Updated EnsureValidAudiencesContainsApiGuidIfGuidProvided method to a…

…dd on to the existing TokenValidationParameters.ValidAudiences collection instead of replacing it. (#103)

src/Microsoft.Identity.Web/WebApiAuthenticationBuilderExtensions.cs

@@ -143,11 +143,12 @@ public static AuthenticationBuilder AddProtectedWebApi(
         /// as a valid audience (this is the default App ID URL in the app registration
         /// portal)
         /// </summary>
-        /// <param name="options">Jwt bearer options for which to ensure that
+        /// <param name="options"><see cref="JwtBearerOptions"/> for which to ensure that
         /// api://GUID is a valid audience</param>
         internal static void EnsureValidAudiencesContainsApiGuidIfGuidProvided(JwtBearerOptions options, MicrosoftIdentityOptions msIdentityOptions)
         {
-            var validAudiences = new List<string>();
+            options.TokenValidationParameters.ValidAudiences ??= new List<string>();
+            var validAudiences = new List<string>(options.TokenValidationParameters.ValidAudiences);
             if (!string.IsNullOrWhiteSpace(options.Audience))
             {
                 validAudiences.Add(options.Audience);

tests/Microsoft.Identity.Web.Test.Common/TestConstants.cs

@@ -84,7 +84,7 @@ public static class TestConstants
         public const string ConfidentialClientLabTenant = "72f988bf-86f1-41af-91ab-2d7cd011db47";
 
         //This value is only for testing purposes. It is for a certificate that is not used for anything other than running tests
-        public const string certificateX5c = @"MIIDHzCCAgegAwIBAgIQM6NFYNBJ9rdOiK+C91ZzFDANBgkqhkiG9w0BAQsFADAgMR4wHAYDVQQDExVBQ1MyQ2xpZW50Q2VydGlmaWNhdGUwHhcNMTIwNTIyMj
+        public const string CertificateX5c = @"MIIDHzCCAgegAwIBAgIQM6NFYNBJ9rdOiK+C91ZzFDANBgkqhkiG9w0BAQsFADAgMR4wHAYDVQQDExVBQ1MyQ2xpZW50Q2VydGlmaWNhdGUwHhcNMTIwNTIyMj
             IxMTIyWhcNMzAwNTIyMDcwMDAwWjAgMR4wHAYDVQQDExVBQ1MyQ2xpZW50Q2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCh7HjK
             YyVMDZDT64OgtcGKWxHmK2wqzi2LJb65KxGdNfObWGxh5HQtjzrgHDkACPsgyYseqxhGxHh8I/TR6wBKx/AAKuPHE8jB4hJ1W6FczPfb7FaMV9xP0qNQrbNGZU
             YbCdy7U5zIw4XrGq22l6yTqpCAh59DLufd4d7x8fCgUDV3l1ZwrncF0QrBRzns/O9Ex9pXsi2DzMa1S1PKR81D9q5QSW7LZkCgSSqI6W0b5iodx/a3RBvW3l7d

tests/Microsoft.Identity.Web.Test/WebApiExtensionsTests.cs

@@ -20,6 +20,7 @@
 using Microsoft.Identity.Web.Resource;
 using Microsoft.Identity.Web.Test.Common;
 using Microsoft.Identity.Web.Test.Common.TestHelpers;
+using Microsoft.IdentityModel.Tokens;
 using NSubstitute;
 using NSubstitute.Extensions;
 using Xunit;
@@ -30,7 +31,7 @@ public class WebApiExtensionsTests
     {
         private const string _configSectionName = "AzureAd-Custom";
         private const string _jwtBearerScheme = "Bearer-Custom";
-        private readonly X509Certificate2 _certificate = new X509Certificate2(Convert.FromBase64String(TestConstants.certificateX5c));
+        private readonly X509Certificate2 _certificate = new X509Certificate2(Convert.FromBase64String(TestConstants.CertificateX5c));
         private readonly IConfigurationSection _configSection;
         private readonly Action<ConfidentialClientApplicationOptions> _configureAppOptions = (options) => { };
         private readonly Action<JwtBearerOptions> _configureJwtOptions = (options) => { };
@@ -368,16 +369,25 @@ public void EnsureAuthorityIsV2_0(string initialAuthority, string expectedAuthor
         }
 
         [Theory]
-        [InlineData(TestConstants.HttpLocalHost, new string[] { TestConstants.HttpLocalHost })]
-        [InlineData(TestConstants.ApiAudience, new string[] { TestConstants.ApiAudience })]
-        [InlineData(TestConstants.ApiClientId, new string[] { TestConstants.ApiAudience, TestConstants.ApiClientId })]
-        [InlineData("", new string[] { TestConstants.ApiAudience, TestConstants.ApiClientId })]
-        [InlineData(null, new string[] { TestConstants.ApiAudience, TestConstants.ApiClientId })]
-        public void EnsureValidAudiencesContainsApiGuidIfGuidProvided(string initialAudience, string[] expectedAudiences)
+        [InlineData(TestConstants.HttpLocalHost, null, new string[] { TestConstants.HttpLocalHost })]
+        [InlineData(TestConstants.ApiAudience, null, new string[] { TestConstants.ApiAudience })]
+        [InlineData(TestConstants.ApiClientId, null, new string[] { TestConstants.ApiAudience, TestConstants.ApiClientId })]
+        [InlineData("", null, new string[] { TestConstants.ApiAudience, TestConstants.ApiClientId })]
+        [InlineData(null, null, new string[] { TestConstants.ApiAudience, TestConstants.ApiClientId })]
+        [InlineData(null, new string[] { TestConstants.ApiAudience }, new string[] { TestConstants.ApiAudience, TestConstants.ApiAudience, TestConstants.ApiClientId })]
+        [InlineData(null, new string[] { TestConstants.ApiClientId }, new string[] { TestConstants.ApiAudience, TestConstants.ApiClientId, TestConstants.ApiClientId })]
+        [InlineData(TestConstants.HttpLocalHost, new string[] { TestConstants.B2CCustomDomainInstance }, new string[] { TestConstants.HttpLocalHost, TestConstants.B2CCustomDomainInstance })]
+        [InlineData(TestConstants.ApiAudience, new string[] { TestConstants.B2CCustomDomainInstance }, new string[] { TestConstants.ApiAudience, TestConstants.B2CCustomDomainInstance })]
+        [InlineData(TestConstants.ApiClientId, new string[] { TestConstants.B2CCustomDomainInstance }, new string[] { TestConstants.ApiAudience, TestConstants.ApiClientId, TestConstants.B2CCustomDomainInstance })]
+        public void EnsureValidAudiencesContainsApiGuidIfGuidProvided(string initialAudience, string[] initialAudiences, string[] expectedAudiences)
         {
             JwtBearerOptions jwtOptions = new JwtBearerOptions()
             {
-                Audience = initialAudience
+                Audience = initialAudience,
+                TokenValidationParameters = new TokenValidationParameters()
+                {
+                    ValidAudiences = initialAudiences
+                }
             };
             MicrosoftIdentityOptions msIdentityOptions = new MicrosoftIdentityOptions()
             {