[Bug] Token compatibility not handled correctly

[nikkh]

Which Version of Microsoft Identity Web are you using ?
Microsoft.Identity.Web 0.1.2-preview

Where is the issue?

• Web App
  • Sign-in users
  • Sign-in users and call web APIs
• Web API
  • Protected web APIs (Validating tokens)
  • Protected web APIs (Validating scopes)
  • Protected web APIs call downstream web APIs
• Token cache serialization
  • In Memory caches
  • Session caches
  • Distributed caches

Other? - please describe;

Is this a new or existing app?
This is a new app being built for production deployment.

Repro

I've just been asked to help an AAD B2C customer with a problem they have with logging on using AAD B2C in a dotnet core 3.1 web app they are developing.

Having run through their scenario in debug I have noticed that they have token compatibility set as described in https://docs.microsoft.com/en-us/azure/active-directory-b2c/tokens-overview#compatibility so that their issuer is https://xxxxxxxx.b2clogin.com/tfp/xxxxxxxx/xxxxxx_sign_up_in/v2.0/.

Looking at the source code in https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web/Resource/AadIssuerValidator.cs

// The AAD "iss" claims contains the tenant ID in its value. The URI is {domain}/{tid}/v2.0
    private static string GetTenantIdFromIss(string iss)
    {
        if (string.IsNullOrEmpty(iss))
        {
            return string.Empty;
        }
        var uri = new Uri(iss);
        if (uri.Segments.Length > 1)
        {
            return uri.Segments[1].TrimEnd('/');
        }
        return string.Empty;
    }

Expected behavior
I expect that since the issuer is valid, the microsoft.identity.web package would enable sign in to complete normally.

Actual behavior
An exception is thrown indicating that the token issuer is invalid

Possible Solution

/if (uri.Segments.Length > 1)
        //{
        //    return uri.Segments[1].TrimEnd('/');
        //}

        if (uri.Segments.Length == 3)
        {
            return uri.Segments[1].TrimEnd('/');
        }
        if (uri.Segments.Length == 5)
        {
            return uri.Segments[2].TrimEnd('/');
        }

and

private static bool IsValidTidInLocalPath(string tenantId, Uri uri)
    {

        string trimmedLocalPath = uri.LocalPath.Trim('/');
        // return trimmedLocalPath == tenantId || trimmedLocalPath == $"{tenantId}/v2.0" ;
        return trimmedLocalPath == tenantId || trimmedLocalPath == $"{tenantId}/v2.0" || trimmedLocalPath.Split('/')[1] == tenantId;
    }

or perhaps something more elegant - explicitly identifying the token format in use rather than trying to guess it from its structure?

[jmprieur]

Thanks for raising this issue, @nikkh and for educating us.

[jennyf19]

Included in 0.2.2-preview release