updated with new regional cloud URL's

Author: 4gust

msal/authority.py

@@ -39,6 +39,9 @@
     "login.microsoftonline.us",
     "login.usgovcloudapi.net",
     "login-us.microsoftonline.com",
+    "https://login.sovcloud-identity.fr", # AzureBleu
+    "https://login.sovcloud-identity.de", # AzureDelos
+    "https://login.sovcloud-identity.sg", # AzureGovSG
 ])
 
 WELL_KNOWN_B2C_HOSTS = [
@@ -215,7 +218,7 @@ def has_valid_issuer(self):
         - It has the same scheme and host as the authority (path can be different)
         - The issuer host is a well-known Microsoft authority host
         - The issuer host is a regional variant of a well-known host (e.g., westus2.login.microsoft.com)
-        - For CIAM, the issuer follows the pattern of {tenant}.ciamlogin.com
+        - For CIAM, hosts that end with well-known B2C hosts (e.g., tenant.b2clogin.com) are accepted as valid issuers
         """
         if not self._issuer or not self._oidc_authority_url:
             return False
@@ -240,25 +243,25 @@ def has_valid_issuer(self):
         dot_index = issuer_host.find(".")
         if dot_index > 0:
             potential_base = issuer_host[dot_index + 1:]
-            if potential_base in TRUSTED_ISSUER_HOSTS and "." not in issuer_host[:dot_index]:
-                return True
+            if "." not in issuer_host[:dot_index]:
+                # 3a: Base host is a trusted Microsoft host
+                if potential_base in TRUSTED_ISSUER_HOSTS:
+                    return True
+                # 3b: Issuer has a region prefix on the authority host
+                #     e.g. issuer=us.someweb.com, authority=someweb.com
+                authority_host = authority_parsed.hostname.lower() if authority_parsed.hostname else ""
+                if potential_base == authority_host:
+                    return True
 
         # Case 4: Same scheme and host (path can differ)
         if (authority_parsed.scheme == issuer_parsed.scheme and 
             authority_parsed.netloc == issuer_parsed.netloc):
             return True
+        
+        # Case 5: Check if issuer host ends with any well-known B2C host (e.g., tenant.b2clogin.com)
+        if any(issuer_host.endswith(h) for h in WELL_KNOWN_B2C_HOSTS):
+            return True
 
-        # Case 5: CIAM scenario - issuer follows pattern {tenant}.ciamlogin.com
-        if issuer_host.endswith(_CIAM_DOMAIN_SUFFIX):
-            authority_host = authority_parsed.hostname.lower() if authority_parsed.hostname else ""
-            if authority_host.endswith(_CIAM_DOMAIN_SUFFIX):
-                tenant = authority_host[:-len(_CIAM_DOMAIN_SUFFIX)]
-            else:
-                parts = authority_parsed.path.split('/')
-                tenant = parts[1] if len(parts) >= 2 and parts[1] else None
-            
-            if tenant and issuer_host == tenant + _CIAM_DOMAIN_SUFFIX:
-                return True
         return False
 
 def canonicalize(authority_or_auth_endpoint):

tests/test_authority.py

@@ -526,3 +526,81 @@ def test_issuer_case_sensitivity_host(self, tenant_discovery_mock):
         self.assertTrue(authority.has_valid_issuer(),
             "Host comparison should be case-insensitive")
 
