improve tenant handling
tripodsan opened this issue · 1 comment
TL;DR: use tenant id from destination resource or access token
Description
With XTA (cross-tenant access) it can happen that the IDP and the resource provider are on different tenants (e.g. adobe.com authenticates the user, but the SharePoint document resides in customer.com). In this case the authenticated principal (user) will be a guest user in the resource tenant B, and the authorization needs to happen via tenant B (which uses tenant A as IDP).
So far, the AuthenticationContext tenant is usually hard-coded to be the same for each resource (e.g. helix@adobe.com on the adobe.com tenant is used for all MS Graph access). This causes problems when accessing resources outside adobe.com.
Suggestion:
As long as there is no pre-authorized token, the sharelink should be used to resolve the tenant.
This can be resolved using https://login.windows.net/adobe.onmicrosoft.com/.well-known/openid-configuration, where the tenant name (`adobe`) can be extracted from the sharelink host (e.g. https://adobe.sharepoint.com/sites/TheBlog/Shared%20Documents/theblog).
In the case of a bearer token, MS uses JWT to encode their access tokens, so the tenant can be extracted using the `tid` claim.
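The resolution order proposed in the issue (a pre-authorized token's `tid` claim first, the sharelink host otherwise), as an added example in Node.js that is not helix-fetch/project code. It assumes that `<tenant>.sharepoint.com` and `<tenant>-my.sharepoint.com` hosts map to `<tenant>.onmicrosoft.com`, that the v1 openid-configuration `issuer` has the form `https://sts.windows.net/<tenant-guid>/`, and it uses a constructed tenant GUID and an unsigned sample JWT; the discovery document is not fetched, only parsed.

```javascript
// Added example (not project code): choose the tenant for a SharePoint/MS Graph
// request as the issue suggests. A bearer token's `tid` claim wins; without a
// token, the tenant name comes from the sharelink host and the tenant GUID from
// the openid-configuration document. Host and issuer formats are assumptions.

// Tenant short name from a sharelink host, e.g. "adobe.sharepoint.com" -> "adobe".
// Assumption: "<tenant>.sharepoint.com" and "<tenant>-my.sharepoint.com" both
// belong to "<tenant>.onmicrosoft.com".
function tenantFromShareLink(shareLink) {
  const { host } = new URL(shareLink);
  const m = /^([a-z0-9-]+?)(?:-my)?\.sharepoint\.com$/i.exec(host);
  if (!m) throw new Error(`not a sharepoint.com sharelink host: ${host}`);
  return m[1].toLowerCase();
}

// Discovery URL named in the issue; the document it serves carries the tenant
// GUID in its `issuer` field.
function openIdConfigUrl(tenantName) {
  return `https://login.windows.net/${tenantName}.onmicrosoft.com/.well-known/openid-configuration`;
}

// Tenant GUID from an openid-configuration document.
// Assumption: the v1 issuer looks like "https://sts.windows.net/<tenant-guid>/".
function tenantIdFromOpenIdConfig(config) {
  const m = /^https:\/\/sts\.windows\.net\/([0-9a-f-]{36})\/?$/i.exec(config.issuer || '');
  if (!m) throw new Error(`unexpected issuer: ${config.issuer}`);
  return m[1].toLowerCase();
}

// Base64url helpers; Node's base64 decoder tolerates the missing padding.
const b64urlEncode = (s) => Buffer.from(s, 'utf8').toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const b64urlDecode = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');

// Read the payload of a JWT WITHOUT verifying its signature. That is enough to
// decide which tenant to send the token to; it is not token validation, so no
// authorization decision may rest on it. The resource validates the token.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS/JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

function tenantFromAccessToken(token) {
  const { tid } = decodeJwtPayload(token);
  if (typeof tid !== 'string' || !/^[0-9a-f-]{36}$/i.test(tid)) {
    throw new Error('access token carries no usable tid claim');
  }
  return tid.toLowerCase();
}

// Pre-authorized token first, sharelink otherwise.
function resolveTenant({ accessToken, shareLink }) {
  if (accessToken) return { tenant: tenantFromAccessToken(accessToken), source: 'tid' };
  if (shareLink) return { tenant: tenantFromShareLink(shareLink), source: 'sharelink' };
  throw new Error('need an access token or a sharelink to resolve the tenant');
}

// Constructed sample data: not a real tenant, not a real token.
const SAMPLE_TID = '11111111-2222-3333-4444-555555555555';
const SAMPLE_OPENID_CONFIG = { issuer: `https://sts.windows.net/${SAMPLE_TID}/` };
const SAMPLE_TOKEN = [
  b64urlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' })),
  b64urlEncode(JSON.stringify({ aud: 'https://graph.microsoft.com', tid: SAMPLE_TID, upn: 'helix@adobe.com' })),
  '',
].join('.');

console.log(resolveTenant({ shareLink: 'https://customer.sharepoint.com/sites/Docs/Shared%20Documents/x' }));
console.log(openIdConfigUrl('customer'), '->', tenantIdFromOpenIdConfig(SAMPLE_OPENID_CONFIG));
console.log(resolveTenant({ accessToken: SAMPLE_TOKEN, shareLink: 'https://adobe.sharepoint.com/x' }));
```

Two points worth keeping in mind when wiring this into real code: the `tid` read here comes from an unverified payload, so it only selects which tenant's token endpoint or resource to talk to, and a sharelink whose host is not under `sharepoint.com` is rejected rather than silently falling back to the hard-coded adobe.com tenant, which is exactly the behaviour the issue wants to get rid of.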
This issue has been resolved in version 7.0.0
The release is available on:
Your semantic-release bot