAD#793
hajekj · Dec 1, 2020 · 8b61888 · 8b61888
1 parent 3b3698f
commit 8b61888
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/src/Microsoft.Identity.Web/TokenAcquisition.cs b/src/Microsoft.Identity.Web/TokenAcquisition.cs
@@ -86,6 +86,7 @@ public TokenAcquisition(
         private readonly ISet<string> _metaTenantIdentifiers = new HashSet<string>(
             new[]
             {
+                Constants.Common,
                 Constants.Organizations,
                 Constants.Consumers,
             },
@@ -276,6 +277,11 @@ public async Task<string> GetAccessTokenForAppAsync(
                 throw new ArgumentException(IDWebErrorMessage.ClientCredentialTenantShouldBeTenanted, nameof(tenant));
             }
 
+            if (!string.IsNullOrEmpty(_microsoftIdentityOptions.TenantId) && _metaTenantIdentifiers.Contains(_microsoftIdentityOptions.TenantId))
+            {
+                throw new ArgumentException(IDWebErrorMessage.ClientCredentialTenantShouldBeTenanted, nameof(_microsoftIdentityOptions.TenantId));
+            }
+
             // Use MSAL to get the right token to call the API
             _application = await GetOrBuildConfidentialClientApplicationAsync().ConfigureAwait(false);
             string authority = CreateAuthorityBasedOnTenantIfProvided(_application, tenant);