MsalProvider.cs ctors convert scope strings to lowercase but should not do that! #185

Status: Open. tnsturm opened this issue Feb 10, 2022 · 1 comment
Labels: Area: Providers, bug 🐛 Something isn't working


tnsturm commented Feb 10, 2022

Toolkit Version 7.1.1

MsalProvider.cs constructors convert the scope arrays to lowercase:

```csharp
Scopes = scopes.Select(s => s.ToLower()).ToArray() ?? new string[] { string.Empty };
```

It should not do this because OpenID specs define scopes as CASE SENSITIVE.
https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
"Multiple scope values MAY be used by creating a space delimited, case sensitive list of ASCII scope values."

https://tools.ietf.org/html/rfc6749#section-3.3
"The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings. The strings are defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope."

I'm running a .NET Core 6 Azure Web App API with a case-sensitive scope in the AAD app registration. Using standard MSAL PublicClientApplication runs fine with that. Using the MsalProvider wrapper of the community toolkit breaks this, because the "lowercased" scope is not accepted by Microsoft.IdentityModel.Tokens.SecurityToken:

IDX10214: Audience validation failed. Audiences: 'https://abce.de/webapp-abcd.azurewebsites.net'. Did not match: validationParameters.ValidAudience: 'https://abce.de/WebApp-abce.azurewebsites.net'

Please note the uppercase 'W' in the scope.

Earlier versions of MSAL also had that bug and fixed it:
AzureAD/microsoft-authentication-library-for-objc#395
AzureAD/microsoft-authentication-library-for-js#1922

Best Regards,
Torsten
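
A worked illustration of the report, added here and not part of the toolkit's or MSAL's code: the quoted lowercasing line beside a case-preserving constructor body, plus an RFC 6749 scope comparison run on a constructed value modelled on the issue's audience URI. The URI with the uppercase 'W', the `ScopeCaseDemo` class and its helper names are assumptions for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not code from the Windows Community Toolkit or MSAL.
public static class ScopeCaseDemo
{
    // Same shape as the constructor line quoted in the issue. Besides losing
    // case, the ?? sits after Select/ToArray: ToArray never returns null, so
    // the fallback is dead code, and a null array throws before reaching it.
    public static string[] LowercasingNormalize(string[] scopes) =>
        scopes.Select(s => s.ToLower()).ToArray() ?? new string[] { string.Empty };

    // Case-preserving version: null-check first, trim, drop empties, and keep
    // the exact characters registered for the API (RFC 6749 s3.3: case-sensitive).
    public static string[] PreservingNormalize(string[] scopes) =>
        scopes?.Select(s => s?.Trim())
               .Where(s => !string.IsNullOrEmpty(s))
               .ToArray() ?? new string[] { string.Empty };

    // RFC 6749 comparison of two scope parameter values: space-delimited,
    // case-sensitive (ordinal), order does not matter.
    public static bool ScopeSetsEqual(string a, string b)
    {
        static HashSet<string> Parse(string s) => new HashSet<string>(
            s.Split(' ', StringSplitOptions.RemoveEmptyEntries), StringComparer.Ordinal);
        return Parse(a).SetEquals(Parse(b));
    }

    public static void Main()
    {
        // Constructed value modelled on the issue's audience: note the uppercase 'W'.
        var registered = "https://abce.de/WebApp-abce.azurewebsites.net";
        var input = new[] { registered };

        var lowered = LowercasingNormalize(input);
        var kept = PreservingNormalize(input);

        // Ordinal comparison, as the IDX10214 mismatch in the issue shows the validator doing.
        Console.WriteLine($"lowercased matches registration: {ScopeSetsEqual(registered, string.Join(" ", lowered))}");
        Console.WriteLine($"preserved matches registration:  {ScopeSetsEqual(registered, string.Join(" ", kept))}");
        Console.WriteLine($"order does not matter: {ScopeSetsEqual("openid profile", "profile openid")}");

        // Null handling: the quoted form throws, the fixed form falls back to an empty scope.
        try { LowercasingNormalize(null); }
        catch (ArgumentNullException) { Console.WriteLine("lowercasing form threw on null input"); }
        Console.WriteLine($"preserving form on null input: {PreservingNormalize(null).Length} entry, empty string");
    }
}
```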


ghost commented Feb 10, 2022

Hello tnsturm, thank you for opening an issue with us!

I have automatically added a "needs triage" label to help get things started. Our team will analyze and investigate the issue, and escalate it to the relevant team if possible. Other community members may also look into the issue and provide feedback 🙌
