Support CIAM custom URL domains #2029
Conversation
…ureAD/microsoft-authentication-library-for-android into sammy/ciam-custom-url-domains
…tAuthority use OIDC endpoints
# Conflicts: # common
…nantID in path rather than tenantName.
```java
// be a custom-URL-domain variant, which won't contain ciamlogin.com.
// Note: this will work as long as the issuer for CUD doesn't change, which it will
// in the future. See https://identitydivision.visualstudio.com/Engineering/_workitems/edit/2832277
if (iss.contains(CIAMAuthority.CIAM_LOGIN_URL_SEGMENT) && !StringUtil.isEmpty(getEnvironment())
```
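Review bot: `iss.contains(CIAMAuthority.CIAM_LOGIN_URL_SEGMENT)` is a substring match over the whole issuer string rather than a check on its host, so a `ciamlogin.com` segment appearing anywhere in the issuer (path, query) would classify the account as CIAM; parse `iss` as a URL and compare the host component (for example `host.endsWith(".ciamlogin.com")`) instead. The comment should also state what breaks when the CUD issuer changes, which the preceding line already implies: an issuer that no longer contains `ciamlogin.com` will stop being recognised as CIAM, so a unit test pinning the current behaviour and the linked work item would make the planned follow-up easier to find.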
The comment is a little confusing; so we know the issuer will change eventually? The linked item has no description.
It's highly likely that the issuer will change, yes. But the full scope and business requirements of that effort are unknown (as well as timeline), so it doesn't make sense to optimise for that now.
Indeed the ADO ticket has no description; it's been difficult to get clarity on this from the owning PM and EM. They're working on other more high priority stuff.
Let me know if there is a better way to deal with this.
This PR adds support for CIAM custom URL domains (CUD), through addressing the following:

1. A new way of composing the authority URL, with format `https://<tenantName>.ciamlogin.com/<tenantId>` or `https://custom.domain.com/<tenantId>`, to allow for OIDC lookup.
2. The token endpoint is taken from the OIDC document, if available (the authorization endpoint was already taken from the OIDC document).

MSAL PR: AzureAD/microsoft-authentication-library-for-android#2029
This PR adds support for CIAM custom URL domains (CUD), through addressing the following:

1. `Account.getAuthority()` looks at the `iss` claim to determine whether an authority is of type CIAM. Since the CIAM token issuer split, the issuer claim will contain `ciamlogin.com`. Note: this solution will work as long as the issuer of a CUD is not updated to reflect the custom domain. This will happen in approximately 1 year.
2. `Account.getAuthority()` returns a CIAM authority with URL format `https://<authorityUrl>/<tenantId>` (e.g. `https://custom.domain.com/<tenantId>` or `https://<tenantName>.ciamlogin.com/<tenantId>`), rather than the previous `https://<authorityUrl>/<tenantName>.onmicrosoft.com`. The latter can't be used to compose the OpenID Connect URL for CUD variants.

Note: no E2E tests can be built for this feature yet, as the Labs environment is not set up. This is an ongoing effort (by Sammy and Ryan), see: https://identitydivision.visualstudio.com/Engineering/_dashboards/dashboard/4398d9a6-a49b-4a4a-a9b8-58ca2d24c6ab

MSAL common PR: AzureAD/microsoft-authentication-library-common-for-android#2314
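The two authority rules described in this PR, as an added Java illustration that is not code from MSAL or the common library: a host-based CIAM issuer check (instead of a substring match) and the `https://<environment>/<tenantId>` composition used for OIDC lookup. `CiamAuthorityExample`, `CIAM_LOGIN_HOST_SUFFIX`, `isCiamIssuer`, `composeCiamAuthority` and `openIdConfigurationUrl` are assumed names, and the discovery path is the standard OpenID Connect Discovery one, not necessarily the path the library uses.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.regex.Pattern;

// Added illustration of the CIAM authority rules from the PR; not MSAL or common-library code.
public final class CiamAuthorityExample {
    // Assumed constant: the issuer host suffix the PR says a CIAM issuer carries.
    static final String CIAM_LOGIN_HOST_SUFFIX = ".ciamlogin.com";
    // Tenant IDs are GUIDs; anything else is rejected before it reaches the authority path.
    private static final Pattern GUID = Pattern.compile(
            "^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$");

    // True only when iss parses as an https URL whose host ends in .ciamlogin.com (path/query ignored).
    static boolean isCiamIssuer(String iss) {
        try {
            URI uri = new URI(iss);
            String host = uri.getHost();
            return "https".equalsIgnoreCase(uri.getScheme()) && host != null
                    && host.toLowerCase(Locale.ROOT).endsWith(CIAM_LOGIN_HOST_SUFFIX);
        } catch (URISyntaxException e) {
            return false;
        }
    }

    // Builds https://<environment>/<tenantId>; environment must be a bare host (custom domain or <tenantName>.ciamlogin.com).
    static String composeCiamAuthority(String environment, String tenantId) {
        if (environment == null || environment.isEmpty()
                || environment.contains("/") || environment.contains(":") || environment.contains("@")) {
            throw new IllegalArgumentException("environment must be a bare host name");
        }
        if (tenantId == null || !GUID.matcher(tenantId).matches()) {
            throw new IllegalArgumentException("tenantId must be a GUID");
        }
        return "https://" + environment.toLowerCase(Locale.ROOT) + "/" + tenantId.toLowerCase(Locale.ROOT);
    }

    // Discovery document the token endpoint is read from; assumes the standard OIDC Discovery path.
    static String openIdConfigurationUrl(String authority) {
        return authority + "/.well-known/openid-configuration";
    }

    public static void main(String[] args) {
        String tenantId = "00000000-0000-0000-0000-000000000001"; // constructed sample tenant
        System.out.println(isCiamIssuer("https://contoso.ciamlogin.com/" + tenantId + "/v2.0"));
        System.out.println(isCiamIssuer("https://other.example/path/ciamlogin.com"));
        System.out.println(composeCiamAuthority("custom.domain.com", tenantId));
        System.out.println(openIdConfigurationUrl(composeCiamAuthority("contoso.ciamlogin.com", tenantId)));
    }
}
```

The second `isCiamIssuer` call shows why the host, not the whole issuer string, should decide CIAM classification.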