AzureAD · tnorling · Apr 7, 2020 · Feb 11, 2020 · Feb 20, 2020 · Feb 20, 2020
@@ -27,6 +27,7 @@ const NAVIGATE_FRAME_WAIT = 500;
  *  - clientId                    - Client ID of your app registered with our Application registration portal : https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredAppsPreview in Microsoft Identity Platform
  *  - authority                   - You can configure a specific authority, defaults to " " or "https://login.microsoftonline.com/common"
  *  - validateAuthority           - Used to turn authority validation on/off. When set to true (default), MSAL will compare the application's authority against well-known URLs templates representing well-formed authorities. It is useful when the authority is obtained at run time to prevent MSAL from displaying authentication prompts from malicious pages.
+ *  - knownAuthorities            - If validateAuthority is set to True, this will be used to set the Trusted Host list. Defaults to empty array
  *  - redirectUri                 - The redirect URI of the application, this should be same as the value in the application registration portal.Defaults to `window.location.href`.
  *  - postLogoutRedirectUri       - Used to redirect the user to this location after logout. Defaults to `window.location.href`.
  *  - navigateToLoginRequestUrl   - Used to turn off default navigation to start page after login. Default is true. This is used only for redirect flows.
@@ -36,6 +37,7 @@ export type AuthOptions = {
     clientId: string;
     authority?: string;
     validateAuthority?: boolean;
+    knownAuthorities?: Array<string>;
     redirectUri?: string | (() => string);
     postLogoutRedirectUri?: string | (() => string);
     navigateToLoginRequestUrl?: boolean;
@@ -115,6 +117,7 @@ const DEFAULT_AUTH_OPTIONS: AuthOptions = {
     clientId: "",
     authority: null,
     validateAuthority: true,
+    knownAuthorities: [],
     redirectUri: () => UrlUtils.getDefaultRedirectUri(),
     postLogoutRedirectUri: () => UrlUtils.getDefaultRedirectUri(),
     navigateToLoginRequestUrl: true
@@ -145,6 +148,7 @@ const DEFAULT_FRAMEWORK_OPTIONS: FrameworkOptions = {
  * @param TCacheOptions
  * @param TSystemOptions
  * @param TFrameworkOptions
+ * @param TAuthorityDataOptions
  *
  * @returns TConfiguration object
  */

@@ -40,6 +40,7 @@ import { Constants,
     TemporaryCacheKeys,
     PersistentCacheKeys,
     ErrorCacheKeys,
+    B2CTrustedHostList
 } from "./utils/Constants";
 import { CryptoUtils } from "./utils/CryptoUtils";
 
@@ -217,6 +218,8 @@ export class UserAgentApplication {
 
         this.telemetryManager = this.getTelemetryManagerFromConfig(this.config.system.telemetry, this.clientId);
 
+        this.setKnownAuthorities(this.config.auth.validateAuthority, this.config.auth.knownAuthorities);
+
         // if no authority is passed, set the default: "https://login.microsoftonline.com/common"
         this.authority = this.config.auth.authority || DEFAULT_AUTHORITY;
 
@@ -273,7 +276,7 @@ export class UserAgentApplication {
         // On the server 302 - Redirect, handle this
         const cachedHash = this.cacheStorage.getItem(TemporaryCacheKeys.URL_HASH);
         if (cachedHash) {
-            this.processCallBack(cachedHash, null);
+            this.processCallBack(cachedHash, null); 
         }
     }
 
@@ -2135,5 +2138,21 @@ export class UserAgentApplication {
         return new TelemetryManager(telemetryManagerConfig, telemetryEmitter);
     }
 
