Azure-Samples / ms-identity-aspnet-webapp-openidconnect

A sample showcasing how to develop a web application that handles sign-on via the unified Azure AD and MSA endpoint, so that users can sign in using either their work/school account or a Microsoft account. The sample also shows how to use MSAL to obtain a token for invoking the Microsoft Graph, as well as incremental consent.
MIT License
171 stars 72 forks

GetAccountAsync does not work with Guest account in single tenant configuration #46

Open lybax opened 3 years ago

lybax commented 3 years ago

Hi,

I'm using this sample because it's the closest to our application, i.e. using .NET Framework. Our requirement is to support external-user (guest account) authentication on our AAD tenant. The authorization is performed on AD groups assigned to these guest accounts in our AAD tenant. Therefore, we need to configure the application in single-tenant mode (using our tenant id); otherwise the access token will be issued by the guest account's tenant and the call to the Microsoft Graph API to retrieve the authenticated user's AD groups will be performed on the tenant of the user instead of ours.

The problem is that in single-tenant mode, ClaimsPrincipal.Current.GetAccountId() does not return the same value as TokenCacheNotificationArgs.SuggestedCacheKey:

Indeed, GetAccountId returns the "objectId.tenantId" from our AAD tenant, whereas the SuggestedCacheKey manages for some reason (I couldn't find out how) to retrieve the correct HomeAccountId from the user's tenant. As a result, GetAccountAsync returns null and AcquireTokenSilent doesn't work.

Thank you for your help.
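As an added example (not the sample's code, not Microsoft.Identity.Web's, and not part of the issue above), the following C# reconstructs the two identifiers the post compares and keys the MSAL cache lookup by the one MSAL actually uses. It assumes the claim types the sample's GetAccountId() reads (objectidentifier/tenantid), that the app receives the base64url-encoded `client_info` JSON (`uid`/`utid`) that MSAL derives HomeAccountId from, and that System.Text.Json and MSAL.NET (Microsoft.Identity.Client) are referenced. The claim names `uid`/`utid`, the helper names, and the GUIDs are this example's own constructions, not values from the sample or any real tenant.

```csharp
using System;
using System.Security.Claims;
using System.Text;
using System.Text.Json;                 // NuGet package on .NET Framework (assumption: referenced)
using System.Threading.Tasks;
using Microsoft.Identity.Client;        // MSAL.NET (assumption: referenced)

// Added example, not code from the sample. For a guest user in a single-tenant
// registration the id_token's oid/tid identify the guest object in the resource
// tenant, while MSAL keys its cache by the home identifiers from client_info.
static class GuestAccountIdDemo
{
    const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";
    // Claim types used here to carry the home identifiers (assumption: chosen for this example).
    const string HomeObjectIdClaim = "uid";
    const string HomeTenantIdClaim = "utid";

    // Equivalent of the sample's GetAccountId(): object id and tenant id from the id_token.
    public static string GetAccountIdFromIdToken(ClaimsPrincipal principal)
    {
        return principal.FindFirst(ObjectIdClaim)?.Value + "." + principal.FindFirst(TenantIdClaim)?.Value;
    }

    // The identifier MSAL builds for IAccount.HomeAccountId (the SuggestedCacheKey):
    // uid.utid decoded from the base64url client_info JSON returned with the tokens.
    public static string GetHomeAccountIdFromClientInfo(string clientInfo)
    {
        using (JsonDocument doc = JsonDocument.Parse(Base64UrlDecode(clientInfo)))
        {
            return doc.RootElement.GetProperty("uid").GetString() + "." +
                   doc.RootElement.GetProperty("utid").GetString();
        }
    }

    // Call once when the tokens are redeemed (e.g. in the OIDC middleware's token-validated
    // notification) so the home identifiers travel with the principal in the auth cookie.
    public static void AddHomeAccountClaims(ClaimsIdentity identity, string clientInfo)
    {
        string[] parts = GetHomeAccountIdFromClientInfo(clientInfo).Split('.');
        identity.AddClaim(new Claim(HomeObjectIdClaim, parts[0]));
        identity.AddClaim(new Claim(HomeTenantIdClaim, parts[1]));
    }

    // The key to pass to GetAccountAsync(): prefer the home identifiers, fall back to
    // oid.tid (correct only for members of the app's own tenant).
    public static string GetMsalAccountId(ClaimsPrincipal principal)
    {
        string uid = principal.FindFirst(HomeObjectIdClaim)?.Value;
        string utid = principal.FindFirst(HomeTenantIdClaim)?.Value;
        return string.IsNullOrEmpty(uid) || string.IsNullOrEmpty(utid)
            ? GetAccountIdFromIdToken(principal)
            : uid + "." + utid;
    }

    // Silent token acquisition for Graph, keyed by the home account id.
    public static async Task<string> AcquireGraphTokenSilentlyAsync(
        IConfidentialClientApplication app, ClaimsPrincipal principal, string[] scopes)
    {
        IAccount account = await app.GetAccountAsync(GetMsalAccountId(principal));
        if (account == null)
            return null; // nothing cached under this key: the caller must redirect to sign-in
        AuthenticationResult result = await app.AcquireTokenSilent(scopes, account).ExecuteAsync();
        return result.AccessToken;
    }

    static string Base64UrlDecode(string value)
    {
        string s = value.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }

    static string Base64UrlEncode(string value)
    {
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(value))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    static void Main()
    {
        // Constructed sample identifiers; none refer to a real tenant or user.
        const string resourceTenant = "11111111-1111-1111-1111-111111111111"; // the app's single tenant
        const string guestObjectId  = "22222222-2222-2222-2222-222222222222"; // guest object in resourceTenant
        const string homeTenant     = "33333333-3333-3333-3333-333333333333"; // the guest's home tenant
        const string homeObjectId   = "44444444-4444-4444-4444-444444444444"; // the user in homeTenant

        // The id_token issued by the resource tenant carries the guest's oid/tid.
        var identity = new ClaimsIdentity(
            new[] { new Claim(ObjectIdClaim, guestObjectId), new Claim(TenantIdClaim, resourceTenant) },
            "OpenIdConnect");
        var principal = new ClaimsPrincipal(identity);

        // client_info (constructed) carries the home identifiers MSAL keys the cache on.
        string clientInfo = Base64UrlEncode("{\"uid\":\"" + homeObjectId + "\",\"utid\":\"" + homeTenant + "\"}");

        Console.WriteLine("GetAccountId (id_token oid.tid): " + GetAccountIdFromIdToken(principal));
        Console.WriteLine("SuggestedCacheKey (uid.utid):    " + GetHomeAccountIdFromClientInfo(clientInfo));
        AddHomeAccountClaims(identity, clientInfo);
        Console.WriteLine("GetMsalAccountId after fix:      " + GetMsalAccountId(principal));
    }
}
```

The first two lines printed differ for the guest (guest oid and resource tenant versus home oid and home tenant), which is why GetAccountAsync keyed by the sample's GetAccountId() returns null; after the home claims are added, GetMsalAccountId yields the same string MSAL used as the cache key. AcquireTokenSilent still throws MsalUiRequiredException when the cached entry has no usable token, so callers should handle that by redirecting to sign-in as well.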

jmprieur commented 3 years ago

@jennyf19. We also need to improve this sample by adding a call to the user info endpoint. It seems we'd better have Microsoft.Identity.Web support ASP.NET directly.