+    # Case 3b: Regional prefix on authority host tests
+    @patch("msal.authority.tenant_discovery")
+    def test_regional_issuer_matching_authority_host(self, tenant_discovery_mock):
+        """Test issuer with region prefix on the authority host: us.someweb.com -> someweb.com"""
+        authority_url = "https://someweb.com/tenant"
+        issuer = "https://us.someweb.com/tenant"
+        authority = self._create_authority_with_issuer(authority_url, issuer, tenant_discovery_mock)
+        self.assertTrue(authority.has_valid_issuer(),
+            "Issuer with region prefix on authority host should be valid")
+
+    @patch("msal.authority.tenant_discovery")
+    def test_regional_issuer_westus2_on_custom_authority(self, tenant_discovery_mock):
+        """Test issuer westus2.myidp.example.com with authority myidp.example.com"""
+        authority_url = "https://myidp.example.com/tenant"
+        issuer = "https://westus2.myidp.example.com/tenant"
+        authority = self._create_authority_with_issuer(authority_url, issuer, tenant_discovery_mock)
+        self.assertTrue(authority.has_valid_issuer(),
+            "Regional prefix westus2 on custom authority host should be valid")
+
+    @patch("msal.authority.tenant_discovery")
+    def test_regional_issuer_does_not_match_different_authority(self, tenant_discovery_mock):
+        """Test issuer us.someweb.com should NOT match authority otherdomain.com"""
+        authority_url = "https://otherdomain.com/tenant"
+        issuer = "https://us.someweb.com/tenant"
+        tenant_discovery_mock.return_value = {
+            "authorization_endpoint": "https://example.com/oauth2/authorize",
+            "token_endpoint": "https://example.com/oauth2/token",
+            "issuer": issuer,
+        }
+        with self.assertRaises(ValueError):
+            Authority(None, self.http_client, oidc_authority_url=authority_url)
+
+    @patch("msal.authority.tenant_discovery")
+    def test_regional_issuer_on_authority_with_different_path(self, tenant_discovery_mock):
+        """Test issuer eastus.someweb.com/v2 with authority someweb.com/tenant"""
+        authority_url = "https://someweb.com/tenant"
+        issuer = "https://eastus.someweb.com/v2"
+        authority = self._create_authority_with_issuer(authority_url, issuer, tenant_discovery_mock)
+        self.assertTrue(authority.has_valid_issuer(),
+            "Regional issuer with different path should still match by host")
+
+    # Case 5: B2C host suffix tests
+    @patch("msal.authority.tenant_discovery")
+    def test_b2c_issuer_host(self, tenant_discovery_mock):
+        """Test issuer from a well-known B2C host: tenant.b2clogin.com"""
+        authority_url = "https://custom-domain.com/tenant"
+        issuer = "https://tenant.b2clogin.com/tenant/v2.0"
+        authority = self._create_authority_with_issuer(authority_url, issuer, tenant_discovery_mock)
+        self.assertTrue(authority.has_valid_issuer(),
+            "Issuer ending with b2clogin.com should be valid")
+
+    @patch("msal.authority.tenant_discovery")
+    def test_b2c_china_issuer_host(self, tenant_discovery_mock):
+        """Test issuer from B2C China host: tenant.b2clogin.cn"""
+        authority_url = "https://custom-domain.com/tenant"
+        issuer = "https://tenant.b2clogin.cn/tenant/v2.0"
+        authority = self._create_authority_with_issuer(authority_url, issuer, tenant_discovery_mock)
+        self.assertTrue(authority.has_valid_issuer(),
+            "Issuer ending with b2clogin.cn should be valid")
+
+    @patch("msal.authority.tenant_discovery")
+    def test_b2c_us_gov_issuer_host(self, tenant_discovery_mock):
+        """Test issuer from B2C US Government host: tenant.b2clogin.us"""
+        authority_url = "https://custom-domain.com/tenant"
+        issuer = "https://tenant.b2clogin.us/tenant/v2.0"
+        authority = self._create_authority_with_issuer(authority_url, issuer, tenant_discovery_mock)
+        self.assertTrue(authority.has_valid_issuer(),
+            "Issuer ending with b2clogin.us should be valid")
+
+    @patch("msal.authority.tenant_discovery")
+    def test_ciam_issuer_host_via_b2c_check(self, tenant_discovery_mock):
+        """Test issuer from ciamlogin.com host is accepted via B2C check"""
+        authority_url = "https://custom-domain.com/tenant"
+        issuer = "https://mytenant.ciamlogin.com/tenant"
+        authority = self._create_authority_with_issuer(authority_url, issuer, tenant_discovery_mock)
+        self.assertTrue(authority.has_valid_issuer(),
+            "Issuer ending with ciamlogin.com should be valid")
+