microsoft-authentication-library-for-dotnet
[Bug] Log an error if ppl perform OBO over common or organizations
Library version used
4.58
.NET version
all
Scenario
ConfidentialClient - web api (AcquireTokenOnBehalfOf)
Is this a new or an existing app?
None
Issue description and reproduction steps
We keep getting issues related to OBO + guest users.
Correct pattern is:
- Extract tid claim from client assertion
- Use authority cloud/tid to perform OBO on
Actual (wrong) pattern used by many is to use cloud/common to perform OBO
Relevant code snippets
No response
Expected behavior
No response
Identity provider
Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)
Regression
No response
Solution and workarounds
Log.Error similar to the one we put in client_credentials
As part of this we should also add a clear code snippet in our docs on how to do this:
Correct pattern is:
- Extract tid claim from client assertion
- Use authority cloud/tid to perform OBO on
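An added C# example against MSAL.NET (not code from this issue or the repository) showing the wrong /common pattern beside the correct per-tenant pattern, plus a guard equivalent to the Log.Error this issue proposes. It assumes "client assertion" here means the incoming user access token the web API received, that the API's authentication middleware has already validated that token, and that the request-level `WithTenantId` override is available in the MSAL version in use.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class OboTenantHelper
{
    // Placeholders that name no issuing tenant; OBO over them is the wrong pattern above.
    static readonly string[] NonTenanted = { "common", "organizations", "consumers" };
    // Reads tid from an incoming access token that the web API's authentication middleware
    // has ALREADY validated. This only parses the JWT; it does not validate it.
    public static string GetTenantId(string incomingAccessToken)
    {
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(incomingAccessToken);
        string tid = jwt.Claims.FirstOrDefault(c => c.Type == "tid")?.Value;
        if (string.IsNullOrEmpty(tid) || !Guid.TryParse(tid, out _))
            throw new InvalidOperationException("Incoming token carries no usable tid claim.");
        return tid;
    }
    // The guard this issue asks MSAL to add: flag OBO over a non-tenanted authority
    // up front instead of letting guest-user calls fail later.
    public static bool IsTenantedAuthority(string authority)
    {
        string tenant = new Uri(authority).Segments.Last().TrimEnd('/');
        return !NonTenanted.Contains(tenant, StringComparer.OrdinalIgnoreCase);
    }
    // Wrong pattern from the issue: app built on /common and OBO performed as-is;
    // guest users and multi-tenant callers fail because the tenant is never resolved.
    public static Task<AuthenticationResult> OboOverCommonAsync(
        string clientId, string clientSecret, string[] scopes, string incomingAccessToken)
    {
        var app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority("https://login.microsoftonline.com/common")
            .Build();
        return app.AcquireTokenOnBehalfOf(scopes, new UserAssertion(incomingAccessToken)).ExecuteAsync();
    }
    // Correct pattern: extract tid from the incoming token and perform OBO on {cloud}/{tid}.
    // One app (and one token cache) is kept; the tenant is overridden per request.
    public static Task<AuthenticationResult> OboOverTenantAsync(
        IConfidentialClientApplication app, string[] scopes, string incomingAccessToken)
    {
        if (!IsTenantedAuthority(app.Authority))
            Console.Error.WriteLine($"OBO app configured with non-tenanted authority {app.Authority}");
        string tid = GetTenantId(incomingAccessToken);
        return app.AcquireTokenOnBehalfOf(scopes, new UserAssertion(incomingAccessToken))
                  .WithTenantId(tid).ExecuteAsync();
    }
}
```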
Which client assertion are we referring to exactly? What we pass into WithClientAssertion or ClaimsPrincipal? I am trying to find a code snippet where this is happening.
@bgavrilMS
Keeping issue open to track doc updates
Were the docs updated?
Closing - this was released in 4.60.0. Added an issue in the docs repo for the related updates: https://github.com/MicrosoftDocs/microsoft-authentication-library-dotnet/issues/393