+    /**
+     * @hidden
+     * @ignore
+     * Use when Authority is B2C and validateAuthority is set to True to provide list of allowed domains.
+     * @param authorityType
+     * @param validateAuthority
+     * @param knownAuthorities
+     */
+    private setKnownAuthorities(validateAuthority: boolean, knownAuthorities: Array<string>): void {
+        if (validateAuthority && !Object.keys(B2CTrustedHostList).length){
+            knownAuthorities.forEach(function(authority){
+                B2CTrustedHostList[authority] = authority;
+            });
+        }
+    }
+
     // #endregion
 }
@@ -41,17 +41,17 @@ export abstract class Authority {
 
     public get AuthorizationEndpoint(): string {
         this.validateResolved();
-        return this.tenantDiscoveryResponse.AuthorizationEndpoint.replace("{tenant}", this.Tenant);
+        return this.tenantDiscoveryResponse.AuthorizationEndpoint.replace(/{tenant}|{tenantid}/g, this.Tenant);
     }
 
     public get EndSessionEndpoint(): string {
         this.validateResolved();
-        return this.tenantDiscoveryResponse.EndSessionEndpoint.replace("{tenant}", this.Tenant);
+        return this.tenantDiscoveryResponse.EndSessionEndpoint.replace(/{tenant}|{tenantid}/g, this.Tenant);
     }
 
     public get SelfSignedJwtAudience(): string {
         this.validateResolved();
-        return this.tenantDiscoveryResponse.Issuer.replace("{tenant}", this.Tenant);
+        return this.tenantDiscoveryResponse.Issuer.replace(/{tenant}|{tenantid}/g, this.Tenant);
     }
 
     private validateResolved() {

@@ -9,25 +9,31 @@
 import { AadAuthority } from "./AadAuthority";
 import { B2cAuthority } from "./B2cAuthority";
 import { Authority, AuthorityType } from "./Authority";
-import { ClientConfigurationErrorMessage } from "../error/ClientConfigurationError";
-import { UrlUtils } from "../utils/UrlUtils";
 import { StringUtils } from "../utils/StringUtils";
+import { UrlUtils } from "../utils/UrlUtils";
+import { ClientConfigurationError } from "../error/ClientConfigurationError";
+import { B2CTrustedHostList } from "../utils/Constants";
 
 export class AuthorityFactory {
+
     /**
      * Parse the url and determine the type of authority
      */
-    private static DetectAuthorityFromUrl(authorityUrl: string): AuthorityType {
+    private static detectAuthorityFromUrl(authorityUrl: string): AuthorityType {
         authorityUrl = UrlUtils.CanonicalizeUri(authorityUrl);
         const components = UrlUtils.GetUrlComponents(authorityUrl);
         const pathSegments = components.PathSegments;
-        switch (pathSegments[0]) {
-            case "tfp":
-                return AuthorityType.B2C;
-            default:
-                return AuthorityType.Aad;
+
+        if (pathSegments[0] === "adfs") {
+            return AuthorityType.Adfs;
         }
-    }
+        else if (Object.keys(B2CTrustedHostList).length) {
+            return AuthorityType.B2C;
+        }
+
+        // Defaults to Aad
+        return AuthorityType.Aad;
+    }	    
 
     /**
      * Create an authority object of the correct type based on the url
@@ -37,15 +43,15 @@ export class AuthorityFactory {
         if (StringUtils.isEmpty(authorityUrl)) {
             return null;
         }
-        const type = AuthorityFactory.DetectAuthorityFromUrl(authorityUrl);
+        const type = AuthorityFactory.detectAuthorityFromUrl(authorityUrl);
         // Depending on above detection, create the right type.
         switch (type) {
             case AuthorityType.B2C:
                 return new B2cAuthority(authorityUrl, validateAuthority);
             case AuthorityType.Aad:
                 return new AadAuthority(authorityUrl, validateAuthority);
             default:
-                throw ClientConfigurationErrorMessage.invalidAuthorityType;
+                throw ClientConfigurationError.createInvalidAuthorityTypeError();
         }
     }
 

@@ -3,26 +3,18 @@
  * Licensed under the MIT License.
  */
 
-import { AadAuthority } from "./AadAuthority";
+import { Authority } from "./Authority";
 import { AuthorityType } from "./Authority";
-import { ClientConfigurationErrorMessage } from "../error/ClientConfigurationError";
-import { UrlUtils } from "../utils/UrlUtils";
+import { ClientConfigurationError } from "../error/ClientConfigurationError";
+import { B2CTrustedHostList } from "../utils/Constants";
 
