Call user_info endpoint for AAD guest scenarios

[jennyf19]

Why?

TokenAcquistion.cs has hacks to try to guess guest scenarios. In the case of guest scenarios the home tenant ID, home object id is different from the tenantID, object ID which are provided in the IDToken. But we don't have today the home tid/oid information, and therefore we don't know that this is a guest user.
MSAL.NET uses the home tenant information, and therefore in the guest scenarios we don't find find the tokens in the cache today (I believe UniqueObjectIdentifier)

microsoft-identity-web/src/Microsoft.Identity.Web/TokenAcquisition.cs

Lines 403 to 412 in 7293921

	// Special case for guest users as the Guest oid / tenant id are not surfaced.
	// B2C should not follow this logic since loginHint is not present
	if (!_microsoftIdentityOptions.IsB2C && account == null)
	{
	if (loginHint == null)
	throw new ArgumentNullException(nameof(loginHint));
	var accounts = await application.GetAccountsAsync().ConfigureAwait(false);
	account = accounts.FirstOrDefault(a => a.Username == loginHint);
	}

and

microsoft-identity-web/src/Microsoft.Identity.Web/TokenAcquisition.cs

Lines 297 to 308 in 7293921

	// Workaround for the guest account
	if (account == null)
	{
	var accounts = await app.GetAccountsAsync().ConfigureAwait(false);
	account = accounts.FirstOrDefault(a => a.Username == user.GetLoginHint());
	}
	if (account != null)
	{
	await app.RemoveAsync(account).ConfigureAwait(false);
	_tokenCacheProvider?.ClearAsync().ConfigureAwait(false);
	}

The hypothesis is that we'd want to call the User info endpoint not only for B2C, but also AAD, and get the home tenant ID, home iod, instead of the hack.

What ?

• Like we do w/B2C, call the user_info endpoint for AAD guest scenarios. Today we test for B2C. We probably want to do the same or similar for AAD.

  microsoft-identity-web/src/Microsoft.Identity.Web/WebAppAuthenticationBuilderExtensions.cs

  Lines 141 to 148 in dbb91d6

  	if (microsoftIdentityOptions.IsB2C)
  	{
  	context.ProtocolMessage.SetParameter("client_info", "1");
  	// When a new Challenge is returned using any B2C user flow different than susi, we must change
  	// the ProtocolMessage.IssuerAddress to the desired user flow otherwise the redirect would use the susi user flow
  	await b2cOidcHandlers.OnRedirectToIdentityProvider(context).ConfigureAwait(false);
  	}

• probably (to be checked) change the GetMsalId method to use the home tenant information?

microsoft-identity-web/src/Microsoft.Identity.Web/ClaimsPrincipalExtensions.cs

Line 19 in 2739123

public static string GetMsalAccountId(this ClaimsPrincipal claimsPrincipal)

• if this is successful, remove the hacks?

How to test?

• Guest scenarios are only available in single tenant applications (audience = MyOrg). therefore the tenant Id in the config file should be a guid (not common or organizations). This sample could be used https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-1-Call-MSGraph with the msidentitytesting tenant signing-in with corporate accounts (as it only requires user.read, which is allowed in the corp tenant).

Otherwise we could add an hotmail account in a test tenant. Alternatively the identity lab will have guest accounts.

[jmprieur]

@jennyf19 this would be a good one to take if other issues are not fully spec-ed

[jennyf19]

In 0.1.4-preview release