AzureAD · trwalke · May 17, 2019 · Jan 18, 2019 · Jan 24, 2019 · Jan 29, 2019
diff --git a/src/Microsoft.Identity.Client/AccountId.cs b/src/Microsoft.Identity.Client/AccountId.cs
@@ -46,6 +46,15 @@ public AccountId(string identifier, string objectId, string tenantId)
             ValidateId();
         }
 
+        /// <summary>
+        /// Constructor of an AccountId meant for Adfs scenarios since Adfs instances lack tenant ids.
+        /// </summary>
+        /// <param name="adfsIdentifier">Unique identifier for the account if authority is ADFS</param>
+        public AccountId(string adfsIdentifier)
+            :this(adfsIdentifier, adfsIdentifier, null)
+        { }
+
+
         internal static AccountId ParseFromString(string str)
         {
             if (string.IsNullOrEmpty(str))
@@ -54,6 +63,11 @@ internal static AccountId ParseFromString(string str)
             }
             string[] elements = str.Split('.');
 
+            if(elements.Length == 1)
+            {
+                return new AccountId(str); //Account id is from Adfs; no . in the string
+            }
+
             return new AccountId(str, elements[0], elements[1]);
         }
 
@@ -89,7 +103,7 @@ public override string ToString()
         [Conditional("DEBUG")]
         private void ValidateId()
         {
-            string expectedId = ObjectId + "." + TenantId;
+            string expectedId = TenantId==null ? ObjectId : ObjectId + "." + TenantId;
             if (!string.Equals(expectedId, Identifier, StringComparison.Ordinal))
             {
                 throw new InvalidOperationException(

diff --git a/src/Microsoft.Identity.Client/AppConfig/AbstractApplicationBuilder.cs b/src/Microsoft.Identity.Client/AppConfig/AbstractApplicationBuilder.cs
diff --git a/src/Microsoft.Identity.Client/AuthenticationResult.cs b/src/Microsoft.Identity.Client/AuthenticationResult.cs
@@ -64,9 +64,10 @@ internal AuthenticationResult(MsalAccessTokenCacheItem msalAccessTokenCacheItem,
         {
             if (msalAccessTokenCacheItem.HomeAccountId != null)
             {
+                string username = msalAccessTokenCacheItem.IsAdfs ? msalIdTokenCacheItem?.IdToken.Upn : msalIdTokenCacheItem?.IdToken?.PreferredUsername;
                 Account = new Account(
                     msalAccessTokenCacheItem.HomeAccountId,
-                    msalIdTokenCacheItem?.IdToken?.PreferredUsername,
+                    username,
                     msalAccessTokenCacheItem.Environment);
             }
 

diff --git a/src/Microsoft.Identity.Client/Cache/Items/MsalAccessTokenCacheItem.cs b/src/Microsoft.Identity.Client/Cache/Items/MsalAccessTokenCacheItem.cs
@@ -18,11 +18,13 @@ internal MsalAccessTokenCacheItem()
             CredentialType = StorageJsonValues.CredentialTypeAccessToken;
         }
 
+
         internal MsalAccessTokenCacheItem(
             string environment,
             string clientId,
             MsalTokenResponse response,
-            string tenantId)
+            string tenantId,
+            string userId = null)
             : this(
                 environment,
                 clientId,
@@ -31,7 +33,8 @@ internal MsalAccessTokenCacheItem(
                 response.AccessToken,
                 response.AccessTokenExpiresOn,
                 response.AccessTokenExtendedExpiresOn,
-                response.ClientInfo)
+                response.ClientInfo,
+                userId)
         {
         }
 
@@ -43,7 +46,8 @@ internal MsalAccessTokenCacheItem(
             string secret,
             DateTimeOffset accessTokenExpiresOn,
             DateTimeOffset accessTokenExtendedExpiresOn,
-            string rawClientInfo)
+            string rawClientInfo,
+            string userId = null)
             : this()
         {
             Environment = environment;
@@ -56,10 +60,18 @@ internal MsalAccessTokenCacheItem(
             CachedAt = CoreHelpers.CurrDateTimeInUnixTimestamp();
             RawClientInfo = rawClientInfo;
 
