in CredentialProvider.Microsoft/CredentialProviders/Vsts/IAuthUtil.cs [129:169]
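/// <summary>
/// Picks the AAD authority to request tokens from.
/// </summary>
/// <remarks>
/// Resolution order: (1) the authority returned by <c>EnvUtil.GetAuthorityFromEnvironment</c>,
/// (2) an <c>authorization_uri</c> advertised in a <c>Bearer</c> WWW-Authenticate challenge,
/// (3) the "organizations" tenant on the PPE or production AAD base URL.
/// The challenge header is written by the remote server and is therefore untrusted input:
/// an authority taken from it is only accepted when it is an absolute HTTPS URI, so a
/// response cannot steer the sign-in to a cleartext endpoint.
/// </remarks>
/// <param name="uri">Feed URI; passed to <c>UsePpeAadUrl</c> to choose the fallback AAD base URL.</param>
/// <param name="responseHeaders">Headers of the server response whose WWW-Authenticate challenges are inspected.</param>
/// <returns>The authority URI selected by the order above.</returns>
private Uri GetAuthority(Uri uri, HttpResponseHeaders responseHeaders)
{
    // A locally configured authority takes precedence over anything the server advertises.
    // It is returned as-is; no validation of it happens in this method.
    var environmentAuthority = EnvUtil.GetAuthorityFromEnvironment(logger);
    if (environmentAuthority != null)
    {
        return environmentAuthority;
    }

    var bearerHeaders = responseHeaders.WwwAuthenticate.Where(x => x.Scheme.Equals("Bearer", StringComparison.Ordinal));
    foreach (var param in bearerHeaders)
    {
        if (param.Parameter == null)
        {
            // MSA-backed accounts don't expose a parameter
            continue;
        }

        // Only a single "name=value" pair is recognised; a parameter that splits into
        // more or fewer than two non-empty pieces on '=' is skipped.
        var equalSplit = param.Parameter.Split(new[] { "=" }, StringSplitOptions.RemoveEmptyEntries);
        if (equalSplit.Length != 2 ||
            !equalSplit[0].Equals("authorization_uri", StringComparison.OrdinalIgnoreCase))
        {
            continue;
        }

        if (!Uri.TryCreate(equalSplit[1], UriKind.Absolute, out Uri parsedUri))
        {
            continue;
        }

        // The value comes from the server's response, so refuse any scheme other than HTTPS
        // and keep looking (ultimately falling back to the common tenant below).
        // NOTE(review): the host is not checked against known AAD endpoints here - confirm
        // whether the token-acquisition code validates the authority before using it.
        if (!string.Equals(parsedUri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
        {
            logger.Verbose($"Ignoring authorization_uri from WWW-Authenticate header because it is not HTTPS: {parsedUri}");
            continue;
        }

        logger.Verbose(string.Format(Resources.FoundAADAuthorityFromHeaders, parsedUri));
        return parsedUri;
    }

    // Return the common tenant
    var aadBase = UsePpeAadUrl(uri) ? "https://login.windows-ppe.net" : "https://login.microsoftonline.com";
    logger.Verbose(string.Format(Resources.AADAuthorityNotFound, aadBase));

    // The Azure Artifacts application has MSA-Passthrough enabled which requires the use of the organizations
    // tenant when requesting tokens for MSA users. This covers both organizations and consumers in cases where
    // a tenant ID cannot be obtained from authenticate headers.
    return new Uri($"{aadBase}/organizations");
}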