Merge branch 'master' into lozensky/AuthorityHttpsCheck

Author: jmprieur

.github/workflows/dotnetcore.yml

@@ -56,25 +56,25 @@ jobs:
         dotnet tool install -g dotnet-reportgenerator-globaltool --version 5.4.1
         reportgenerator -reports:./**/coverage.cobertura.xml -targetdir:CodeCoverage -reporttypes:'MarkdownSummaryGithub;Cobertura' -filefilters:'+src/**/*.cs'
 
-    - name: Write coverage to job summary
-      shell: bash
-      run: |
-        cat CodeCoverage/SummaryGithub.md >> $GITHUB_STEP_SUMMARY
-        echo "COMMENT_CONTENT_ENV_VAR<<EOF" >> $GITHUB_ENV
-        echo $(cat CodeCoverage/SummaryGithub.md) >> $GITHUB_ENV
-        echo "EOF" >> $GITHUB_ENV
-
-    - name: Comment coverage in PR
-      uses: actions/github-script@v7
-      id: comment
-      with:
-        script: |
-          github.rest.issues.createComment({
-            issue_number: context.issue.number,
-            owner: context.repo.owner,
-            repo: context.repo.repo,
-            body: process.env.COMMENT_CONTENT_ENV_VAR
-          })
+    # - name: Write coverage to job summary
+    #   shell: bash
+    #   run: |
+    #     cat CodeCoverage/SummaryGithub.md >> $GITHUB_STEP_SUMMARY
+    #     echo "COMMENT_CONTENT_ENV_VAR<<EOF" >> $GITHUB_ENV
+    #     echo $(cat CodeCoverage/SummaryGithub.md) >> $GITHUB_ENV
+    #     echo "EOF" >> $GITHUB_ENV
+
+    # - name: Comment coverage in PR
+    #   uses: actions/github-script@v7
+    #   id: comment
+    #   with:
+    #     script: |
+    #       github.rest.issues.createComment({
+    #         issue_number: context.issue.number,
+    #         owner: context.repo.owner,
+    #         repo: context.repo.repo,
+    #         body: process.env.COMMENT_CONTENT_ENV_VAR
+    #       })
 
     - name: Test with .NET 462
       run: dotnet test --no-restore --no-build Microsoft.Identity.Web.sln -f net462 -v normal -p:FROM_GITHUB_ACTION=true --configuration Release --filter "(FullyQualifiedName!~Microsoft.Identity.Web.Test.Integration)&(FullyQualifiedName!~WebAppUiTests)&(FullyQualifiedName!~IntegrationTests)"

src/Microsoft.Identity.Web.DownstreamApi/DownstreamApi.cs

@@ -28,6 +28,7 @@ internal partial class DownstreamApi : IDownstreamApi
         private readonly IOptionsMonitor<DownstreamApiOptions> _namedDownstreamApiOptions;
         private const string Authorization = "Authorization";
         protected readonly ILogger<DownstreamApi> _logger;
+        private const string AuthSchemeDstsSamlBearer = "http://schemas.microsoft.com/dsts/saml2-bearer";
 
         /// <summary>
         /// Constructor.
@@ -522,7 +523,15 @@ public Task<HttpResponseMessage> CallApiForAppAsync(
                        user,
                        cancellationToken).ConfigureAwait(false);
 
-                httpRequestMessage.Headers.Add(Authorization, authorizationHeader);
+                if (authorizationHeader.StartsWith(AuthSchemeDstsSamlBearer, StringComparison.OrdinalIgnoreCase))
+                {
+                    // TryAddWithoutValidation method bypasses strict validation, allowing non-standard headers to be added for custom Header schemes that cannot be parsed.
+                    httpRequestMessage.Headers.TryAddWithoutValidation(Authorization, authorizationHeader);
+                }
+                else
+                {
+                    httpRequestMessage.Headers.Add(Authorization, authorizationHeader);
+                }
             }
             else
             {