 /**
  * @hidden
  */
-export class B2cAuthority extends AadAuthority {
+export class B2cAuthority extends Authority {
     public static B2C_PREFIX: String = "tfp";
     public constructor(authority: string, validateAuthority: boolean) {
         super(authority, validateAuthority);
-        const urlComponents = UrlUtils.GetUrlComponents(authority);
-
-        const pathSegments = urlComponents.PathSegments;
-        if (pathSegments.length < 3) {
-            throw ClientConfigurationErrorMessage.b2cAuthorityUriInvalidPath;
-        }
-
-        this.CanonicalAuthority = `https://${urlComponents.HostNameAndPort}/${pathSegments[0]}/${pathSegments[1]}/${pathSegments[2]}/`;
     }
 
     public get AuthorityType(): AuthorityType {
@@ -37,6 +29,18 @@ export class B2cAuthority extends AadAuthority {
             return this.DefaultOpenIdConfigurationEndpoint;
         }
 
-        throw ClientConfigurationErrorMessage.unsupportedAuthorityValidation;
+        throw ClientConfigurationError.createUnsupportedAuthorityValidationError();
+    }
+
+    /**
+     * Checks to see if the host is in a list of trusted hosts
+     * @param {string} The host to look up
+     */
+    public IsInTrustedHostList(host: string): boolean {
+        if (this.IsValidationEnabled && !Object.keys(B2CTrustedHostList).length) {
+            throw ClientConfigurationError.createKnownAuthoritiesNotSetError();
+        }
+
+        return B2CTrustedHostList[host.toLowerCase()];
     }
 }
@@ -66,6 +66,10 @@ export const ClientConfigurationErrorMessage = {
         code: "b2c_authority_uri_invalid_path",
         desc: "The given URI for the B2C authority is invalid."
     },
+    b2cKnownAuthoritiesNotSet: {
+        code: "b2c_known_authorities_not_set",
+        desc: "Must set known authorities when validateAuthority is set to True and using B2C"
+    },
     claimsRequestParsingError: {
         code: "claims_request_parsing_error",
         desc: "Could not parse the given claims request object."
@@ -154,6 +158,21 @@ export class ClientConfigurationError extends ClientAuthError {
             ClientConfigurationErrorMessage.invalidCorrelationIdError.desc);
     }
 
+    static createKnownAuthoritiesNotSetError(): ClientConfigurationError {
+        return new ClientConfigurationError(ClientConfigurationErrorMessage.b2cKnownAuthoritiesNotSet.code,
+            ClientConfigurationErrorMessage.b2cKnownAuthoritiesNotSet.desc);
+    }
+
+    static createInvalidAuthorityTypeError(): ClientConfigurationError {
+        return new ClientConfigurationError(ClientConfigurationErrorMessage.invalidAuthorityType.code,
+            ClientConfigurationErrorMessage.invalidAuthorityType.desc);
+    }
+
+    static createUnsupportedAuthorityValidationError(): ClientConfigurationError {
+        return new ClientConfigurationError(ClientConfigurationErrorMessage.unsupportedAuthorityValidation.code,
+            ClientConfigurationErrorMessage.unsupportedAuthorityValidation.desc);
+    }
+
     static createTelemetryConfigError(config: TelemetryOptions): ClientConfigurationError {
         const { code, desc } = ClientConfigurationErrorMessage.telemetryConfigError;
         const requiredKeys = {

diff --git a/lib/msal-core/src/utils/Constants.ts b/lib/msal-core/src/utils/Constants.ts
@@ -107,6 +107,8 @@ export const AADTrustedHostList =  {
     "login.microsoftonline.us": "login.microsoftonline.us"
 };
 
+export const B2CTrustedHostList = {};
+
 /**
  * @hidden
  * SSO Types - generated to populate hints

@@ -64,9 +64,15 @@ export const TEST_CONFIG = {
     CorrelationId: "ed2a3125-a597-416f-9d12-68b9add1c268"
 };
 
