Handle tailing slashes in configured Authority and Instance (#278)

* Updated references to 3.1.1
* Handle trailing slash and 'v2.0' in configured Authority value in AddProtectedWebApi method.
* Only add api:// to valid audiences if given as Client Id (not beginning with 'api://'.
* Handle optional configured ending slash for Instance in `TokenAcquisition`

Author: egeskov

Microsoft.Identity.Web/Microsoft.Identity.Web.csproj

@@ -34,7 +34,7 @@
   </ItemGroup>
 
   <ItemGroup Label="Build Tools" Condition="$([MSBuild]::IsOsPlatform('Windows'))">
-    <PackageReference Include="Microsoft.SourceLink.GitHub" Version="1.0.0-beta2-18618-05" PrivateAssets="All" />
+    <PackageReference Include="Microsoft.SourceLink.GitHub" Version="1.0.0" PrivateAssets="All" />
   </ItemGroup>
 
 
@@ -53,9 +53,9 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.AzureAD.UI" Version="3.0.0" />
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.AzureADB2C.UI" Version="3.0.0" />
-    <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="3.0.1" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.AzureAD.UI" Version="3.1.1" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.AzureADB2C.UI" Version="3.1.1" />
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="3.1.1" />
     <PackageReference Include="Microsoft.Identity.Client" Version="4.8.1" />
   </ItemGroup>
 </Project>

Microsoft.Identity.Web/TokenAcquisition.cs

@@ -264,6 +264,9 @@ private IConfidentialClientApplication BuildConfidentialClientApplication()
                 request.PathBase,
                 azureAdOptions.CallbackPath ?? string.Empty);
 
+            if (!applicationOptions.Instance.EndsWith("/"))
+                applicationOptions.Instance += "/";
+
             string authority = $"{applicationOptions.Instance}{applicationOptions.TenantId}/";
 
             var app = ConfidentialClientApplicationBuilder

Microsoft.Identity.Web/WebApiServiceCollectionExtensions.cs

@@ -53,13 +53,17 @@ public static IServiceCollection AddProtectedWebApi(
                 configuration.Bind(configSectionName, options);
 
                 // This is an Microsoft identity platform Web API
-                options.Authority += "/v2.0";
+                var authority = options.Authority.Trim().TrimEnd('/');
+                if (!authority.EndsWith("v2.0"))
+                    authority += "/v2.0";
+                options.Authority = authority;
 
-                // The valid audiences are both the Client ID (options.Audience) and api://{ClientID}
-                options.TokenValidationParameters.ValidAudiences = new string[]
-                {
-                    options.Audience, $"api://{options.Audience}"
-                };
+                // The valid audience could be given as Client Id or as Uri. If it does not start with 'api://', this variant is added to the list of valid audiences.
+                var validAudiences = new List<string> { options.Audience };
+                if (!options.Audience.StartsWith("api://", StringComparison.OrdinalIgnoreCase))
+                    validAudiences.Add($"api://{options.Audience}");
+
+                options.TokenValidationParameters.ValidAudiences = validAudiences;
 
                 // Instead of using the default validation (validating against a single tenant, as we do in line of business apps),
                 // we inject our own multi-tenant validation logic (which even accepts both v1.0 and v2.0 tokens)
@@ -127,4 +131,4 @@ public static IServiceCollection AddProtectedApiCallsWebApis(
             return services;
         }
     }
-}
+}