Add correct audience to token for non Azure public clouds (#593)

src/main/java/com/microsoft/jenkins/azuread/AzureSecurityRealm.java

@@ -140,7 +140,8 @@ public AccessToken getAccessToken() {
         ClientSecretCredential clientSecretCredential = getClientSecretCredential();
 
         TokenRequestContext tokenRequestContext = new TokenRequestContext();
-        tokenRequestContext.setScopes(singletonList("https://graph.microsoft.com/.default"));
+        String graphResource = AzureEnvironment.getGraphResource(getAzureEnvironmentName());
+        tokenRequestContext.setScopes(singletonList(graphResource + ".default"));
 
         AccessToken accessToken = clientSecretCredential.getToken(tokenRequestContext).block();
 

src/main/java/com/microsoft/jenkins/azuread/GraphClientCache.java

@@ -10,6 +10,7 @@
 import hudson.ProxyConfiguration;
 import hudson.util.Secret;
 import io.jenkins.plugins.azuresdk.HttpClientRetriever;
+import java.net.URI;
 import jenkins.model.Jenkins;
 import jenkins.util.JenkinsJVM;
 import okhttp3.Credentials;
@@ -21,6 +22,7 @@
 
 import static com.microsoft.jenkins.azuread.AzureEnvironment.AZURE_PUBLIC_CLOUD;
 import static com.microsoft.jenkins.azuread.AzureEnvironment.getAuthorityHost;
+import static com.microsoft.jenkins.azuread.AzureEnvironment.getGraphResource;
 import static com.microsoft.jenkins.azuread.AzureEnvironment.getServiceRoot;
 
 public class GraphClientCache {
@@ -38,7 +40,7 @@ private static GraphServiceClient<Request> createGraphClient(GraphClientCacheKey
         OkHttpClient.Builder builder = HttpClients.createDefault(authProvider)
                 .newBuilder();
 
-        builder = addProxyToHttpClientIfRequired(builder);
+        builder = addProxyToHttpClientIfRequired(builder, key.getAzureEnvironmentName());
         final OkHttpClient graphHttpClient = builder.build();
 
         GraphServiceClient<Request> graphServiceClient = GraphServiceClient
@@ -79,11 +81,13 @@ public static GraphServiceClient<Request> getClient(AzureSecurityRealm azureSecu
         return TOKEN_CACHE.get(key);
     }
 
-    public static OkHttpClient.Builder addProxyToHttpClientIfRequired(OkHttpClient.Builder builder) {
+    public static OkHttpClient.Builder addProxyToHttpClientIfRequired(OkHttpClient.Builder builder, String azureEnvironmentName) {
         if (JenkinsJVM.isJenkinsJVM()) {
             ProxyConfiguration proxyConfiguration = Jenkins.get().getProxy();
             if (proxyConfiguration != null && StringUtils.isNotBlank(proxyConfiguration.getName())) {
-                Proxy proxy = proxyConfiguration.createProxy("graph.microsoft.com");
+
+                String graphHost = URI.create(getGraphResource(azureEnvironmentName)).getHost();
+                Proxy proxy = proxyConfiguration.createProxy(graphHost);
 
                 builder = builder.proxy(proxy);
                 if (StringUtils.isNotBlank(proxyConfiguration.getUserName())) {

src/main/java/com/microsoft/jenkins/azuread/GraphProxy.java

@@ -165,7 +165,12 @@ private void proxy(StaplerRequest request, StaplerResponse response) throws IOEx
     private OkHttpClient getClient() {
         ProxyConfiguration proxyConfiguration = Jenkins.get().getProxy();
         if (proxyConfiguration != null && StringUtils.isNotBlank(proxyConfiguration.getName())) {
-            return addProxyToHttpClientIfRequired(new OkHttpClient().newBuilder()).build();
+            SecurityRealm securityRealm = Jenkins.get().getSecurityRealm();
+            AzureSecurityRealm azureSecurityRealm = ((AzureSecurityRealm) securityRealm);
+
+            String azureEnvironmentName = azureSecurityRealm.getAzureEnvironmentName();
+
+            return addProxyToHttpClientIfRequired(new OkHttpClient().newBuilder(), azureEnvironmentName).build();
         }
         return DEFAULT_CLIENT;
     }