Support CIAM custom URL domains #2029
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ureAD/microsoft-authentication-library-for-android into sammy/ciam-custom-url-domains
…tAuthority use OIDC endpoints
# Conflicts: # common
…nantID in path rather than tenantName.
fadidurah
reviewed
Feb 21, 2024
| // be a custom-URL-domain variant, which won't contain ciamlogin.com. | ||
| // Note: this will work as long as the issuer for CUD doesn't change, which it will | ||
| // in the future. See https://identitydivision.visualstudio.com/Engineering/_workitems/edit/2832277 | ||
| if (iss.contains(CIAMAuthority.CIAM_LOGIN_URL_SEGMENT) && !StringUtil.isEmpty(getEnvironment()) |
There was a problem hiding this comment.
Comment is a little confusing, so we know the issuer will change eventually? Linked Item has no description
There was a problem hiding this comment.
It's highly likely that the issuer will change, yes. But the full scope and business requirements of that effort are unknown (as well as timeline), so it doesn't make sense to optimise for that now.
Indeed the ADO ticket has no description; it's been difficult to get clarity on this from the owning PM and EM. They're working on other more high priority stuff.
Let me know if there is a better way to deal with this.
fadidurah
approved these changes
Feb 21, 2024
shahzaibj
approved these changes
Feb 23, 2024
SammyO
added a commit
to AzureAD/microsoft-authentication-library-common-for-android
that referenced
this pull request
Feb 27, 2024
This PR adds support for CIAM custom URL domains (CUD), through addressing the following: 1. A new way of composing authority URL, with format `https://<tenantName>.ciamlogin.com/<tenantId>` or `https://custom.domain.com/<tenantId>` to allow for OIDC lookup. 2. Token endpoint is taken from OIDC document, if available. (authorization endpoint was already taken from OIDC document) MSAL PR: AzureAD/microsoft-authentication-library-for-android#2029
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds support for CIAM custom URL domains (CUD), through addressing the following:
Account.getAuthority()looks at theissclaim to determine whether an authority is of type CIAM.Since CIAM token issuer split, the issuer claim will contain
ciamlogin.com.Note: this solution will work as long as the issuer of a CUD is not updated to reflect the custom domain. This will happen, in +- 1 year.
Account.getAuthority()returns a CIAM authority with URL formathttps://<authorityUrl>/<tenantId>(e.g.https://custom.domain.com/<tenantId>orhttps://<tenantName>.ciamlogin.com/<tenantId>), rather than the previoushttps://<authorityUrl>/<tenantName>.onmicrosoft.com. The latter can't be used to compose OpenID connect URL for CUD variants.Note: no E2E tests can be built for this feature yet, as the Labs environment is not set up. This is an ongoing effort (by Sammy and Ryan), see: https://identitydivision.visualstudio.com/Engineering/_dashboards/dashboard/4398d9a6-a49b-4a4a-a9b8-58ca2d24c6ab
MSAL common PR: AzureAD/microsoft-authentication-library-common-for-android#2314