Using verified tenantId to fix AAD breaking change (#1125)

Using verified tenantId to fix AAD breaking change (#1125)

Co-authored-by: Josiah Vinson <[email protected]>
Co-authored-by: Karthik Balasubramanian 👍 <[email protected]>

build/add-aad-test-environment.yml

@@ -50,4 +50,4 @@ steps:
       Import-Module $(System.DefaultWorkingDirectory)/samples/scripts/PowerShell/DicomServer.psd1
       Import-Module $(System.DefaultWorkingDirectory)/release/scripts/PowerShell/DicomServerRelease/DicomServerRelease.psd1
 
-      $output = Add-AadTestAuthEnvironment -TestAuthEnvironmentPath $(System.DefaultWorkingDirectory)/testauthenvironment.json -EnvironmentName $(deploymentName) -TenantAdminCredential $adminCredential -EnvironmentLocation $(resourceGroupRegion)
+      $output = Add-AadTestAuthEnvironment -TestAuthEnvironmentPath $(System.DefaultWorkingDirectory)/testauthenvironment.json -EnvironmentName $(deploymentName) -TenantAdminCredential $adminCredential -EnvironmentLocation $(resourceGroupRegion) -TenantIdDomain $tenantId

build/ci-variables.yml

@@ -1,6 +1,8 @@
 variables:
   deploymentName: 'dcm-ci-permanent'
   testEnvironmentUrl: 'https://$(deploymentName).azurewebsites.net/'
+  testApplicationScope: 'https://$(deploymentName).resoluteopensource.onmicrosoft.com/.default'
+  testApplicationResource: 'https://$(deploymentName).resoluteopensource.onmicrosoft.com'
   resourceGroupName: $(deploymentName)
   resourceGroupRegion: 'southcentralus'
   appServicePlanResourceGroup: 'msh-dicom-pr'

build/cleanup.yml

@@ -65,4 +65,4 @@ jobs:
         Import-Module $(System.DefaultWorkingDirectory)/samples/scripts/PowerShell/DicomServer.psd1
         Import-Module $(System.DefaultWorkingDirectory)/release/scripts/PowerShell/DicomServerRelease/DicomServerRelease.psd1
 
-        Remove-AadTestAuthEnvironment -TestAuthEnvironmentPath $(System.DefaultWorkingDirectory)/testauthenvironment.json -EnvironmentName $(deploymentName)
+        Remove-AadTestAuthEnvironment -TestAuthEnvironmentPath $(System.DefaultWorkingDirectory)/testauthenvironment.json -EnvironmentName $(deploymentName) -TenantIdDomain $tenantId

build/deploy.yml

@@ -38,7 +38,7 @@ jobs:
             additionalDicomServerConfigProperties = $additionalProperties
             sqlAdminPassword = "$(-join((((33,35,37,38,42,43,45,46,95) + (48..57) + (65..90) + (97..122) | Get-Random -Count 20) + ((33,35,37,38,42,43,45,46,95) | Get-Random -Count 1) + ((48..57) | Get-Random -Count 1) + ((65..90) | Get-Random -Count 1) + ((97..122) | Get-Random -Count 1) | Get-Random -Count 24) | % {[char]$_}))"
             securityAuthenticationAuthority = "https://login.microsoftonline.com/$(tenant-id)"
-            securityAuthenticationAudience = "$(testEnvironmentUrl)"
+            securityAuthenticationAudience = "$(testApplicationResource)"
             deployPackage = $false
         }
 

build/pr-variables.yml

@@ -2,6 +2,8 @@ variables:
   prNumber: $(system.pullRequest.pullRequestNumber)
   deploymentName: 'msh-dicom-pr-$(prNumber)'
   testEnvironmentUrl: 'https://$(deploymentName).azurewebsites.net/'
+  testApplicationScope: 'https://$(deploymentName).resoluteopensource.onmicrosoft.com/.default'
+  testApplicationResource: 'https://$(deploymentName).resoluteopensource.onmicrosoft.com'
   resourceGroupName: $(deploymentName)
   resourceGroupRegion: 'southcentralus'
   appServicePlanResourceGroup: 'msh-dicom-pr'

build/run-e2e-tests.yml

@@ -26,8 +26,8 @@ jobs:
         }
 
         Write-Host "##vso[task.setvariable variable=Resource]$(testEnvironmentUrl)"
-        Write-Host "##vso[task.setvariable variable=security_scope]$(testEnvironmentUrl)"
-        Write-Host "##vso[task.setvariable variable=security_resource]$(testEnvironmentUrl)"
+        Write-Host "##vso[task.setvariable variable=security_scope]$(testApplicationScope)"
+        Write-Host "##vso[task.setvariable variable=security_resource]$(testApplicationResource)"
         Write-Host "##vso[task.setvariable variable=security_enabled]$true"
 
         dotnet dev-certs https

release/scripts/PowerShell/DicomServerRelease/Private/SharedModuleFunctions.ps1

@@ -50,14 +50,16 @@ function Get-ServiceAudience {
     param (
         [Parameter(Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
-        [string]$EnvironmentName,
+        [string]$ServiceName,
 
         [Parameter(Mandatory = $true)]
         [ValidateNotNullOrEmpty()]
-        [string]$WebAppSuffix
+        [string]$TenantIdDomain
     )
-
-    return "https://$EnvironmentName.$WebAppSuffix/"
+    # AppId Uri in single tenant applications will require use of default scheme or verified domains
+    # It needs to be in one of the many formats mentioned in https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-breaking-changes
+    # We use the format https://<string>.<tenantIdDomain>
+    return "https://$ServiceName.$TenantIdDomain"
 }
 
 function Get-UserId { 

release/scripts/PowerShell/DicomServerRelease/Public/Add-AadTestAuthEnvironment.ps1

