Port forward the 1.12.1 hotfix (Azure#46346)

Author: christothes

eng/Packages.Data.props

@@ -153,13 +153,9 @@
     <!-- Other approved packages -->
     <PackageReference Update="Microsoft.Azure.Amqp" Version="2.6.7" />
     <PackageReference Update="Microsoft.Azure.WebPubSub.Common" Version="1.4.0" />
-    <PackageReference Update="Microsoft.Identity.Client" Version="4.62.0" />
-    <PackageReference Update="Microsoft.Identity.Client.Extensions.Msal" Version="4.62.0" />
-    <!--
-      TODO: This package needs to be released as GA and arch-board approved before taking a dependency in any stable SDK library.
-      Currently, it is referenced by Azure.Identity.Broker which is still in beta
-    -->
-    <PackageReference Update="Microsoft.Identity.Client.Broker" Version="4.62.0" />
+    <PackageReference Update="Microsoft.Identity.Client" Version="4.65.0" />
+    <PackageReference Update="Microsoft.Identity.Client.Extensions.Msal" Version="4.65.0" />
+    <PackageReference Update="Microsoft.Identity.Client.Broker" Version="4.65.0" />
 
     <!-- TODO: Make sure this package is arch-board approved -->
     <PackageReference Update="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.35.0" />

sdk/identity/Azure.Identity/CHANGELOG.md

@@ -9,6 +9,7 @@
 ### Bugs Fixed
 
 - Fixed the request sent in `AzurePipelinesCredential` so it doesn't result in a redirect response when an invalid system access token is provided.
+- Updated to version 4.65.0 of Microsoft.Identity.Client to address a bug preventing the use of alternate authority types such as dStS ([4927](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4927)) .
 
 ### Other Changes
 

sdk/identity/Azure.Identity/src/MsalClientBase.cs

@@ -108,5 +108,20 @@ await _clientWithCaeAsyncLock.GetLockOrValueAsync(true, default).ConfigureAwait(
 
             return asyncLock.HasValue ? asyncLock.Value.Cache : null;
         }
+
+        public UriBuilder BuildTenantIdWithAuthorityHost(string tenantId)
+        {
+            UriBuilder uriBuilder = new(AuthorityHost);
+            if (uriBuilder.Path.EndsWith("/"))
+            {
+                uriBuilder.Path += tenantId;
+            }
+            else
+            {
+                uriBuilder.Path = uriBuilder.Path + "/" + tenantId;
+            }
+
+            return uriBuilder;
+        }
     }
 }

sdk/identity/Azure.Identity/src/MsalConfidentialClient.cs

@@ -169,10 +169,7 @@ public virtual async ValueTask<AuthenticationResult> AcquireTokenForClientCoreAs
 
             if (!string.IsNullOrEmpty(tenantId))
             {
-                UriBuilder uriBuilder = new UriBuilder(AuthorityHost)
-                {
-                    Path = tenantId
-                };
+                UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId);
                 builder.WithTenantIdFromAuthority(uriBuilder.Uri);
             }
             if (!string.IsNullOrEmpty(claims))
@@ -214,10 +211,7 @@ public virtual async ValueTask<AuthenticationResult> AcquireTokenSilentCoreAsync
             var builder = client.AcquireTokenSilent(scopes, account);
             if (!string.IsNullOrEmpty(tenantId))
             {
-                UriBuilder uriBuilder = new UriBuilder(AuthorityHost)
-                {
-                    Path = tenantId
-                };
+                UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId);
                 builder.WithTenantIdFromAuthority(uriBuilder.Uri);
             }
             if (!string.IsNullOrEmpty(claims))
@@ -260,10 +254,7 @@ public virtual async ValueTask<AuthenticationResult> AcquireTokenByAuthorization
 
             if (!string.IsNullOrEmpty(tenantId))
             {
-                UriBuilder uriBuilder = new UriBuilder(AuthorityHost)
-                {
-                    Path = tenantId
-                };
+                UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId);
                 builder.WithTenantIdFromAuthority(uriBuilder.Uri);
             }
             if (!string.IsNullOrEmpty(claims))
@@ -306,10 +297,7 @@ public virtual async ValueTask<AuthenticationResult> AcquireTokenOnBehalfOfCoreA
 
             if (!string.IsNullOrEmpty(tenantId))
             {
-                UriBuilder uriBuilder = new UriBuilder(AuthorityHost)
-                {
-                    Path = tenantId
-                };
+                UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId);
                 builder.WithTenantIdFromAuthority(uriBuilder.Uri);
             }
             if (!string.IsNullOrEmpty(claims))

sdk/identity/Azure.Identity/src/MsalPublicClient.cs

@@ -40,11 +40,9 @@ protected virtual ValueTask<IPublicClientApplication> CreateClientCoreAsync(bool
             string[] clientCapabilities =
                 enableCae ? cp1Capabilities : Array.Empty<string>();
 
-            var authorityUri = new UriBuilder(AuthorityHost.Scheme, AuthorityHost.Host, AuthorityHost.Port, TenantId ?? Constants.OrganizationsTenantId).Uri;
-
             PublicClientApplicationBuilder pubAppBuilder = PublicClientApplicationBuilder
                 .Create(ClientId)
-                .WithAuthority(authorityUri)
+                .WithAuthority(AuthorityHost.AbsoluteUri, TenantId ?? Constants.OrganizationsTenantId, false)
                 .WithHttpClientFactory(new HttpPipelineClientFactory(Pipeline.HttpPipeline))
                 .WithLogging(AzureIdentityEventSource.Singleton, enablePiiLogging: IsSupportLoggingEnabled);
 
