AzureAD · shylasummers · Aug 1, 2023 · Jul 21, 2023 · Jul 24, 2023 · Jul 25, 2023
diff --git a/change/@azure-msal-common-7e065849-b972-405d-ab85-674138d67aa2.json b/change/@azure-msal-common-7e065849-b972-405d-ab85-674138d67aa2.json
@@ -0,0 +1,7 @@
+{
+  "type": "prerelease",
+  "comment": "Append v2 to endpoint when using a Microsoft authority under OIDC protocol mode",
+  "packageName": "@azure/msal-common",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
@@ -21,6 +21,7 @@ import {
 import {
     EndpointMetadata,
     InstanceDiscoveryMetadata,
+    InstanceDiscoveryMetadataAliases,
 } from "./AuthorityMetadata";
 import { ClientConfigurationError } from "../error/ClientConfigurationError";
 import { ProtocolMode } from "./ProtocolMode";
@@ -352,9 +353,10 @@ export class Authority {
      * The default open id configuration endpoint for any canonical authority.
      */
     protected get defaultOpenIdConfigurationEndpoint(): string {
+        const canonicalAuthorityHost = this.hostnameAndPort;
         if (
             this.authorityType === AuthorityType.Adfs ||
-            this.protocolMode === ProtocolMode.OIDC
+            !this.isAliasOfKnownMicrosoftAuthority(canonicalAuthorityHost)
         ) {
             return `${this.canonicalAuthority}.well-known/openid-configuration`;
         }
@@ -1100,6 +1102,14 @@ export class Authority {
         return this.metadata.aliases.indexOf(host) > -1;
     }
 
+    /**
+     * Returns whether or not the provided host is an alias of a known Microsoft authority for purposes of endpoint discovery
+     * @param host
+     */
+    isAliasOfKnownMicrosoftAuthority(host: string): boolean {
+        return InstanceDiscoveryMetadataAliases.has(host);
+    }
+
     /**
      * Checks whether the provided host is that of a public cloud authority
      *

@@ -942,3 +942,12 @@ export const rawMetdataJSON = {
 export const EndpointMetadata = rawMetdataJSON.endpointMetadata;
 export const InstanceDiscoveryMetadata =
     rawMetdataJSON.instanceDiscoveryMetadata;
+
+export const InstanceDiscoveryMetadataAliases: Set<String> = new Set();
+for (const key in InstanceDiscoveryMetadata) {
+    for (const metadata of InstanceDiscoveryMetadata[key].metadata) {
+        for (const alias of metadata.aliases) {
+            InstanceDiscoveryMetadataAliases.add(alias);
+        }
+    }
+}
@@ -101,10 +101,6 @@ export const ClientConfigurationErrorMessage = {
         code: "invalid_authentication_header",
         desc: "Invalid authentication header provided",
     },
-    cannotSetOIDCProtocolMode: {
-        code: "cannot_set_OIDC_protocol_mode",
-        desc: "Cannot use OIDC Protocol Mode when using a known Microsoft authority.",
-    },
     cannotSetOIDCOptions: {
         code: "cannot_set_OIDCOptions",
         desc: "Cannot set OIDCOptions parameter. Please change the protocol mode to OIDC or use a non-Microsoft authority.",
@@ -368,16 +364,6 @@ export class ClientConfigurationError extends ClientAuthError {
         );
     }
 
-    /**
-     * Throws error when using OIDC protocol mode with a known Microsoft authority
-     */
-    static createCannotSetOIDCProtocolModeError(): ClientConfigurationError {
-        return new ClientConfigurationError(
-            ClientConfigurationErrorMessage.cannotSetOIDCProtocolMode.code,
-            ClientConfigurationErrorMessage.cannotSetOIDCProtocolMode.desc
-        );
-    }
-
     /**
      * Throws error when provided non-default OIDCOptions when not in OIDC protocol mode
      */

@@ -2569,7 +2569,38 @@ describe("Authority.ts Class Unit Tests", () => {
             );
         });
 
-        it("OIDC ProtocolMode does not append v2 to endpoint", async () => {
+        it("Does not append v2 to endpoint when not using a known Microsoft authority", async () => {
+            const authorityUrl = "https://test.com/";
+            let endpoint = "";
+            const options = {
+                protocolMode: ProtocolMode.OIDC,
+                knownAuthorities: ["https://test.com"],
+                cloudDiscoveryMetadata: "",
+                authorityMetadata: "",
+            };
+            authority = new Authority(
+                authorityUrl,
+                networkInterface,
+                mockStorage,
+                options,
+                logger
+            );
+            jest.spyOn(
+                networkInterface,
+                <any>"sendGetRequestAsync"
+            ).mockImplementation((openIdConfigEndpoint) => {
+                // @ts-ignore
+                endpoint = openIdConfigEndpoint;
+                return DEFAULT_OPENID_CONFIG_RESPONSE;
+            });
+
+            await authority.resolveEndpointsAsync();
+            expect(endpoint).toBe(
+                `${authorityUrl}.well-known/openid-configuration`
+            );
+        });
+
+        it("Does append v2 to endpoint when using a known Microsoft authority", async () => {
             const authorityUrl = "https://login.microsoftonline.com/";
             let endpoint = "";
             const options = {
@@ -2596,7 +2627,7 @@ describe("Authority.ts Class Unit Tests", () => {
 
             await authority.resolveEndpointsAsync();
             expect(endpoint).toBe(
-                `${authorityUrl}.well-known/openid-configuration`
+                `${authorityUrl}v2.0/.well-known/openid-configuration`
             );
         });
     });