@@ -9,6 +9,8 @@ function Add-AadTestAuthEnvironment {
     Environment name used for the test environment. This is used throughout for making names unique.
     .PARAMETER TenantAdminCredential
     Credentials for a tenant admin user. Needed to grant admin consent to client apps.
+    .PARAMETER TenantIdDomain
+    TenantId domain ("*.onmicrosoft.com") used for creating service audience while creating AAD application.
     #>
     param
     (
@@ -27,8 +29,9 @@ function Add-AadTestAuthEnvironment {
         [ValidateNotNull()]
         [pscredential]$TenantAdminCredential,
 
-        [Parameter(Mandatory = $false )]
-        [String]$WebAppSuffix = "azurewebsites.net",
+        [Parameter(Mandatory = $true )]
+        [ValidateNotNullOrEmpty()]
+        [String]$TenantIdDomain,
 
         [Parameter(Mandatory = $false)]
         [string]$ResourceGroupName = $EnvironmentName,
@@ -98,7 +101,7 @@ function Add-AadTestAuthEnvironment {
 
     Write-Host "Ensuring API application exists"
 
-    $dicomServiceAudience = Get-ServiceAudience -EnvironmentName $EnvironmentName -WebAppSuffix $WebAppSuffix
+    $dicomServiceAudience = Get-ServiceAudience -ServiceName $EnvironmentName -TenantIdDomain $TenantIdDomain
 
     $application = Get-AzureAdApplicationByIdentifierUri $dicomServiceAudience
 

release/scripts/PowerShell/DicomServerRelease/Public/Remove-AadTestAuthEnvironment.ps1

@@ -7,6 +7,8 @@ function Remove-AadTestAuthEnvironment {
     Path for the testauthenvironment.json file
     .PARAMETER EnvironmentName
     Environment name used for the test environment. This is used throughout for making names unique.
+    .PARAMETER TenantIdDomain
+    TenantId domain ("*.onmicrosoft.com") used for creating service audience while creating AAD application.
     #>
     param
     (
@@ -18,8 +20,9 @@ function Remove-AadTestAuthEnvironment {
         [ValidateNotNullOrEmpty()]
         [string]$EnvironmentName,
 
-        [Parameter(Mandatory = $false )]
-        [String]$WebAppSuffix = "azurewebsites.net"
+        [Parameter(Mandatory = $true )]
+        [ValidateNotNullOrEmpty()]
+        [String]$TenantIdDomain
     )
 
     Set-StrictMode -Version Latest
@@ -36,7 +39,7 @@ function Remove-AadTestAuthEnvironment {
 
     $testAuthEnvironment = Get-Content -Raw -Path $TestAuthEnvironmentPath | ConvertFrom-Json
 
-    $dicomServiceAudience = Get-ServiceAudience -EnvironmentName $EnvironmentName -WebAppSuffix $WebAppSuffix
+    $dicomServiceAudience = Get-ServiceAudience -ServiceName $EnvironmentName -TenantIdDomain $TenantIdDomain
 
     $application = Get-AzureAdApplicationByIdentifierUri $dicomServiceAudience
 
@@ -64,4 +67,4 @@ function Remove-AadTestAuthEnvironment {
             Remove-AzureAdApplication -ObjectId $aadClientApplication.ObjectId | Out-Null
         }
     }
-}
+}

samples/scripts/PowerShell/Identity/New-DicomServerApiApplicationRegistration.ps1

@@ -8,14 +8,13 @@ function New-DicomServerApiApplicationRegistration {
     .EXAMPLE
     New-DicomServerApiApplicationRegistration -DicomServiceName "mydicomservice" -AppRoles admin,nurse
     .EXAMPLE
-    New-DicomServerApiApplicationRegistration -DicomServiceAudience "https://mydicomservice.azurewebsites.net" -AppRoles admin,nurse
+    New-DicomServerApiApplicationRegistration -DicomServiceAudience "https://mydicomservice.resoluteopensource.onmicrosoft.com" -AppRoles admin,nurse
     .PARAMETER DicomServiceName
     Name of the Dicom service instance. 
     .PARAMETER DicomServiceAudience
     Full URL of the Dicom service.
-    .PARAMETER WebAppSuffix
-    Will be appended to Dicom service name to form the DicomServiceAudience if one is not supplied,
-    e.g., azurewebsites.net or azurewebsites.us (for US Government cloud)
+    .PARAMETER TenantIdDomain
+    TenantId domain ("*.onmicrosoft.com") used for creating service audience while creating AAD application.
     .PARAMETER AppRoles
     Names of AppRoles to be defined in the AAD Application registration
     #>
@@ -29,8 +28,9 @@ function New-DicomServerApiApplicationRegistration {
         [ValidateNotNullOrEmpty()]
         [string]$DicomServiceAudience,
 
-        [Parameter(Mandatory = $false, ParameterSetName = 'ByDicomServiceName' )]
-        [String]$WebAppSuffix = "azurewebsites.net",
+        [Parameter(Mandatory = $true, ParameterSetName = 'ByDicomServiceName' )]
+        [ValidateNotNullOrEmpty()]
+        [String]$TenantIdDomain,
 
         [Parameter(Mandatory = $false)]
         [String[]]$AppRoles = "admin"
@@ -47,7 +47,7 @@ function New-DicomServerApiApplicationRegistration {
     }
 
     if ([string]::IsNullOrEmpty($DicomServiceAudience)) {
-        $DicomServiceAudience = "https://$DicomServiceName.$WebAppSuffix"
+        $DicomServiceAudience = Get-ServiceAudience -ServiceName $DicomServiceName -TenantIdDomain $TenantIdDomain
     }
 
     $desiredAppRoles = @()