[Identity] Throw CredentialUnavailableException from credentials not supporting ADFS (#14763)

* [Identity] Throw CredentialUnavailableException from credentials not supporting ADFS

* moving tenantId check to after it's read from settings

* fix check to use local variable

Author: schaabs

sdk/identity/Azure.Identity/CHANGELOG.md

@@ -9,6 +9,7 @@
 
 ### Fixes and improvements
 - Fixed issue with non GUID Client Ids (Issue [#14585](https://github.com/Azure/azure-sdk-for-net/issues/14585))
+- Update `VisualStudioCredential` and `VisualStudioCodeCredential` to throw `CredentialUnavailableException` for ADFS tenant (Issue [#14639](https://github.com/Azure/azure-sdk-for-net/issues/14639))
 
 
 ## 1.2.2 (2020-08-20)

sdk/identity/Azure.Identity/src/Constants.cs

@@ -11,6 +11,8 @@ internal class Constants
     {
         public const string OrganizationsTenantId = "organizations";
 
+        public const string AdfsTenantId = "adfs";
+
         // TODO: Currently this is piggybacking off the Azure CLI client ID, but needs to be switched once the Developer Sign On application is available
         public const string DeveloperSignOnClientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
 

sdk/identity/Azure.Identity/src/VisualStudioCodeCredential.cs

@@ -63,6 +63,11 @@ private async ValueTask<AccessToken> GetTokenImplAsync(TokenRequestContext reque
             {
                 GetUserSettings(out var tenant, out var environmentName);
 
+                if (string.Equals(tenant, Constants.AdfsTenantId, StringComparison.Ordinal))
+                {
+                    throw new CredentialUnavailableException("VisualStudioCodeCredential authentication unavailable. ADFS tenant / authorities are not supported.");
+                }
+
                 var cloudInstance = GetAzureCloudInstance(environmentName);
                 var storedCredentials = _vscAdapter.GetCredentials(CredentialsSection, environmentName);
 

sdk/identity/Azure.Identity/src/VisualStudioCredential.cs

@@ -64,6 +64,11 @@ private async ValueTask<AccessToken> GetTokenImplAsync(TokenRequestContext reque
 
             try
             {
+                if (string.Equals(_tenantId, Constants.AdfsTenantId, StringComparison.Ordinal))
+                {
+                    throw new CredentialUnavailableException("VisualStudioCredential authentication unavailable. ADFS tenant/authorities are not supported.");
+                }
+
                 var tokenProviderPath = GetTokenProviderPath();
                 var tokenProviders = GetTokenProviders(tokenProviderPath);
 

sdk/identity/Azure.Identity/tests/VisualStudioCodeCredentialTests.cs

@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Threading;
+using Azure.Core;
+using Azure.Core.TestFramework;
+using NUnit.Framework;
+
+namespace Azure.Identity.Tests
+{
+    public class VisualStudioCodeCredentialTests : ClientTestBase
+    {
+        public VisualStudioCodeCredentialTests(bool isAsync) : base(isAsync)
+        {
+
+        }
+
+        [Test]
+        public void AdfsTenantThrowsCredentialUnavailable()
+        {
+            var options = new VisualStudioCodeCredentialOptions { TenantId = "adfs", Transport = new MockTransport() };
+
+            VisualStudioCodeCredential credential = InstrumentClient(new VisualStudioCodeCredential(options));
+
+            Assert.ThrowsAsync<CredentialUnavailableException>(async () => await credential.GetTokenAsync(new TokenRequestContext(new[] { "https://vault.azure.net/.default" }), CancellationToken.None));
+        }
+    }
+}

sdk/identity/Azure.Identity/tests/VisualStudioCredentialTests.cs

@@ -178,5 +178,15 @@ public void AuthenticateWithVsCredential_CredentialUnavailableExceptionPassThrou
             var credential = InstrumentClient(new VisualStudioCredential(default, default, fileSystem, testProcessFactory));
             Assert.ThrowsAsync<CredentialUnavailableException>(async () => await credential.GetTokenAsync(new TokenRequestContext(new[]{"https://vault.azure.net/"}), CancellationToken.None));
         }
+
+        [Test]
+        public void AdfsTenantThrowsCredentialUnavailable()
+        {
+            var options = new VisualStudioCredentialOptions { TenantId = "adfs", Transport = new MockTransport() };
+
+            VisualStudioCredential credential = InstrumentClient(new VisualStudioCredential(options));
+
+            Assert.ThrowsAsync<CredentialUnavailableException>(async () => await credential.GetTokenAsync(new TokenRequestContext(new[] { "https://vault.azure.net/.default" }), CancellationToken.None));
+        }
     }
 }