diff --git a/src/Microsoft.Identity.Web/WebApiAuthenticationBuilderExtensions.cs b/src/Microsoft.Identity.Web/WebApiAuthenticationBuilderExtensions.cs
index fddd7ddc9..c36f6502f 100644
--- a/src/Microsoft.Identity.Web/WebApiAuthenticationBuilderExtensions.cs
+++ b/src/Microsoft.Identity.Web/WebApiAuthenticationBuilderExtensions.cs
@@ -143,11 +143,12 @@ public static AuthenticationBuilder AddProtectedWebApi(
/// as a valid audience (this is the default App ID URL in the app registration
/// portal)
///
- /// Jwt bearer options for which to ensure that
+ /// for which to ensure that
/// api://GUID is a valid audience
internal static void EnsureValidAudiencesContainsApiGuidIfGuidProvided(JwtBearerOptions options, MicrosoftIdentityOptions msIdentityOptions)
{
- var validAudiences = new List();
+ options.TokenValidationParameters.ValidAudiences ??= new List();
+ var validAudiences = new List(options.TokenValidationParameters.ValidAudiences);
if (!string.IsNullOrWhiteSpace(options.Audience))
{
validAudiences.Add(options.Audience);
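Review bot: The `??=` on the first added line writes an empty list into the caller's TokenValidationParameters.ValidAudiences as a side effect before the merged list is even built, while the following copy only needs a non-null source; `var validAudiences = new List<string>(options.TokenValidationParameters.ValidAudiences ?? Array.Empty<string>());` gets the same pre-existing audiences without mutating the options up front (the generic argument appears stripped in this rendering, so read `List()` as `List<string>()`). The merged list also keeps duplicates — the new test rows in WebApiExtensionsTests expect ApiAudience and ApiClientId to appear twice — which is harmless for validation but makes the effective audience set harder to audit; a `Contains` check before each Add, or a `Distinct()` when the list is written back, would keep it minimal. The changed doc line now reads "for which to ensure that api://GUID is a valid audience" with no subject, which suggests the `<param>` markup did not survive rendering; worth confirming both `options` and `msIdentityOptions` are still documented. The method body continues past the hunk, so whether the merged list is assigned back to ValidAudiences, and what happens if TokenValidationParameters itself was set to null, is not visible here.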
diff --git a/tests/Microsoft.Identity.Web.Test.Common/TestConstants.cs b/tests/Microsoft.Identity.Web.Test.Common/TestConstants.cs
index 347dcdd97..d85231c0a 100644
--- a/tests/Microsoft.Identity.Web.Test.Common/TestConstants.cs
+++ b/tests/Microsoft.Identity.Web.Test.Common/TestConstants.cs
@@ -84,7 +84,7 @@ public static class TestConstants
public const string ConfidentialClientLabTenant = "72f988bf-86f1-41af-91ab-2d7cd011db47";
//This value is only for testing purposes. It is for a certificate that is not used for anything other than running tests
- public const string certificateX5c = @"MIIDHzCCAgegAwIBAgIQM6NFYNBJ9rdOiK+C91ZzFDANBgkqhkiG9w0BAQsFADAgMR4wHAYDVQQDExVBQ1MyQ2xpZW50Q2VydGlmaWNhdGUwHhcNMTIwNTIyMj
+ public const string CertificateX5c = @"MIIDHzCCAgegAwIBAgIQM6NFYNBJ9rdOiK+C91ZzFDANBgkqhkiG9w0BAQsFADAgMR4wHAYDVQQDExVBQ1MyQ2xpZW50Q2VydGlmaWNhdGUwHhcNMTIwNTIyMj
IxMTIyWhcNMzAwNTIyMDcwMDAwWjAgMR4wHAYDVQQDExVBQ1MyQ2xpZW50Q2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCh7HjK
YyVMDZDT64OgtcGKWxHmK2wqzi2LJb65KxGdNfObWGxh5HQtjzrgHDkACPsgyYseqxhGxHh8I/TR6wBKx/AAKuPHE8jB4hJ1W6FczPfb7FaMV9xP0qNQrbNGZU
YbCdy7U5zIw4XrGq22l6yTqpCAh59DLufd4d7x8fCgUDV3l1ZwrncF0QrBRzns/O9Ex9pXsi2DzMa1S1PKR81D9q5QSW7LZkCgSSqI6W0b5iodx/a3RBvW3l7d
diff --git a/tests/Microsoft.Identity.Web.Test/WebApiExtensionsTests.cs b/tests/Microsoft.Identity.Web.Test/WebApiExtensionsTests.cs
index e217d660b..9deda541a 100644
--- a/tests/Microsoft.Identity.Web.Test/WebApiExtensionsTests.cs
+++ b/tests/Microsoft.Identity.Web.Test/WebApiExtensionsTests.cs
@@ -20,6 +20,7 @@
using Microsoft.Identity.Web.Resource;
using Microsoft.Identity.Web.Test.Common;
using Microsoft.Identity.Web.Test.Common.TestHelpers;
+using Microsoft.IdentityModel.Tokens;
using NSubstitute;
using NSubstitute.Extensions;
using Xunit;
@@ -30,7 +31,7 @@ public class WebApiExtensionsTests
{
private const string _configSectionName = "AzureAd-Custom";
private const string _jwtBearerScheme = "Bearer-Custom";
- private readonly X509Certificate2 _certificate = new X509Certificate2(Convert.FromBase64String(TestConstants.certificateX5c));
+ private readonly X509Certificate2 _certificate = new X509Certificate2(Convert.FromBase64String(TestConstants.CertificateX5c));
private readonly IConfigurationSection _configSection;
private readonly Action _configureAppOptions = (options) => { };
private readonly Action _configureJwtOptions = (options) => { };
@@ -368,16 +369,25 @@ public void EnsureAuthorityIsV2_0(string initialAuthority, string expectedAuthor
}
[Theory]
- [InlineData(TestConstants.HttpLocalHost, new string[] { TestConstants.HttpLocalHost })]
- [InlineData(TestConstants.ApiAudience, new string[] { TestConstants.ApiAudience })]
- [InlineData(TestConstants.ApiClientId, new string[] { TestConstants.ApiAudience, TestConstants.ApiClientId })]
- [InlineData("", new string[] { TestConstants.ApiAudience, TestConstants.ApiClientId })]
- [InlineData(null, new string[] { TestConstants.ApiAudience, TestConstants.ApiClientId })]
- public void EnsureValidAudiencesContainsApiGuidIfGuidProvided(string initialAudience, string[] expectedAudiences)
+ [InlineData(TestConstants.HttpLocalHost, null, new string[] { TestConstants.HttpLocalHost })]
+ [InlineData(TestConstants.ApiAudience, null, new string[] { TestConstants.ApiAudience })]
+ [InlineData(TestConstants.ApiClientId, null, new string[] { TestConstants.ApiAudience, TestConstants.ApiClientId })]
+ [InlineData("", null, new string[] { TestConstants.ApiAudience, TestConstants.ApiClientId })]
+ [InlineData(null, null, new string[] { TestConstants.ApiAudience, TestConstants.ApiClientId })]
+ [InlineData(null, new string[] { TestConstants.ApiAudience }, new string[] { TestConstants.ApiAudience, TestConstants.ApiAudience, TestConstants.ApiClientId })]
+ [InlineData(null, new string[] { TestConstants.ApiClientId }, new string[] { TestConstants.ApiAudience, TestConstants.ApiClientId, TestConstants.ApiClientId })]
+ [InlineData(TestConstants.HttpLocalHost, new string[] { TestConstants.B2CCustomDomainInstance }, new string[] { TestConstants.HttpLocalHost, TestConstants.B2CCustomDomainInstance })]
+ [InlineData(TestConstants.ApiAudience, new string[] { TestConstants.B2CCustomDomainInstance }, new string[] { TestConstants.ApiAudience, TestConstants.B2CCustomDomainInstance })]
+ [InlineData(TestConstants.ApiClientId, new string[] { TestConstants.B2CCustomDomainInstance }, new string[] { TestConstants.ApiAudience, TestConstants.ApiClientId, TestConstants.B2CCustomDomainInstance })]
+ public void EnsureValidAudiencesContainsApiGuidIfGuidProvided(string initialAudience, string[] initialAudiences, string[] expectedAudiences)
{
JwtBearerOptions jwtOptions = new JwtBearerOptions()
{
- Audience = initialAudience
+ Audience = initialAudience,
+ TokenValidationParameters = new TokenValidationParameters()
+ {
+ ValidAudiences = initialAudiences
+ }
};
MicrosoftIdentityOptions msIdentityOptions = new MicrosoftIdentityOptions()
{