+            //Adfs does not send back client info, so HomeAccountId must be explicitly set
+            HomeAccountId = userId;
             InitUserIdentifier();
         }
 
-        internal string TenantId { get; set; }
+        private string _tenantId;
+
+        internal string TenantId
+        {
+            get => _tenantId;
+            set => _tenantId = value ?? string.Empty;
+        }
 
         /// <summary>
         /// String comprised of scopes that have been lowercased and ordered.
@@ -70,9 +82,13 @@ internal MsalAccessTokenCacheItem(
         internal string ExpiresOnUnixTimestamp { get; set; }
         internal string ExtendedExpiresOnUnixTimestamp { get; set; }
         public string UserAssertionHash { get; set; }
+
+
+        internal bool IsAdfs { get; set; }
 
         internal string Authority =>
-            string.Format(CultureInfo.InvariantCulture, "https://{0}/{1}/", Environment, TenantId ?? "common");
+                                    IsAdfs ? string.Format(CultureInfo.InvariantCulture, "https://{0}/{1}/", Environment, "adfs") :
+                                    string.Format(CultureInfo.InvariantCulture, "https://{0}/{1}/", Environment, TenantId ?? "common");
 
         internal SortedSet<string> ScopeSet => ScopeHelper.ConvertStringToLowercaseSortedSet(NormalizedScopes);
 

diff --git a/src/Microsoft.Identity.Client/Cache/Items/MsalIdTokenCacheItem.cs b/src/Microsoft.Identity.Client/Cache/Items/MsalIdTokenCacheItem.cs
@@ -21,13 +21,16 @@ internal MsalIdTokenCacheItem(
             string environment,
             string clientId,
             MsalTokenResponse response,
-            string tenantId)
+            string tenantId,
+            string userId=null
+            )
             : this(
                 environment,
                 clientId,
                 response.IdToken,
                 response.ClientInfo,
-                tenantId)
+                tenantId,
+                userId)
         {
         }
 
@@ -36,7 +39,9 @@ internal MsalIdTokenCacheItem(
             string clientId,
             string secret,
             string rawClientInfo,
-            string tenantId)
+            string tenantId,
+            string userId=null
+            )
             : this()
         {
             Environment = environment;
@@ -45,13 +50,18 @@ internal MsalIdTokenCacheItem(
             Secret = secret;
             RawClientInfo = rawClientInfo;
 
+            //Adfs does not send back client info, so HomeAccountId must be explicitly set
+            HomeAccountId = userId;
             InitUserIdentifier();
         }
-
+
+
+        internal bool IsAdfs { get; set; }
         internal string TenantId { get; set; }
 
         internal string Authority =>
-            string.Format(CultureInfo.InvariantCulture, "https://{0}/{1}/", Environment, TenantId ?? "common");
+                                    IsAdfs ? string.Format(CultureInfo.InvariantCulture, "https://{0}/{1}/", Environment, "adfs") :
+                                    string.Format(CultureInfo.InvariantCulture, "https://{0}/{1}/", Environment, TenantId ?? "common");
 
         internal IdToken IdToken => IdToken.Parse(Secret);
 

diff --git a/src/Microsoft.Identity.Client/Cache/Items/MsalRefreshTokenCacheItem.cs b/src/Microsoft.Identity.Client/Cache/Items/MsalRefreshTokenCacheItem.cs
@@ -19,17 +19,20 @@ internal MsalRefreshTokenCacheItem()
         internal MsalRefreshTokenCacheItem(
             string environment,
             string clientId,
-            MsalTokenResponse response)
-            : this(environment, clientId, response.RefreshToken, response.ClientInfo, response.FamilyId)
+            MsalTokenResponse response,
+            string userId=null)
+            : this(environment, clientId, response.RefreshToken, response.ClientInfo, response.FamilyId, userId)
         {
         }
 