+export const B2C_TEST_CONFIG = {
+    validAuthority: "https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_susi",
+    MSAL_CLIENT_ID: "e760cab2-b9a1-4c0d-86fb-ff7084abd902",
+    knownAuthorities: ["fabrikamb2c.b2clogin.com"]
+};
+
 export const TEST_RESPONSE_TYPE = {
     id_token: "id_token",
     token: "token",
     id_token_token: "id_token token"
-}
+};
 
@@ -22,7 +22,7 @@ import { ITenantDiscoveryResponse } from "../src/authority/ITenantDiscoveryRespo
 import { AuthCache } from "../src/cache/AuthCache";
 import { AccessTokenKey } from "../src/cache/AccessTokenKey";
 import { AccessTokenValue } from "../src/cache/AccessTokenValue";
-import { SSOTypes, TemporaryCacheKeys, PersistentCacheKeys, ServerHashParamKeys } from "../src/utils/Constants";
+import { SSOTypes, TemporaryCacheKeys, PersistentCacheKeys, ServerHashParamKeys, B2CTrustedHostList } from "../src/utils/Constants";
 import { WindowUtils } from "../src/utils/WindowUtils";
 import { ClientAuthErrorMessage } from "../src/error/ClientAuthError";
 import { ClientConfigurationErrorMessage } from "../src/error/ClientConfigurationError";
@@ -1590,6 +1590,23 @@ describe("UserAgentApplication.ts Class", function () {
         });
     });
 
+    describe("Test Known Authorities", () => {
+        it("Sets B2CTrustedHostList with Known Authorities", () => {
+            let config: Configuration = {
+                auth: {
+                    clientId: TEST_CONFIG.MSAL_CLIENT_ID,
+                    validateAuthority: true,
+                    knownAuthorities: ['fabrikamb2c.b2clogin.com']
+                }
+            }
+            msal = new UserAgentApplication(config);
+
+            expect(B2CTrustedHostList["fabrikamb2c.b2clogin.com"]).to.be.equal("fabrikamb2c.b2clogin.com");
+            expect(Object.keys(B2CTrustedHostList)).to.have.length(1);
+
+        });
+    });
+
     describe('Logger', () => {
         it('getLogger and setLogger', done => {
             const config: Configuration = {

@@ -0,0 +1,40 @@
+import { expect } from "chai";
+import { AuthorityType } from "../../src/authority/Authority";
+import { AadAuthority } from "../../src/authority/AadAuthority";
+import { AADTrustedHostList } from "../../src/utils/Constants";
+import { TEST_CONFIG } from "../TestConstants";
+
+describe("AadAuthority.ts Class", function () {
+
+    it("tests initialization of aad authority", function() {
+        const authority = new AadAuthority(TEST_CONFIG.validAuthority, false);
+
+        expect(authority).to.be.instanceOf(AadAuthority);
+        expect(authority.AuthorityType).to.be.equal(AuthorityType.Aad);
+    });
+
+    it("tests GetOpenIdConfigurationEndpointAsync with validateAuthority false", async function () {
+        const authority = new AadAuthority(TEST_CONFIG.validAuthority, false);
+        const endpoint = await authority.GetOpenIdConfigurationEndpointAsync();
+
+        expect(endpoint).to.include("/v2.0/.well-known/openid-configuration");
+    });
+
+    it("tests GetOpenIdConfigurationEndpointAsync with validateAuthority true", async function () {
+        const authority = new AadAuthority(TEST_CONFIG.validAuthority, true);
+        const endpoint = await authority.GetOpenIdConfigurationEndpointAsync();
+
+        expect(endpoint).to.include("/v2.0/.well-known/openid-configuration");
+    });
+
+    it("tests GetOpenIdConfigurationEndpointAsync with validateAuthority true and not in trusted host list", async function () {
+
+        delete AADTrustedHostList["login.microsoftonline.com"];
+        const authority = new AadAuthority(TEST_CONFIG.validAuthority, true);
+        const endpoint = await authority.GetOpenIdConfigurationEndpointAsync();
+        AADTrustedHostList["login.microsoftonline.com"] = "login.microsoftonline.com";
+
+        expect(endpoint).to.include("/v2.0/.well-known/openid-configuration");
+    });
+
+});