diff --git a/src/Microsoft.AspNetCore.Authentication.AzureAD.UI/AzureADOptions.cs b/src/Microsoft.AspNetCore.Authentication.AzureAD.UI/AzureADOptions.cs
index 89a8a84..104e6f5 100644
--- a/src/Microsoft.AspNetCore.Authentication.AzureAD.UI/AzureADOptions.cs
+++ b/src/Microsoft.AspNetCore.Authentication.AzureAD.UI/AzureADOptions.cs
@@ -30,29 +30,47 @@ public class AzureADOptions
public string JwtBearerSchemeName { get; internal set; }
///
- /// Gets or sets the client Id.
+ /// Gets or sets the client Id (Application Id) of the Azure AD application
///
public string ClientId { get; set; }
///
- /// Gets or sets the client secret.
+ /// Gets or sets the audience for this Web Application or Web API (This audience needs
+ /// to match the audience of the tokens sent to access this application)
///
+ public string Audience { get; set; } = "api://{ClientId}";
+
+ ///
+ /// Gets or sets the client secret for the application
+ ///
+ /// The client secret is only used if the Web app or Web API calls a Web
+ /// API
public string ClientSecret { get; set; }
///
- /// Gets or sets the tenant Id.
+ /// Gets or sets the tenant. The tenant can have one of the following values:
+ ///
+ /// - a tenant IDA GUID representing the ID of the Azure Active Directory Tenant
+ /// - a domainassociated with Azure Active Directory
+ /// - commonif the is Azure AD v2.0, enables to sign-in users from any
+ /// Work and School account or Microsoft Personal Account. If Authority is Azure AD v1.0, enables sign-in from any Work and School accounts
+ /// - organizationsif the is Azure AD v2.0, enables to sign-in users from any
+ /// Work and School account
+ /// - consumersif the is Azure AD v2.0, enables to sign-in users from any
+ /// Microsoft personal account
+ ///
///
- public string TenantId { get; set; }
+ public string Tenant { get; set; } = "common";
///
/// Gets or sets the Azure Active Directory instance.
///
- public string Instance { get; set; }
+ public string Instance { get; set; } = "https://login.microsoftonline.com";
///
- /// Gets or sets the domain of the Azure Active Directory tennant.
+ /// Azure AD Authority.
///
- public string Domain { get; set; }
+ public string Authority { get; set; } = "https://{Instance}/{Tenant}/v2.0";
///
/// Gets or sets the sign in callback path.
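Review bot: The new `Authority` default `"https://{Instance}/{Tenant}/v2.0"` hard-codes a scheme while the new `Instance` default `"https://login.microsoftonline.com"` already carries one, so the expansion done in JwtBearerOptionsConfiguration and OpenIdConnectOptionsConfiguration yields `https://https://login.microsoftonline.com/common/v2.0` out of the box, and an `Instance` with a trailing slash (as every test in this commit sets) adds a `//` as well. Since `Authority` is what the handlers use for metadata discovery and issuer validation, a malformed value fails at startup at best; the template should be `public string Authority { get; set; } = "{Instance}/{Tenant}/v2.0";` and the expansion should trim a trailing `/` from `Instance` before substituting. The `Audience` default `"api://{ClientId}"` has the same shape and deserves a sentence in its summary saying that `{ClientId}` is substituted at configuration time, which the doc comment currently does not mention.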
diff --git a/src/Microsoft.AspNetCore.Authentication.AzureAD.UI/JwtBearerOptionsConfiguration.cs b/src/Microsoft.AspNetCore.Authentication.AzureAD.UI/JwtBearerOptionsConfiguration.cs
index 5754ee3..90cec1a 100644
--- a/src/Microsoft.AspNetCore.Authentication.AzureAD.UI/JwtBearerOptionsConfiguration.cs
+++ b/src/Microsoft.AspNetCore.Authentication.AzureAD.UI/JwtBearerOptionsConfiguration.cs
@@ -30,8 +30,12 @@ public void Configure(string name, JwtBearerOptions options)
return;
}
- options.Audience = azureADOptions.ClientId;
- options.Authority = new Uri(new Uri(azureADOptions.Instance), azureADOptions.TenantId).ToString();
+ string audienceFormat = azureADOptions.Authority.Replace("{ClientId}", "{0}");
+ options.Audience = string.Format(audienceFormat, azureADOptions.ClientId);
+
+ string authorityFormat = azureADOptions.Authority.Replace("{Instance}", "{0}").Replace("{Tenant}", "{1}") ;
+ options.Authority = string.Format(authorityFormat, azureADOptions.Instance, azureADOptions.Tenant);
+
}
public void Configure(JwtBearerOptions options)
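Review bot: The audience format on the first added line is built from `azureADOptions.Authority` instead of `azureADOptions.Audience`, so the `{ClientId}` placeholder is never found and `string.Format` then meets `{Instance}`, which is not a valid format item and throws `FormatException` before `options.Audience` is set; even if it did not throw, the bearer handler would validate tokens against the authority URL rather than the intended audience. The line should read `string audienceFormat = azureADOptions.Audience.Replace("{ClientId}", "{0}");`. Routing a user-configurable template through `string.Format` also means any other brace in the configured value throws, so substituting the placeholders directly with `Replace("{ClientId}", azureADOptions.ClientId)` is safer and simpler; the stray space before `;` on the authorityFormat line is a leftover to tidy. Configure's opening lines are outside the hunk.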
diff --git a/src/Microsoft.AspNetCore.Authentication.AzureAD.UI/OpenIdConnectOptionsConfiguration.cs b/src/Microsoft.AspNetCore.Authentication.AzureAD.UI/OpenIdConnectOptionsConfiguration.cs
index 57ca132..9b6b5b0 100644
--- a/src/Microsoft.AspNetCore.Authentication.AzureAD.UI/OpenIdConnectOptionsConfiguration.cs
+++ b/src/Microsoft.AspNetCore.Authentication.AzureAD.UI/OpenIdConnectOptionsConfiguration.cs
@@ -29,7 +29,8 @@ public void Configure(string name, OpenIdConnectOptions options)
options.ClientId = azureADOptions.ClientId;
options.ClientSecret = azureADOptions.ClientSecret;
- options.Authority = new Uri(new Uri(azureADOptions.Instance), azureADOptions.TenantId).ToString();
+ string authorityFormat = azureADOptions.Authority.Replace("{Instance}", "{0}").Replace("{Tenant}", "{1}");
+ options.Authority = string.Format(authorityFormat, azureADOptions.Instance, azureADOptions.Tenant);
options.CallbackPath = azureADOptions.CallbackPath ?? options.CallbackPath;
options.SignedOutCallbackPath = azureADOptions.SignedOutCallbackPath ?? options.SignedOutCallbackPath;
options.SignInScheme = azureADOptions.CookieSchemeName;
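Review bot: The two added lines duplicate the authority expansion in JwtBearerOptionsConfiguration token for token, so the placeholder names and any future fix to the template handling have to be kept in sync by hand; a single helper on AzureADOptions returning the expanded authority, called from both configurators, would remove that drift risk. Separately, the context line `options.ClientSecret = azureADOptions.ClientSecret;` still hands the secret to the OpenID Connect handler, which the new remark on `ClientSecret` in AzureADOptions.cs ("only used if the Web app or Web API calls a Web API") does not reflect; the remark should state that the secret is also passed to the OpenID Connect handler for the web sign-in flow, so readers know where the credential flows.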
diff --git a/test/Microsoft.AspNetCore.Authentication.AzureAD.FunctionalTests/ApiAuthenticationTests.cs b/test/Microsoft.AspNetCore.Authentication.AzureAD.FunctionalTests/ApiAuthenticationTests.cs
index 1bd9718..33f899b 100644
--- a/test/Microsoft.AspNetCore.Authentication.AzureAD.FunctionalTests/ApiAuthenticationTests.cs
+++ b/test/Microsoft.AspNetCore.Authentication.AzureAD.FunctionalTests/ApiAuthenticationTests.cs
@@ -35,9 +35,8 @@ public async Task BearerAzureAD_Challenges_UnauthorizedRequests()
.AddAzureADBearer(o =>
{
o.Instance = "https://login.microsoftonline.com/";
- o.Domain = "test.onmicrosoft.com";
+ o.Tenant= "test.onmicrosoft.com";
o.ClientId = "ClientId";
- o.TenantId = "TenantId";
});
services.Configure(AzureADDefaults.JwtBearerAuthenticationScheme, o =>
diff --git a/test/Microsoft.AspNetCore.Authentication.AzureAD.FunctionalTests/WebAuthenticationTests.cs b/test/Microsoft.AspNetCore.Authentication.AzureAD.FunctionalTests/WebAuthenticationTests.cs
index dc8e5f8..8220665 100644
--- a/test/Microsoft.AspNetCore.Authentication.AzureAD.FunctionalTests/WebAuthenticationTests.cs
+++ b/test/Microsoft.AspNetCore.Authentication.AzureAD.FunctionalTests/WebAuthenticationTests.cs
@@ -77,9 +77,8 @@ public async Task ADEndpoints_AreAvailable_When_Authentication_IsAdded(string en
.AddAzureAD(o =>
{
o.Instance = "https://login.microsoftonline.com/";
- o.Domain = "test.onmicrosoft.com";
+ o.Tenant = "test.onmicrosoft.com";
o.ClientId = "ClientId";
- o.TenantId = "TenantId";
});
services.Configure(AzureADDefaults.OpenIdScheme, o =>
diff --git a/test/Microsoft.AspNetCore.Authentication.AzureAD.UI.Test/AzureADAuthenticationBuilderExtensionsTests.cs b/test/Microsoft.AspNetCore.Authentication.AzureAD.UI.Test/AzureADAuthenticationBuilderExtensionsTests.cs
index a5bf4d6..af415e0 100644
--- a/test/Microsoft.AspNetCore.Authentication.AzureAD.UI.Test/AzureADAuthenticationBuilderExtensionsTests.cs
+++ b/test/Microsoft.AspNetCore.Authentication.AzureAD.UI.Test/AzureADAuthenticationBuilderExtensionsTests.cs
@@ -49,8 +49,7 @@ public void AddAzureAD_ConfiguresAllOptions()
o.ClientId = "ClientId";
o.ClientSecret = "ClientSecret";
o.CallbackPath = "/signin-oidc";
- o.Domain = "domain.onmicrosoft.com";
- o.TenantId = "Common";
+ o.Tenant = "common";
});
var provider = services.BuildServiceProvider();
@@ -64,7 +63,7 @@ public void AddAzureAD_ConfiguresAllOptions()
Assert.Equal("ClientId", azureADOptions.ClientId);
Assert.Equal("ClientSecret", azureADOptions.ClientSecret);
Assert.Equal("/signin-oidc", azureADOptions.CallbackPath);
- Assert.Equal("domain.onmicrosoft.com", azureADOptions.Domain);
+ Assert.Equal("common", azureADOptions.Tenant);
var openIdOptionsMonitor = provider.GetService>();
Assert.NotNull(openIdOptionsMonitor);
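Review bot: The assertions in this hunk only check that `Tenant` round-trips through AzureADOptions, and nothing in the commit asserts the `Authority` (or, in the AddAzureADBearer hunk ending at `Assert.NotNull(bearerOptionsMonitor);`, the `Audience`) that the configurators derive from the new templates, which is exactly where the commit introduces new logic. Unless the assertions that follow outside the hunk already cover it, an expected-value check on the resolved handler options such as `Assert.Equal("https://login.microsoftonline.com/common/v2.0", openIdOptions.Authority);` (with `openIdOptions` obtained from `openIdOptionsMonitor` for the configured scheme) would have caught the doubled scheme produced by the current defaults. AddAzureAD_ConfiguresAllOptions starts and ends outside this hunk.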
@@ -176,8 +175,7 @@ public void AddAzureADBearer_ConfiguresAllOptions()
o.Instance = "https://login.microsoftonline.com/";
o.ClientId = "ClientId";
o.CallbackPath = "/signin-oidc";
- o.Domain = "domain.onmicrosoft.com";
- o.TenantId = "TenantId";
+ o.Tenant = "domain.onmicrosoft.com";
});
var provider = services.BuildServiceProvider();
@@ -188,7 +186,7 @@ public void AddAzureADBearer_ConfiguresAllOptions()
Assert.Equal(AzureADDefaults.JwtBearerAuthenticationScheme, options.JwtBearerSchemeName);
Assert.Equal("https://login.microsoftonline.com/", options.Instance);
Assert.Equal("ClientId", options.ClientId);
- Assert.Equal("domain.onmicrosoft.com", options.Domain);
+ Assert.Equal("domain.onmicrosoft.com", options.Tenant);
var bearerOptionsMonitor = provider.GetService>();
Assert.NotNull(bearerOptionsMonitor);