Skip to content

Ensure TenantIdResolver performs case-insensitive tenant ID comparisons #51694

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Aug 5, 2025
Merged

Ensure TenantIdResolver performs case-insensitive tenant ID comparisons #51694

merged 3 commits into from
Aug 5, 2025

Conversation

Copilot
Copy link
Contributor

@Copilot Copilot AI commented Aug 4, 2025
edited
Loading

This PR updates the TenantIdResolver to perform case-insensitive tenant ID comparisons, making it more resilient to odd casing that may come from WWW-Authenticate challenges.

Problem

The TenantIdResolver.Resolve method was performing case-sensitive comparisons when validating and resolving tenant IDs. This could cause issues when tenant ID values returned from WWW-Authenticate challenges have different casing than expected.

Solution

Updated all string comparisons in TenantIdResolver.cs to use StringComparison.OrdinalIgnoreCase:

  1. Context vs Explicit Tenant Comparison (line 24): Changed context.TenantId != explicitTenantId to use case-insensitive comparison
  2. ADFS Tenant Detection (lines 26 & 39): Changed explicitTenantId == Constants.AdfsTenantId comparisons to be case-insensitive
  3. Resolved vs Explicit Tenant Check (line 43): Changed resolvedTenantId != explicitTenantId to use case-insensitive comparison

Testing

Added comprehensive test coverage with three new test methods:

  • ResolveWithCaseInsensitiveTenantIdComparison: Verifies mixed case tenant IDs are handled correctly
  • ResolveWithCaseInsensitiveAdfsTenantId: Tests that ADFS tenant ID detection works with various casings (ADFS, adfs, Adfs)
  • ResolveWithCaseInsensitiveComparisonForAllowedTenants: Ensures case-insensitive matching against additionally allowed tenants

All existing tests continue to pass, confirming no regressions were introduced.

Example

Previously, these would be treated as different tenants:

// Case-sensitive comparison would fail
var context = new TokenRequestContext(scopes, tenantId: "TENANT-ID");
resolver.Resolve("tenant-id", context, allowedTenants); // Would not match

// ADFS detection would fail with different casing
resolver.Resolve("ADFS", context, allowedTenants); // Would not be recognized as ADFS

Now these comparisons work correctly regardless of casing differences.

Fixes #51693.

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@Copilot Copilot AI changed the title [WIP] Ensure that TenantIdResolver does tenantId comparisons without case sensitivity Ensure TenantIdResolver performs case-insensitive tenant ID comparisons Aug 4, 2025
@Copilot Copilot AI requested a review from christothes August 4, 2025 23:16
Copilot finished work on behalf of christothes August 4, 2025 23:16
christothes
christothes reviewed Aug 4, 2025
View reviewed changes
@Copilot Copilot AI requested a review from christothes August 4, 2025 23:28
Copilot finished work on behalf of christothes August 4, 2025 23:28
@christothes christothes marked this pull request as ready for review August 4, 2025 23:38
@Copilot Copilot AI review requested due to automatic review settings August 4, 2025 23:39
@christothes christothes requested review from JonathanCrd and a team as code owners August 4, 2025 23:39
Copilot
Copilot AI reviewed Aug 4, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR updates the TenantIdResolver to perform case-insensitive tenant ID comparisons, making authentication more resilient to casing differences that may occur in WWW-Authenticate challenges.

  • Updated all string comparisons in TenantIdResolver.cs to use StringComparison.OrdinalIgnoreCase
  • Added comprehensive test coverage with three new test methods to verify case-insensitive behavior
  • Updated the changelog to document the bug fix

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
sdk/identity/Azure.Identity/src/TenantIdResolver.cs Updated four string comparison operations to use case-insensitive comparison
sdk/identity/Azure.Identity/tests/TenantIdResolverTests.cs Added three new test methods to verify case-insensitive tenant ID handling
sdk/identity/Azure.Identity/CHANGELOG.md Added entry documenting the case-insensitive tenant ID comparison fix

@christothes christothes enabled auto-merge (squash) August 5, 2025 15:20
@christothes
Copy link
Member

/check-enforcer override

@christothes christothes merged commit c3d443c into main Aug 5, 2025
28 checks passed
@christothes christothes deleted the copilot/fix-51693 branch August 5, 2025 17:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@chlowell chlowell chlowell approved these changes

@JonathanCrd JonathanCrd JonathanCrd approved these changes

@maorleger maorleger Awaiting requested review from maorleger maorleger is a code owner automatically assigned from Azure/azure-sdk-write-identity

@pvaneck pvaneck Awaiting requested review from pvaneck pvaneck is a code owner automatically assigned from Azure/azure-sdk-write-identity

@scottaddie scottaddie Awaiting requested review from scottaddie scottaddie is a code owner automatically assigned from Azure/azure-sdk-write-identity

@xiangyan99 xiangyan99 Awaiting requested review from xiangyan99 xiangyan99 is a code owner automatically assigned from Azure/azure-sdk-write-identity

@anannya03 anannya03 Awaiting requested review from anannya03 anannya03 is a code owner automatically assigned from Azure/azure-sdk-write-identity

@minhanh-phan minhanh-phan Awaiting requested review from minhanh-phan minhanh-phan is a code owner automatically assigned from Azure/azure-sdk-write-identity

+1 more reviewer

@christothes christothes christothes approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees

@christothes christothes

Copilot code review Copilot

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Ensure that TenantIdResolver does tenantId comparisons without case sensitivity
4 participants
@Copilot @christothes @chlowell @JonathanCrd