Merge branch 'master' into trwalke/ExtraParameteAttributes

Author: trwalke

src/Microsoft.Identity.Web.AgentIdentities/AgentUserIdentityMsalAddIn.cs

@@ -44,7 +44,7 @@ internal static Task OnBeforeUserFicForAgentUserIdentityAsync(
                         string authenticationScheme = authenticationSchemeInformationProvider.GetEffectiveAuthenticationScheme(options.AuthenticationOptionsName);
                         ITokenAcquirer tokenAcquirer = tokenAcquirerFactory.GetTokenAcquirer(authenticationScheme);
                         ITokenAcquirer agentApplicationTokenAcquirer = tokenAcquirerFactory.GetTokenAcquirer();
-                        AcquireTokenResult aaFic = await agentApplicationTokenAcquirer.GetFicTokenAsync(new() { FmiPath = agentIdentity }); // Uses the regular client credentials
+                        AcquireTokenResult aaFic = await agentApplicationTokenAcquirer.GetFicTokenAsync(new() { Tenant = options.Tenant, FmiPath = agentIdentity }); // Uses the regular client credentials
                         string? clientAssertion = aaFic.AccessToken;
 
                         // Get the FIC token for the agent identity.
@@ -54,9 +54,9 @@ internal static Task OnBeforeUserFicForAgentUserIdentityAsync(
                             ClientId = agentIdentity,
                             Instance = microsoftIdentityApplicationOptions.Instance,
                             Authority = microsoftIdentityApplicationOptions.Authority,
-                            TenantId = microsoftIdentityApplicationOptions.TenantId
+                            TenantId = options.Tenant ?? microsoftIdentityApplicationOptions.TenantId
                         });
-                        AcquireTokenResult aidFic = await agentIdentityTokenAcquirer.GetFicTokenAsync(clientAssertion: clientAssertion); // Uses the agent identity
+                        AcquireTokenResult aidFic = await agentIdentityTokenAcquirer.GetFicTokenAsync(options: new() { Tenant = options.Tenant }, clientAssertion: clientAssertion); // Uses the agent identity
                         string? userFicAssertion = aidFic.AccessToken;
 
                         // Already in the request:

src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs

@@ -267,6 +267,7 @@ public async Task<AuthenticationResult> GetAuthenticationResultForUserAsync(
                 // If the user is not null and has claims xms-username and xms-password, perform ROPC for CCA
                 authenticationResult = await TryGetAuthenticationResultForConfidentialClientUsingRopcAsync(
                     application,
+                    tenantId,
                     scopes,
                     user,
                     mergedOptions,
@@ -338,7 +339,13 @@ public async Task<AuthenticationResult> GetAuthenticationResultForUserAsync(
         }
 
         // This method mutate the user claims to include claims uid and utid to perform the silent flow for subsequent calls.
-        private async Task<AuthenticationResult?> TryGetAuthenticationResultForConfidentialClientUsingRopcAsync(IConfidentialClientApplication application, IEnumerable<string> scopes, ClaimsPrincipal? user, MergedOptions mergedOptions, TokenAcquisitionOptions? tokenAcquisitionOptions)
+        private async Task<AuthenticationResult?> TryGetAuthenticationResultForConfidentialClientUsingRopcAsync(
+            IConfidentialClientApplication application,
+            string? tenantId,
+            IEnumerable<string> scopes,
+            ClaimsPrincipal? user,
+            MergedOptions mergedOptions,
+            TokenAcquisitionOptions? tokenAcquisitionOptions)
         {
             string? username = null;
             string? password = null;
@@ -426,6 +433,11 @@ public async Task<AuthenticationResult> GetAuthenticationResultForUserAsync(
                 {
                     builder.WithSignedHttpRequestProofOfPossession(tokenAcquisitionOptions.PoPConfiguration);
                 }
+
+                if (!string.IsNullOrEmpty(tenantId))
+                {
+                    builder.WithTenantId(tenantId);
+                }
             }
 
             var authenticationResult = await builder.ExecuteAsync().ConfigureAwait(false);

tests/E2E Tests/AgentApplications/AgentUserIdentityTestscs.cs

@@ -64,6 +64,62 @@ public async Task AgentUserIdentityGetsTokenForGraphAsync()
 #endif
         }
 
+        [Fact]
+        public async Task AgentUserIdentityGetsTokenForGraphWithTenantOverrideAsync()
+        {
+            string instance = "https://login.microsoftonline.com/";
+            string tenantId = "31a58c3b-ae9c-4448-9e8f-e9e143e800df";         // Replace with your tenant ID
+            string agentApplication = "d15884b6-a447-4dd5-a5a5-a668c49f6300"; // Replace with the actual agent application client ID
+            string agentIdentity = "d84da24a-2ea2-42b8-b5ab-8637ec208024";    // Replace with the actual agent identity
+            string userUpn = "aui1@msidlabtoint.onmicrosoft.com";             // Replace with the actual user upn.
+
+            IServiceCollection services = new ServiceCollection();
+
+            // Configure the information about the agent application
+            services.Configure<MicrosoftIdentityApplicationOptions>(
+                options =>
+                {
+                    options.Instance = instance;
+                    options.TenantId = "common"; // Replace with your tenant ID
+                    options.ClientId = agentApplication; // Agent application.
+                    options.ClientCredentials = [
+                        CertificateDescription.FromStoreWithDistinguishedName(
+                            "CN=LabAuth.MSIDLab.com", StoreLocation.LocalMachine, StoreName.My)
+                    ];
+                });
+            IServiceProvider serviceProvider = services.ConfigureServicesForAgentIdentitiesTests();
+
+            // Get an authorization header and handle the call to the downstream API yourself
+            IAuthorizationHeaderProvider authorizationHeaderProvider = serviceProvider.GetService<IAuthorizationHeaderProvider>()!;
+            AuthorizationHeaderProviderOptions options = new AuthorizationHeaderProviderOptions().WithAgentUserIdentity(
+                agentApplicationId: agentIdentity,
+                username: userUpn
+                );
+            options.AcquireTokenOptions.Tenant = tenantId;
+
+            string authorizationHeaderWithUserToken = await authorizationHeaderProvider.CreateAuthorizationHeaderForUserAsync(
+                scopes: ["https://graph.microsoft.com/.default"],
+                options);
+            Assert.NotNull(authorizationHeaderWithUserToken);
+
+            // If you want to call Microsoft Graph, just inject and use the Microsoft Graph SDK with the agent identity.
+            GraphServiceClient graphServiceClient = serviceProvider.GetRequiredService<GraphServiceClient>();
+            var me = await graphServiceClient.Me.GetAsync(r => r.Options.WithAuthenticationOptions(options =>
+            {
+                options.WithAgentUserIdentity(agentIdentity, userUpn);
+                options.AcquireTokenOptions.Tenant = tenantId;
+            }));
+            Assert.NotNull(me);
+
+#if DOWNSTREAM
+            // If you want to call downstream APIs letting IdWeb handle authentication.
+            IDownstreamApi downstream = serviceProvider.GetService<IDownstreamApi>()!;
+            string? response = await downstream.GetForAppAsync<string>("api", options => options.WithAgentIdentity("your-agent-identity-here"));
+            response = await downstream.GetForUserAsync<string>("api", options => options.WithAgentIdentity("your-agent-identity-here"));
+#endif
+        }
+
+
         [Fact]
         public async Task AgentUserIdentityGetsTokenForGraphWithCacheAsync()
         {