Ensure TenantIdResolver performs case-insensitive tenant ID comparisons (#51694)

Copilot · web-flow · commit c3d443c7c975 · 2025-08-05T17:52:27.000Z
diff --git a/sdk/identity/Azure.Identity/CHANGELOG.md b/sdk/identity/Azure.Identity/CHANGELOG.md
@@ -17,6 +17,8 @@
 
 ### Bugs Fixed
 
+- Tenant ID comparisons in credential options are now case-insensitive. This affects `AdditionallyAllowedTenants` values which will now be matched against tenant IDs without case sensitivity, making the authentication more resilient to case differences in tenant IDs returned from WWW-Authenticate challenges ([#51693](https://github.com/Azure/azure-sdk-for-net/issues/51693)).
+
 ### Other Changes
 
 - Added the `EditorBrowsable(Never)` attribute to property `VisualStudioCodeTenantId` as `TenantId` is preferred. The `VisualStudioCodeTenantId` property exists only to provide backwards compatibility.
diff --git a/sdk/identity/Azure.Identity/src/TenantIdResolver.cs b/sdk/identity/Azure.Identity/src/TenantIdResolver.cs
@@ -21,9 +21,9 @@ public override string Resolve(string explicitTenantId, TokenRequestContext cont
         {
             bool disableMultiTenantAuth = IdentityCompatSwitches.DisableTenantDiscovery;
 
-            if (context.TenantId != explicitTenantId && context.TenantId != null && explicitTenantId != null)
+            if (!string.Equals(context.TenantId, explicitTenantId, StringComparison.OrdinalIgnoreCase) && context.TenantId != null && explicitTenantId != null)
             {
-                if (disableMultiTenantAuth || explicitTenantId == Constants.AdfsTenantId)
+                if (disableMultiTenantAuth || string.Equals(explicitTenantId, Constants.AdfsTenantId, StringComparison.OrdinalIgnoreCase))
                 {
                     AzureIdentityEventSource.Singleton.TenantIdDiscoveredAndNotUsed(explicitTenantId, context.TenantId);
                 }
@@ -36,11 +36,11 @@ public override string Resolve(string explicitTenantId, TokenRequestContext cont
             string resolvedTenantId = disableMultiTenantAuth switch
             {
                 true => explicitTenantId,
-                false when explicitTenantId == Constants.AdfsTenantId => explicitTenantId,
+                false when string.Equals(explicitTenantId, Constants.AdfsTenantId, StringComparison.OrdinalIgnoreCase) => explicitTenantId,
                 _ => context.TenantId ?? explicitTenantId
             };
 
