Remove check on known hosts and adjust error message towards regular authority API

Avery-Dunn · Avery-Dunn · commit 2b697fcfb39c · 2025-07-24T14:31:20.000-07:00
diff --git a/msal/authority.py b/msal/authority.py
@@ -108,6 +108,9 @@ def __init__(
                 "The issuer '{iss}' does not match the authority '{auth}' or a known pattern. "
                 "When using the 'oidc_authority' parameter in ClientApplication, the authority "
                 "will be validated against the issuer from {auth}/.well-known/openid-configuration ."
+                "If using a known Entra authority (e.g. login.microsoftonline.com) the "
+                "'authority' parameter should be used instead of 'oidc_authority'. "
+                ""
             ).format(iss=self._issuer, auth=oidc_authority_url))
     def _initialize_oidc_authority(self, oidc_authority_url):
         authority, self.instance, tenant = canonicalize(oidc_authority_url)
@@ -189,7 +192,6 @@ def has_valid_issuer(self) -> bool:
 
             An issuer is valid if one of the following is true:
             - It exactly matches the authority URL
-            - It has a known Microsoft host (e.g., login.microsoftonline.com)
             - It has the same scheme and host as the authority (path can be different)
             - For CIAM, the issuer follows the pattern of {tenant}.ciamlogin.com (tenant comes from the authority)
             """
@@ -201,10 +203,6 @@ def has_valid_issuer(self) -> bool:
         if not issuer:
             return False
 
-        # Check if issuer has a known Microsoft host
-        if issuer.hostname in WELL_KNOWN_AUTHORITY_HOSTS:
-            return True
-
         # Check if issuer has the same scheme and host as the authority
         authority = urlparse(self._oidc_authority_url)
         if authority.scheme == issuer.scheme and authority.netloc == issuer.netloc:
diff --git a/tests/test_authority.py b/tests/test_authority.py
@@ -328,14 +328,6 @@ def test_no_issuer(self, tenant_discovery_mock):
             Authority(None, self.http_client, oidc_authority_url=authority_url)
         self.assertIn("issuer", str(context.exception).lower())
 
-    @patch("msal.authority.tenant_discovery")
-    def test_microsoft_host_issuer(self, tenant_discovery_mock):
-        """Test when issuer has a known Microsoft host"""
-        authority_url = "https://custom-domain.com/tenant"
-        issuer = f"https://{WORLD_WIDE}/tenant"
-        authority = self._create_authority_with_issuer(authority_url, issuer, tenant_discovery_mock)
-        self.assertTrue(authority.has_valid_issuer(), "Issuer should be valid when it has a known Microsoft host")
-    
     @patch("msal.authority.tenant_discovery")
     def test_same_scheme_and_host_different_path(self, tenant_discovery_mock):
         """Test when issuer has same scheme and host but different path"""
@@ -377,3 +369,46 @@ def test_invalid_issuer(self, tenant_discovery_mock):
         self.assertIn("issuer", str(context.exception).lower())
         self.assertIn(issuer, str(context.exception))
         self.assertIn(authority_url, str(context.exception))
+
+    @patch("msal.authority.tenant_discovery")
+    def test_custom_authority_with_microsoft_issuer(self, tenant_discovery_mock):
+        """Test when custom authority is used with a known Microsoft issuer (should fail)"""
+        authority_url = "https://custom-domain.com/tenant"
+        issuer = f"https://{WORLD_WIDE}/tenant"
+
+        tenant_discovery_mock.return_value = {
+            "authorization_endpoint": "https://example.com/oauth2/authorize",
+            "token_endpoint": "https://example.com/oauth2/token",
+            "issuer": issuer,
+        }
+
+        # Since initialization now checks for valid issuer and we removed the check for known hosts,
+        # we expect it to raise ValueError because the hosts don't match
+        with self.assertRaises(ValueError) as context:
+            Authority(None, self.http_client, oidc_authority_url=authority_url)
+
+        self.assertIn("issuer", str(context.exception).lower())
+        self.assertIn(issuer, str(context.exception))
+        self.assertIn(authority_url, str(context.exception))
+
+    @patch("msal.authority.tenant_discovery")
+    def test_known_authority_with_non_matching_issuer(self, tenant_discovery_mock):
+        """Test when known authority is used with an issuer that doesn't match (should fail)"""
+        # Known Microsoft authority URLs
+        authority_url = f"https://{WORLD_WIDE}/tenant"
+        issuer = "https://custom-domain.com/tenant"
+
+        tenant_discovery_mock.return_value = {
+            "authorization_endpoint": "https://example.com/oauth2/authorize",
+            "token_endpoint": "https://example.com/oauth2/token",
+            "issuer": issuer,
+        }
+
+        # We expect it to raise ValueError because the paths don't match
+        # and we're now checking for exact matches
+        with self.assertRaises(ValueError) as context:
+            Authority(None, self.http_client, oidc_authority_url=authority_url)
+
+        self.assertIn("issuer", str(context.exception).lower())
+        self.assertIn(issuer, str(context.exception))
+        self.assertIn(authority_url, str(context.exception))
