Updating the tool to support CIAM tenants (#2248)

AzureAD · May 22, 2023 · 3b6e42a · 3b6e42a
1 parent 82b1bdf
commit 3b6e42a
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 53 deletions.
diff --git a/tools/app-provisioning-tool/app-provisioning-lib/CodeReaderWriter/CodeWriter.cs b/tools/app-provisioning-tool/app-provisioning-lib/CodeReaderWriter/CodeWriter.cs
@@ -190,9 +190,17 @@ private bool ReplaceInJSonFile(ApplicationParameters reconcialedApplicationParam
                     replacement = reconciledApplicationParameters.TargetFramework;
                     break;
                 case "Application.Authority":
-                    replacement = reconciledApplicationParameters.Authority;
-                    // Blazor b2C
-                    replacement = replacement?.Replace("onmicrosoft.com.b2clogin.com", "b2clogin.com", StringComparison.OrdinalIgnoreCase);
+                    if (reconciledApplicationParameters.IsCiam && reconciledApplicationParameters.Domain!=null)
+                    {
+                        replacement = "https://"
+                            + reconciledApplicationParameters.Domain.Replace(".onmicrosoft.com", ".ciamlogin.com", StringComparison.OrdinalIgnoreCase) + "/";
+                    }
+                    else
+                    {
+                        replacement = reconciledApplicationParameters.Authority;
+                        // Blazor b2C
+                        replacement = replacement?.Replace("onmicrosoft.com.b2clogin.com", "b2clogin.com", StringComparison.OrdinalIgnoreCase);
+                    }
                     break;
                 case "MsalAuthenticationOptions":
                     // Todo generalize with a directive: Ensure line after line, or ensure line

diff --git a/...g-lib/MicrosoftIdentityPlatformApplication/MicrosoftIdentityPlatformApplicationManager.cs b/...g-lib/MicrosoftIdentityPlatformApplication/MicrosoftIdentityPlatformApplicationManager.cs
@@ -474,20 +474,23 @@ private async Task AddPermission(
             }
 
             IEnumerable<string> scopes = g.Select(r => r.Scope.ToLower(CultureInfo.InvariantCulture));
-            var permissionScopes = spWithScopes.Oauth2PermissionScopes
+            var permissionScopes = spWithScopes.Oauth2PermissionScopes?
                 .Where(s => scopes.Contains(s.Value.ToLower(CultureInfo.InvariantCulture)));
 
-            RequiredResourceAccess requiredResourceAccess = new RequiredResourceAccess
+            if (permissionScopes != null)
             {
-                ResourceAppId = spWithScopes.AppId,
-                ResourceAccess = new List<ResourceAccess>(permissionScopes.Select(p =>
-                 new ResourceAccess
-                 {
-                     Id = p.Id,
-                     Type = ScopeType
-                 }))
-            };
-            apiRequests.Add(requiredResourceAccess);
+                RequiredResourceAccess requiredResourceAccess = new RequiredResourceAccess
+                {
+                    ResourceAppId = spWithScopes.AppId,
+                    ResourceAccess = new List<ResourceAccess>(permissionScopes.Select(p =>
+                     new ResourceAccess
+                     {
+                         Id = p.Id,
+                         Type = ScopeType
+                     }))
+                };
+                apiRequests.Add(requiredResourceAccess);
+            }
         }
 
         /// <summary>
@@ -578,15 +581,16 @@ private ApplicationParameters GetEffectiveApplicationParameters(
             Application application,
             ApplicationParameters originalApplicationParameters)
         {
-            bool isB2C = (tenant.TenantType == "AAD B2C") && !originalApplicationParameters.IsCiam;
+            bool isCiam = (tenant.TenantType == "CIAM");
+            bool isB2C = (tenant.TenantType == "AAD B2C");
             var effectiveApplicationParameters = new ApplicationParameters
             {
                 ApplicationDisplayName = application.DisplayName,
                 ClientId = application.AppId,
                 EffectiveClientId = application.AppId,
                 IsAAD = !isB2C,
                 IsB2C = isB2C,
-                IsCiam = originalApplicationParameters.IsCiam,
+                IsCiam = isCiam,
                 HasAuthentication = true,
                 IsWebApi = application.Api != null
                         && (application.Api.Oauth2PermissionScopes != null && application.Api.Oauth2PermissionScopes.Any())

diff --git a/tools/app-provisioning-tool/app-provisioning-lib/Tool/AppProvisioningTool.cs b/tools/app-provisioning-tool/app-provisioning-lib/Tool/AppProvisioningTool.cs
@@ -111,6 +111,19 @@ public AppProvisioningTool(ProvisioningToolOptions provisioningToolOptions)
                 tokenCredential,
                 projectSettings.ApplicationParameters);
 