-            if (explicitTenantId != null && resolvedTenantId != explicitTenantId && additionallyAllowedTenantIds != AllTenants && Array.BinarySearch(additionallyAllowedTenantIds, resolvedTenantId, StringComparer.OrdinalIgnoreCase) < 0)
+            if (explicitTenantId != null && !string.Equals(resolvedTenantId, explicitTenantId, StringComparison.OrdinalIgnoreCase) && additionallyAllowedTenantIds != AllTenants && Array.BinarySearch(additionallyAllowedTenantIds, resolvedTenantId, StringComparer.OrdinalIgnoreCase) < 0)
             {
                 throw new AuthenticationFailedException($"The current credential is not configured to acquire tokens for tenant {resolvedTenantId}. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add \"*\" to AdditionallyAllowedTenants to allow acquiring tokens for any tenant. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/multitenant/troubleshoot");
             }
diff --git a/sdk/identity/Azure.Identity/tests/TenantIdResolverTests.cs b/sdk/identity/Azure.Identity/tests/TenantIdResolverTests.cs
@@ -109,5 +109,64 @@ public static void AssertAllowedTenantIdsEnforcedAsync(string tenantId, TokenReq
                 StringAssert.Contains($"The current credential is not configured to acquire tokens for tenant {tokenRequestContext.TenantId}", ex.Message);
             }
         }
+
+        [Test]
+        public void ResolveWithCaseInsensitiveTenantIdComparison()
+        {
+            const string upperCaseTenantId = "CLIENT-TENANT";
+            const string lowerCaseTenantId = "client-tenant";
+            const string mixedCaseTenantId = "Client-Tenant";
+
+            var contextWithUpperCase = new TokenRequestContext(Array.Empty<string>(), tenantId: upperCaseTenantId);
+            var contextWithLowerCase = new TokenRequestContext(Array.Empty<string>(), tenantId: lowerCaseTenantId);
+            var contextWithMixedCase = new TokenRequestContext(Array.Empty<string>(), tenantId: mixedCaseTenantId);
+
+            // Test that different case variations of the same tenant ID are considered equal
+            var result1 = TenantIdResolverBase.Default.Resolve(lowerCaseTenantId, contextWithUpperCase, TenantIdResolverBase.AllTenants);
+            var result2 = TenantIdResolverBase.Default.Resolve(upperCaseTenantId, contextWithLowerCase, TenantIdResolverBase.AllTenants);
+            var result3 = TenantIdResolverBase.Default.Resolve(mixedCaseTenantId, contextWithLowerCase, TenantIdResolverBase.AllTenants);
+
+            // All should resolve to the context tenant ID as that takes precedence
+            Assert.AreEqual(upperCaseTenantId, result1);
+            Assert.AreEqual(lowerCaseTenantId, result2);
+            Assert.AreEqual(lowerCaseTenantId, result3);
+        }
+
+        [Test]
+        public void ResolveWithCaseInsensitiveAdfsTenantId()
+        {
+            const string upperCaseAdfs = "ADFS";
+            const string mixedCaseAdfs = "Adfs";
+            const string lowerCaseAdfs = "adfs";
+
+            var contextWithHint = new TokenRequestContext(Array.Empty<string>(), tenantId: "some-hint");
+
+            // Test that different case variations of ADFS are all recognized
+            var result1 = TenantIdResolverBase.Default.Resolve(upperCaseAdfs, contextWithHint, TenantIdResolverBase.AllTenants);
+            var result2 = TenantIdResolverBase.Default.Resolve(mixedCaseAdfs, contextWithHint, TenantIdResolverBase.AllTenants);
+            var result3 = TenantIdResolverBase.Default.Resolve(lowerCaseAdfs, contextWithHint, TenantIdResolverBase.AllTenants);
+
+            // For ADFS, the explicit tenant ID should be returned regardless of case
+            Assert.AreEqual(upperCaseAdfs, result1);
+            Assert.AreEqual(mixedCaseAdfs, result2);
+            Assert.AreEqual(lowerCaseAdfs, result3);
+        }
+
+        [Test]
+        public void ResolveWithCaseInsensitiveComparisonForAllowedTenants()
+        {
+            const string explicitTenantId = "explicit-tenant";
+            const string upperCaseContextTenant = "CONTEXT-TENANT";
+            const string lowerCaseContextTenant = "context-tenant";
+
+            var contextWithUpperCase = new TokenRequestContext(Array.Empty<string>(), tenantId: upperCaseContextTenant);
+            var additionallyAllowedTenants = new[] { lowerCaseContextTenant };
+
+            // The context tenant ID (uppercase) should be allowed because it matches
+            // the additionally allowed tenant (lowercase) in a case-insensitive manner
+            var result = TenantIdResolverBase.Default.Resolve(explicitTenantId, contextWithUpperCase, additionallyAllowedTenants);
+
+            Assert.AreEqual(upperCaseContextTenant, result);
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -21,9 +21,9 @@ public override string Resolve(string explicitTenantId, TokenRequestContext cont`
`21`	`21`	`{`
`22`	`22`	`bool disableMultiTenantAuth = IdentityCompatSwitches.DisableTenantDiscovery;`
`23`	`23`
`24`		`- if (context.TenantId != explicitTenantId && context.TenantId != null && explicitTenantId != null)`
	`24`	`+ if (!string.Equals(context.TenantId, explicitTenantId, StringComparison.OrdinalIgnoreCase) && context.TenantId != null && explicitTenantId != null)`
`25`	`25`	`{`
`26`		`- if (disableMultiTenantAuth \|\| explicitTenantId == Constants.AdfsTenantId)`
	`26`	`+ if (disableMultiTenantAuth \|\| string.Equals(explicitTenantId, Constants.AdfsTenantId, StringComparison.OrdinalIgnoreCase))`
`27`	`27`	`{`
`28`	`28`	`AzureIdentityEventSource.Singleton.TenantIdDiscoveredAndNotUsed(explicitTenantId, context.TenantId);`
`29`	`29`	`}`
`@@ -36,11 +36,11 @@ public override string Resolve(string explicitTenantId, TokenRequestContext cont`
`36`	`36`	`string resolvedTenantId = disableMultiTenantAuth switch`
`37`	`37`	`{`
`38`	`38`	`true => explicitTenantId,`
`39`		`- false when explicitTenantId == Constants.AdfsTenantId => explicitTenantId,`
	`39`	`+ false when string.Equals(explicitTenantId, Constants.AdfsTenantId, StringComparison.OrdinalIgnoreCase) => explicitTenantId,`
`40`	`40`	`_ => context.TenantId ?? explicitTenantId`
`41`	`41`	`};`
`42`	`42`
`43`		`- if (explicitTenantId != null && resolvedTenantId != explicitTenantId && additionallyAllowedTenantIds != AllTenants && Array.BinarySearch(additionallyAllowedTenantIds, resolvedTenantId, StringComparer.OrdinalIgnoreCase) < 0)`
	`43`	`+ if (explicitTenantId != null && !string.Equals(resolvedTenantId, explicitTenantId, StringComparison.OrdinalIgnoreCase) && additionallyAllowedTenantIds != AllTenants && Array.BinarySearch(additionallyAllowedTenantIds, resolvedTenantId, StringComparer.OrdinalIgnoreCase) < 0)`
`44`	`44`	`{`
`45`	`45`	`throw new AuthenticationFailedException($"The current credential is not configured to acquire tokens for tenant {resolvedTenantId}. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add \"*\" to AdditionallyAllowedTenants to allow acquiring tokens for any tenant. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/multitenant/troubleshoot");`
`46`	`46`	`}`