@@ -124,10 +122,7 @@ protected virtual async ValueTask<AuthenticationResult> AcquireTokenSilentCoreAs
             }
             if (tenantId != null)
             {
-                UriBuilder uriBuilder = new UriBuilder(AuthorityHost)
-                {
-                    Path = TenantId ?? tenantId
-                };
+                UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId);
                 builder.WithTenantIdFromAuthority(uriBuilder.Uri);
             }
 
@@ -183,10 +178,7 @@ protected virtual async ValueTask<AuthenticationResult> AcquireTokenSilentCoreAs
 
             if (tenantId != null || record.TenantId != null)
             {
-                UriBuilder uriBuilder = new UriBuilder(AuthorityHost)
-                {
-                    Path = tenantId ?? record.TenantId
-                };
+                UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId ?? record.TenantId);
                 builder.WithTenantIdFromAuthority(uriBuilder.Uri);
             }
 
@@ -288,10 +280,7 @@ protected virtual async ValueTask<AuthenticationResult> AcquireTokenInteractiveC
             }
             if (tenantId != null)
             {
-                UriBuilder uriBuilder = new UriBuilder(AuthorityHost)
-                {
-                    Path = tenantId
-                };
+                UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId);
                 builder.WithTenantIdFromAuthority(uriBuilder.Uri);
             }
             if (browserOptions != null)
@@ -333,10 +322,7 @@ protected virtual async ValueTask<AuthenticationResult> AcquireTokenByUsernamePa
             }
             if (!string.IsNullOrEmpty(tenantId))
             {
-                UriBuilder uriBuilder = new UriBuilder(AuthorityHost)
-                {
-                    Path = tenantId
-                };
+                UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId);
                 builder.WithTenantIdFromAuthority(uriBuilder.Uri);
             }
             return await builder.ExecuteAsync(async, cancellationToken)
@@ -359,6 +345,11 @@ protected virtual async ValueTask<AuthenticationResult> AcquireTokenWithDeviceCo
             {
                 builder.WithClaims(claims);
             }
+            if (!string.IsNullOrEmpty(TenantId))
+            {
+                UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(TenantId);
+                builder.WithTenantIdFromAuthority(uriBuilder.Uri);
+            }
 
             return await builder.ExecuteAsync(async, cancellationToken)
                 .ConfigureAwait(false);
@@ -383,10 +374,7 @@ protected virtual async ValueTask<AuthenticationResult> AcquireTokenByRefreshTok
 
             if (!string.IsNullOrEmpty(TenantId))
             {
-                UriBuilder uriBuilder = new UriBuilder(AuthorityHost)
-                {
-                    Path = tenant
-                };
+                UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(TenantId);
                 builder.WithTenantIdFromAuthority(uriBuilder.Uri);
             }
 

sdk/identity/Azure.Identity/tests/AuthorizationCodeCredentialTests.cs

@@ -34,6 +34,7 @@ public override TokenCredential GetTokenCredential(CommonCredentialTestConfig co
                 AdditionallyAllowedTenants = config.AdditionallyAllowedTenants,
                 IsUnsafeSupportLoggingEnabled = config.IsUnsafeSupportLoggingEnabled,
                 RedirectUri = config.RedirectUri,
+                AuthorityHost = config.AuthorityHost,
             };
             if (config.Transport != null)
             {

sdk/identity/Azure.Identity/tests/AzureCliCredentialTests.cs

@@ -35,6 +35,7 @@ public override TokenCredential GetTokenCredential(CommonCredentialTestConfig co
                 AdditionallyAllowedTenants = config.AdditionallyAllowedTenants,
                 TenantId = config.TenantId,
                 IsUnsafeSupportLoggingEnabled = config.IsUnsafeSupportLoggingEnabled,
+                AuthorityHost = config.AuthorityHost,
             };
             var (_, _, processOutput) = CredentialTestHelpers.CreateTokenForAzureCli();
             var testProcess = new TestProcess { Output = processOutput };

sdk/identity/Azure.Identity/tests/AzureDeveloperCliCredentialTests.cs

@@ -34,6 +34,7 @@ public override TokenCredential GetTokenCredential(CommonCredentialTestConfig co
                 AdditionallyAllowedTenants = config.AdditionallyAllowedTenants,
                 TenantId = config.TenantId,
                 IsUnsafeSupportLoggingEnabled = config.IsUnsafeSupportLoggingEnabled,
+                AuthorityHost = config.AuthorityHost,
             };
             var (_, _, processOutput) = CredentialTestHelpers.CreateTokenForAzureDeveloperCli();
             var testProcess = new TestProcess { Output = processOutput };

sdk/identity/Azure.Identity/tests/AzurePipelinesCredentialTests.cs

@@ -44,6 +44,7 @@ public override TokenCredential GetTokenCredential(CommonCredentialTestConfig co
                 IsUnsafeSupportLoggingEnabled = config.IsUnsafeSupportLoggingEnabled,
                 MsalClient = config.MockConfidentialMsalClient,
                 OidcRequestUri = "https://dev.azure.com/myorg/myproject/_apis/serviceendpoint/endpoints?api-version=2.2.2",
+                AuthorityHost = config.AuthorityHost,
             };
             if (config.Transport != null)
             {

sdk/identity/Azure.Identity/tests/AzurePowerShellCredentialsTests.cs

@@ -42,6 +42,7 @@ public override TokenCredential GetTokenCredential(CommonCredentialTestConfig co
                 AdditionallyAllowedTenants = config.AdditionallyAllowedTenants,
                 TenantId = config.TenantId,
                 IsUnsafeSupportLoggingEnabled = config.IsUnsafeSupportLoggingEnabled,
+                AuthorityHost = config.AuthorityHost,
             };
             var (_, _, processOutput) = CredentialTestHelpers.CreateTokenForAzurePowerShell(TimeSpan.FromSeconds(30));
             var testProcess = new TestProcess { Output = processOutput };