+
         internal MsalRefreshTokenCacheItem(
             string environment,
             string clientId,
             string secret,
             string rawClientInfo,
-            string familyId = null)
+            string familyId = null,
+            string userId = null)
             : this()
         {
             ClientId = clientId;
@@ -38,6 +41,8 @@ internal MsalRefreshTokenCacheItem(
             RawClientInfo = rawClientInfo;
             FamilyId = familyId;
 
+            //Adfs does not send back client info, so HomeAccountId must be explicitly set
+            HomeAccountId = userId;
             InitUserIdentifier();
         }
 

diff --git a/src/Microsoft.Identity.Client/Core/Constants.cs b/src/Microsoft.Identity.Client/Core/Constants.cs
@@ -41,7 +41,7 @@ public static string FormatAdfsWebFingerUrl(string host, string resource)
         {
             return string.Format(
                 CultureInfo.InvariantCulture,
-                "https://{0}/adfs/.well-known/webfinger?rel={1}&resource={2}",
+                "https://{0}/.well-known/webfinger?rel={1}&resource={2}",
                 host,
                 Constants.DefaultRealm,
                 resource);

diff --git a/src/Microsoft.Identity.Client/Core/IdToken.cs b/src/Microsoft.Identity.Client/Core/IdToken.cs
@@ -22,6 +22,7 @@ internal class IdTokenClaim
         public const string HomeObjectId = "home_oid";
         public const string GivenName = "given_name";
         public const string FamilyName = "family_name";
+        public const string Upn = "upn";
     }
 
     [DataContract]
@@ -51,6 +52,9 @@ internal class IdToken
         [DataMember(Name = IdTokenClaim.HomeObjectId, IsRequired = false)]
         public string HomeObjectId { get; set; }
 
+        [DataMember(Name = IdTokenClaim.Upn, IsRequired = false)]
+        public string Upn { get; set; }
+
         [DataMember(Name = IdTokenClaim.GivenName)]
         public string GivenName { get; set; }
 

diff --git a/src/Microsoft.Identity.Client/Instance/AdfsAuthority.cs b/src/Microsoft.Identity.Client/Instance/AdfsAuthority.cs
@@ -0,0 +1,36 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using System.Globalization;
+using System.Net.Http;
+using System.Threading.Tasks;
+using Microsoft.Identity.Client.Core;
+using Microsoft.Identity.Client.Http;
+using Microsoft.Identity.Client.OAuth2;
+using Microsoft.Identity.Client.TelemetryCore;
+
+namespace Microsoft.Identity.Client.Instance
+{
+    internal class AdfsAuthority : Authority
+    {
+        private readonly HashSet<string> _validForDomainsList = new HashSet<string>();
+
+        public AdfsAuthority(IServiceBundle serviceBundle, AuthorityInfo authorityInfo)
+            : base(serviceBundle, authorityInfo)
+        {
+        }
+
+        //ADFS does not have a concept of a tenant ID. This prevents ADFS from supporting multiple tenants
+        internal override string GetTenantId()
+        {
+            return null;
+        }
+
+        internal override void UpdateTenantId(string tenantId)
+        {
+            throw new NotImplementedException();
+        }
+    }
+}
diff --git a/src/Microsoft.Identity.Client/Instance/AdfsOpenIdConfigurationEndpointManager.cs b/src/Microsoft.Identity.Client/Instance/AdfsOpenIdConfigurationEndpointManager.cs
@@ -28,23 +28,9 @@ public async Task<string> ValidateAuthorityAndGetOpenIdDiscoveryEndpointAsync(
         {
             if (authorityInfo.ValidateAuthority)
             {
-                DrsMetadataResponse drsResponse = await GetMetadataFromEnrollmentServerAsync(userPrincipalName, requestContext)
-                                      .ConfigureAwait(false);
-
-                if (drsResponse.IdentityProviderService?.PassiveAuthEndpoint == null)
-                {
-                    throw new MsalServiceException(
-                        MsalError.MissingPassiveAuthEndpoint,
-                        MsalErrorMessage.CannotFindTheAuthEndpont)
-                    {
-                        OAuth2Response = drsResponse
-                    };
-                }
-
-                string resource = string.Format(CultureInfo.InvariantCulture, authorityInfo.CanonicalAuthority);
-                string webFingerUrl = Constants.FormatAdfsWebFingerUrl(
-                    drsResponse.IdentityProviderService.PassiveAuthEndpoint.Host,
-                    resource);
+                string resource = string.Format(CultureInfo.InvariantCulture, "https://{0}", authorityInfo.Host);
+                string webFingerUrl = Constants.FormatAdfsWebFingerUrl(authorityInfo.Host, resource);
+
 
