AzureAD / microsoft-authentication-library-for-java

Microsoft Authentication Library (MSAL) for Java http://aka.ms/aadv2
MIT License

[Bug] Discovery flow changes AAD Authority URL from login.partner.microsoftonline.cn to public cloud endpoint #816

Open yihezkel opened 4 months ago

yihezkel commented 4 months ago

Library version used

1.15.0

Java version

8

Scenario

ConfidentialClient - service to service (AcquireTokenForClient)

Is this a new or an existing app?

The app is in production, I haven't upgraded MSAL, but started seeing this issue

Issue description and reproduction steps

A user in MoonCake is getting an error with our SDK when it reaches MSAL’s validation that the authority URL is in the TRUSTED_HOSTS_SET allow-list. The issue is that we map the user’s destination URL to https://login.partner.microsoftonline.cn, whereas TRUSTED_HOSTS_SET only allows https://login.chinacloudapi.cn for MoonCake. I looked at various docs and code throughout Azure products, and though it seems the URL you use is more common, it seems the other URL is valid as well. Further supporting that they’re both valid, my understanding is https://login.partner.microsoftonline.cn was used as an alias for https://login.chinacloudapi.cn, and the discovery endpoint (/common/.well-known/openid-configuration) for both resolves to identical configurations, other than the hostname aliases.

No error is thrown. Instead, the default AAD authority URL (login.microsoftonline.com) is returned, which our ADX SDK code then unsuccessfully tries to use for the customer’s MoonCake cluster.

We therefore request support be added for the other URL as well.

Issue is present in v1.9.0, v1.13.10 and v1.15.0

[image]

Relevant code snippets

No response

Expected behavior

AAD authority URL https://login.partner.microsoftonline.cn should be in the allow-list, so that when it's passed in, it's returned back.

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response
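The failure mode described above (an authority host outside the library's allow-list silently being replaced by the public-cloud authority, so the app then sends its token request to the wrong cloud) is one a calling application can guard against on its own side until the alias is accepted upstream. The following is an added example, not MSAL's code or a fix to it: it keeps a small canonical-host set and an alias table for the two MoonCake hosts named in this issue (the alias relationship is taken from the issue text and is an assumption here), normalises an authority URL to its canonical host, and fails closed if the authority the library ended up using belongs to a different cloud than the one the application configured. How the application obtains the "effective" authority string (from its own logging or from the client it built) is left to the caller.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Caller-side guard for the symptom in this issue. Added example, not MSAL's
 * own code; the host set and alias table are assumptions drawn from the issue
 * text and are deliberately limited to the hosts it names. Java 8 compatible.
 */
public final class AuthorityHostGuard {

    /** Canonical login host per cloud: public cloud and MoonCake, as named in the issue. */
    private static final Set<String> CANONICAL_HOSTS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("login.microsoftonline.com", "login.chinacloudapi.cn")));

    /** Alias host -> canonical host. Assumed from the issue: the partner host aliases chinacloudapi. */
    private static final Map<String, String> ALIASES;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("login.partner.microsoftonline.cn", "login.chinacloudapi.cn");
        ALIASES = Collections.unmodifiableMap(m);
    }

    private AuthorityHostGuard() {}

    /** Extracts the lower-cased host of an authority URL, requiring https and a host component. */
    static String hostOf(String authority) {
        URI uri;
        try {
            uri = new URI(authority);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("authority is not a valid URI: " + authority, e);
        }
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null) {
            throw new IllegalArgumentException("authority must be an https URL with a host: " + authority);
        }
        return uri.getHost().toLowerCase(Locale.ROOT);
    }

    /** Maps an authority URL to its canonical trusted host, or throws if the host is unknown. */
    public static String canonicalHost(String authority) {
        String host = hostOf(authority);
        String canonical = ALIASES.getOrDefault(host, host);
        if (!CANONICAL_HOSTS.contains(canonical)) {
            throw new IllegalArgumentException("authority host is not in the trusted set: " + host);
        }
        return canonical;
    }

    /**
     * Fails closed when the authority the library resolved to belongs to a different
     * cloud than the one the application configured, instead of letting a token
     * request go to the wrong cloud.
     */
    public static void requireSameCloud(String configuredAuthority, String effectiveAuthority) {
        String expected = canonicalHost(configuredAuthority);
        String actual = canonicalHost(effectiveAuthority);
        if (!expected.equals(actual)) {
            throw new IllegalStateException("authority changed cloud: configured " + expected
                    + " but library resolved to " + actual + "; refusing to request tokens");
        }
    }

    public static void main(String[] args) {
        // The alias resolves to its canonical MoonCake host.
        System.out.println(canonicalHost("https://login.partner.microsoftonline.cn/common"));

        // The silent fallback from the issue is caught before any token request is made.
        try {
            requireSameCloud("https://login.partner.microsoftonline.cn/common",
                             "https://login.microsoftonline.com/common");
        } catch (IllegalStateException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The check is intentionally strict: an unknown host throws rather than being passed through, so extending the trusted set is an explicit code change, and a cross-cloud mismatch is treated as a hard failure rather than something to retry.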