[Feature Request] Enable changing tenant after client construction #296
Comments
@bgavrilMS @siddhijain @rayluo: can you please help with the per-request design?
In pseudo-code, the logic in MSAL.NET is something like:

var confidentialClientApp = // create app with authority set to login.microsoft.com/common
var authResult = confidentialClientApp.AcquireTokenByMethod.WithTenantId(tenantId).Execute();

The simplified algorithm for choosing the authority on which to perform auth, given an application authority and a request tenantID, is:

The more complex case exists for AcquireTokenSilent, where we also need to think about

Acceptance tests
Hi @bgavrilMS, in the table above, row 3, if an app declared its authority as "lmo/consumers", wouldn't it mean the app does not want to allow AAD users to sign in? Do we still want to allow the GUID adjustment in this scenario?
Now that you mention it, yes. I don't think MSAL.NET does any better :(
Thanks for catching that! I added two more error cases to #343:
Thanks for the quick response, team! One more conceptual question. While we say

"MSAL for Go will have a few rules for dynamic tenant IDs as described in this issue (implemented here) but otherwise no opinion on their validity. So, we'll take any string and it's up to AAD whether it works."

Well, in that case, it is really just a "WithTenant(tenant)" parameter, rather than "WithTenantId(tenantId)", which seemingly implies a GUID. Thanks for the clarification.
That's correct. I assume it's the same for the other MSALs which call the option
I believe the consistency is more about conceptual consistency: if one thing can and should be done in one MSAL, other applicable MSALs had better also have it. But the exact naming always has some variance, due to language convention and casing reasons. In particular, already-shipped parameters do not need to be changed only for consistency, and a newly-introduced parameter in an MSAL has an opportunity to "name it right", if desirable. I'm leaving an approval on your implementation PR now.
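Worked example, added here and not code from MSAL for Go or MSAL.NET, of the per-request tenant override discussed in the thread above: the client keeps the authority it was constructed with, and a request-level tenant replaces only the tenant segment of that authority. It applies the rules stated in this issue (an app declared for "consumers" must not be adjusted to another tenant, and the tenant value is passed through unvalidated so AAD decides whether it works); the function name, the single-path-segment authority shape, the sample inputs and the choice to let a specific-tenant authority be overridden are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// AuthorityForRequest (hypothetical name) picks the authority for one token
// request. appAuthority is what the client was built with, e.g.
// https://login.microsoftonline.com/common; requestTenant is the per-request
// override, "" meaning "use the client's own tenant".
func AuthorityForRequest(appAuthority, requestTenant string) (string, error) {
	u, err := url.Parse(appAuthority)
	if err != nil {
		return "", err
	}
	// Assumed shape: exactly one path segment, the tenant (GUID, domain, common, ...).
	segs := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(segs) != 1 || segs[0] == "" {
		return "", fmt.Errorf("authority %q must look like https://<host>/<tenant>", appAuthority)
	}
	appTenant := segs[0]

	// No override, or the same tenant again: keep the construction-time authority.
	if requestTenant == "" || requestTenant == appTenant {
		return appAuthority, nil
	}
	// Rule from the thread: an app declared for "consumers" opted out of AAD
	// tenants, so a per-request tenant adjustment is an error, not a redirect.
	if appTenant == "consumers" {
		return "", errors.New(`client authority is "consumers"; it cannot acquire tokens for another tenant`)
	}
	// Any other string is passed through unvalidated; AAD decides whether it works.
	u.Path = "/" + requestTenant
	return u.String(), nil
}

func main() {
	// Constructed sample inputs; the GUID is a placeholder, not a real tenant.
	cases := []struct{ authority, tenant string }{
		{"https://login.microsoftonline.com/common", "contoso.onmicrosoft.com"},
		{"https://login.microsoftonline.com/common", ""},
		{"https://login.microsoftonline.com/consumers", "11111111-2222-3333-4444-555555555555"},
	}
	for _, c := range cases {
		got, err := AuthorityForRequest(c.authority, c.tenant)
		fmt.Printf("%s + %q -> %s (err: %v)\n", c.authority, c.tenant, got, err)
	}
}
```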
Hello @rayluo, is there a plan to release a new package version with the WithTenantID support changes? Meanwhile, if we want to acquire tokens for multiple tenants, is the workaround to create a client per tenant?
Yes, create a confidential client application for each tenant / authority you have.
Got it. Thank you for confirming. It would be ideal if we could avoid this with the new changes. When could we expect a new release version with this change? |
Acquiring tokens as a multi-tenant application is painful because tenants are baked into clients at construction. It's therefore necessary to create a new client instance for each tenant. Please provide an API for overriding the tenant specified at construction during a single token request or enable changing it after construction. MSAL.NET has implemented the former and is evidently moving to the latter: AzureAD/microsoft-authentication-library-for-python#368 (comment).