tests/Microsoft.Identity.Web.Test/DownstreamWebApiSupport/DownstreamApiTests.cs

@@ -24,14 +24,17 @@ namespace Microsoft.Identity.Web.Tests
     public class DownstreamApiTests
     {
         private readonly IAuthorizationHeaderProvider _authorizationHeaderProvider;
+        private readonly IAuthorizationHeaderProvider _authorizationHeaderProviderSaml;
         private readonly IHttpClientFactory _httpClientFactory;
         private readonly IOptionsMonitor<DownstreamApiOptions> _namedDownstreamApiOptions;
         private readonly ILogger<DownstreamApi> _logger;
         private readonly DownstreamApi _input;
+        private readonly DownstreamApi _inputSaml;
 
         public DownstreamApiTests()
         {
             _authorizationHeaderProvider = new MyAuthorizationHeaderProvider();
+            _authorizationHeaderProviderSaml = new MySamlAuthorizationHeaderProvider();
             _httpClientFactory = new HttpClientFactoryTest();
             _namedDownstreamApiOptions = new MyMonitor();
             _logger = new LoggerFactory().CreateLogger<DownstreamApi>();
@@ -41,6 +44,12 @@ public DownstreamApiTests()
              _namedDownstreamApiOptions,
              _httpClientFactory,
              _logger);
+
+            _inputSaml = new DownstreamApi(
+             _authorizationHeaderProviderSaml,
+             _namedDownstreamApiOptions,
+             _httpClientFactory,
+             _logger);
         }
 
         [Fact]
@@ -123,6 +132,32 @@ public async Task UpdateRequestAsync_WithScopes_AddsAuthorizationHeaderToRequest
             Assert.Equal(options.AcquireTokenOptions.ExtraQueryParameters, DownstreamApi.CallerSDKDetails);
         }
 
+        [Theory]
+        [InlineData(true)]
+        [InlineData(false)]
+
+        public async Task UpdateRequestAsync_WithScopes_AddsSamlAuthorizationHeaderToRequestAsync(bool appToken)
+        {
+            // Arrange
+            var httpRequestMessage = new HttpRequestMessage(HttpMethod.Get, "https://example.com");
+            var content = new StringContent("test content");
+            var options = new DownstreamApiOptions
+            {
+                Scopes = ["scope1", "scope2"],
+                BaseUrl = "https://localhost:44321/WeatherForecast"
+            };
+            var user = new ClaimsPrincipal();
+
+            // Act
+            await _inputSaml.UpdateRequestAsync(httpRequestMessage, content, options, appToken, user, CancellationToken.None);
+
+            // Assert
+            Assert.True(httpRequestMessage.Headers.Contains("Authorization"));
+            Assert.Equal("http://schemas.microsoft.com/dsts/saml2-bearer ey", httpRequestMessage.Headers.GetValues("Authorization").FirstOrDefault());
+            Assert.Equal("application/json", httpRequestMessage.Headers.Accept.Single().MediaType);
+            Assert.Equal(options.AcquireTokenOptions.ExtraQueryParameters, DownstreamApi.CallerSDKDetails);
+        }
+
         [Fact]
         public void SerializeInput_ReturnsCorrectHttpContent()
         {
@@ -420,5 +455,23 @@ public Task<string> CreateAuthorizationHeaderAsync(IEnumerable<string> scopes, A
             return Task.FromResult("Bearer ey");
         }
     }
+
+    public class MySamlAuthorizationHeaderProvider : IAuthorizationHeaderProvider
+    {
+        public Task<string> CreateAuthorizationHeaderForAppAsync(string scopes, AuthorizationHeaderProviderOptions? downstreamApiOptions = null, CancellationToken cancellationToken = default)
+        {
+            return Task.FromResult("http://schemas.microsoft.com/dsts/saml2-bearer ey");
+        }
+
+        public Task<string> CreateAuthorizationHeaderForUserAsync(IEnumerable<string> scopes, AuthorizationHeaderProviderOptions? authorizationHeaderProviderOptions = null, ClaimsPrincipal? claimsPrincipal = null, CancellationToken cancellationToken = default)
+        {
+            return Task.FromResult("http://schemas.microsoft.com/dsts/saml2-bearer ey");
+        }
+
+        public Task<string> CreateAuthorizationHeaderAsync(IEnumerable<string> scopes, AuthorizationHeaderProviderOptions? authorizationHeaderProviderOptions = null, ClaimsPrincipal? claimsPrincipal = null, CancellationToken cancellationToken = default)
+        {
+            return Task.FromResult("http://schemas.microsoft.com/dsts/saml2-bearer ey");
+        }
+    }
 }