+            // Add properties for CIAM (Authority instead of Instance)
+            if (effectiveApplicationParameters != null 
+                && effectiveApplicationParameters.IsCiam 
+                && !projectSettings.Replacements.Any(r => r.Property == "AzureAd:Authority"))
+            {
+                Replacement? r = projectSettings.Replacements.FirstOrDefault(r => r.Property == "AzureAd");
+                if (r != null)
+                {
+                    projectSettings.Replacements.Remove(r);
+                    projectSettings.Replacements.Add(new Replacement(r.FilePath, -1, -1, "", "Application.Authority", "AzureAd:Authority"));
+                }
+            }
+
             Summary summary = new Summary();
 
             // Reconciliate code configuration and app registration
@@ -281,22 +294,7 @@ private ProjectAuthenticationSettings InferApplicationParameters(
             // Override with the tools options
             projectSettings.ApplicationParameters.ApplicationDisplayName ??= Path.GetFileName(provisioningToolOptions.CodeFolder);
             projectSettings.ApplicationParameters.ClientId ??= provisioningToolOptions.ClientId;
-
-            // To do: Un-comment when the Graph API returns the right tenant type.
-            // projectSettings.ApplicationParameters.TenantId ??= provisioningToolOptions.TenantId;
-
-
-            WorkaroundCiam(projectSettings.ApplicationParameters, provisioningToolOptions.TenantId);
-            if (projectSettings.ApplicationParameters.IsCiam && !projectSettings.Replacements.Any(r => r.Property == "AzureAd:Authority"))
-            {
-                Replacement? r = projectSettings.Replacements.FirstOrDefault(r => r.Property == "AzureAd");
-                if (r != null)
-                {
-                    projectSettings.Replacements.Remove(r);
-                    projectSettings.Replacements.Add(new Replacement(r.FilePath, -1, -1, "", "Application.Authority", "AzureAd:Authority"));
-                    projectSettings.Replacements.Add(new Replacement(r.FilePath, -1, -1, "", "Application.ExtraQueryParameters", "AzureAd:ExtraQueryParameters"));
-                }
-            }
+            projectSettings.ApplicationParameters.TenantId ??= provisioningToolOptions.TenantId;
             projectSettings.ApplicationParameters.CalledApiScopes ??= provisioningToolOptions.CalledApiScopes;
             if (!string.IsNullOrEmpty(provisioningToolOptions.AppIdUri))
             {
@@ -305,27 +303,6 @@ private ProjectAuthenticationSettings InferApplicationParameters(
             return projectSettings;
         }
 
-        /// <summary>
-        /// Workaround for the Graph API not returning the right Tenant type
-        /// </summary>
-        /// <param name="applicationParameters"></param>
-        /// <param name="tenantId"></param>
-        private void WorkaroundCiam(ApplicationParameters applicationParameters, string? tenantId)
-        {
-            bool isCiam = false;
-            if (!string.IsNullOrWhiteSpace(tenantId) && tenantId.EndsWith(".ciamlogin.com", StringComparison.OrdinalIgnoreCase))
-            {
-                applicationParameters.IsCiam = true;
-                applicationParameters.IsB2C = false;
-                applicationParameters.EffectiveTenantId ??= tenantId.Replace(".ciamlogin.com", ".onmicrosoft.com", StringComparison.OrdinalIgnoreCase);
-            }
-            else
-            {
-                applicationParameters.IsCiam = false;
-                applicationParameters.EffectiveTenantId ??=tenantId ;
-            }
-        }
-
         private TokenCredential GetTokenCredential(ProvisioningToolOptions provisioningToolOptions, string? currentApplicationTenantId)
         {
             DeveloperCredentialsReader developerCredentialsReader = new DeveloperCredentialsReader();

diff --git a/tools/app-provisioning-tool/app-provisioning-tool/Properties/launchSettings.json b/tools/app-provisioning-tool/app-provisioning-tool/Properties/launchSettings.json
@@ -4,6 +4,11 @@
       "commandName": "Project",
       "commandLineArgs": "--tenant-id fabrikamb2c.onmicrosoft.com --susi-policy-id susi",
       "workingDirectory": "C:\\temp\\Provisioning\\ProjectDescriptionReaderTests\\webapp\\SingleOrgtoB2CTest"
+    },
+    "Profile 1": {
+      "commandName": "Project",
+      "commandLineArgs": "--tenant-id JmprieurTrialTenant.onmicrosoft.com",
+      "workingDirectory": "C:\\temp\\webapp2"
     }
   }
 }