                 var httpResponse = await _serviceBundle.HttpManager.SendGetAsync(new Uri(webFingerUrl), null, requestContext.Logger)
                                                        .ConfigureAwait(false);
@@ -59,10 +45,10 @@ public async Task<string> ValidateAuthorityAndGetOpenIdDiscoveryEndpointAsync(
                     };
                 }
 
-                var wfr = OAuth2Client.CreateResponse<AdfsWebFingerResponse>(httpResponse, requestContext, false);
+                AdfsWebFingerResponse wfr = OAuth2Client.CreateResponse<AdfsWebFingerResponse>(httpResponse, requestContext, false);
                 if (wfr.Links.FirstOrDefault(
                         a => a.Rel.Equals(Constants.DefaultRealm, StringComparison.OrdinalIgnoreCase) &&
-                             a.Href.Equals(resource, StringComparison.OrdinalIgnoreCase)) == null)
+                             a.Href.Equals(resource)) == null)
                 {
                     throw new MsalClientException(
                         MsalError.InvalidAuthority,
@@ -73,35 +59,5 @@ public async Task<string> ValidateAuthorityAndGetOpenIdDiscoveryEndpointAsync(
             return authorityInfo.CanonicalAuthority + Constants.WellKnownOpenIdConfigurationPath;
         }
 
-        private async Task<DrsMetadataResponse> GetMetadataFromEnrollmentServerAsync(
-            string userPrincipalName,
-            RequestContext requestContext)
-        {
-            try
-            {
-                // attempt to connect to on-premise enrollment server first.
-                return await QueryEnrollmentServerEndpointAsync(
-                   Constants.FormatEnterpriseRegistrationOnPremiseUri(AdfsUpnHelper.GetDomainFromUpn(userPrincipalName)),
-                   requestContext).ConfigureAwait(false);
-            }
-            catch (Exception exc)
-            {
-                requestContext.Logger.InfoPiiWithPrefix(
-                    exc,
-                    "On-Premise ADFS enrollment server endpoint lookup failed. Error - ");
-            }
-
-            return await QueryEnrollmentServerEndpointAsync(
-               Constants.FormatEnterpriseRegistrationInternetUri(AdfsUpnHelper.GetDomainFromUpn(userPrincipalName)),
-               requestContext).ConfigureAwait(false);
-        }
-
-        private async Task<DrsMetadataResponse> QueryEnrollmentServerEndpointAsync(string endpoint, RequestContext requestContext)
-        {
-            var client = new OAuth2Client(requestContext.Logger, _serviceBundle.HttpManager, _serviceBundle.TelemetryManager);
-            client.AddQueryParameter("api-version", "1.0");
-            return await client.ExecuteRequestAsync<DrsMetadataResponse>(new Uri(endpoint), HttpMethod.Get, requestContext)
-                               .ConfigureAwait(false);
-        }
     }
 }
diff --git a/src/Microsoft.Identity.Client/Instance/Authority.cs b/src/Microsoft.Identity.Client/Instance/Authority.cs
@@ -34,9 +34,7 @@ public static Authority CreateAuthorityWithOverride(IServiceBundle serviceBundle
             switch (authorityInfo.AuthorityType)
             {
             case AuthorityType.Adfs:
-                throw new MsalClientException(
-                    MsalError.InvalidAuthorityType,
-                    "ADFS is not a supported authority");
+                return new AdfsAuthority(serviceBundle, authorityInfo);
 
             case AuthorityType.B2C:
                 CheckB2CAuthorityHost(serviceBundle, authorityInfo);