Merging recent changes

msal/authority.py

@@ -3,10 +3,6 @@
 except ImportError:  # Fall back to Python 2
     from urlparse import urlparse
 import logging
-try:
-    from urllib.parse import urlparse
-except ImportError:  # Fall back to Python 2
-    from urlparse import urlparse
 
 import requests
 
@@ -38,7 +34,7 @@ class Authority(object):
     _domains_without_user_realm_discovery = set([])
 
     def __init__(self, authority_url, validate_authority=True,
-            verify=True, proxies=None, timeout=None, is_b2c=False
+            verify=True, proxies=None, timeout=None,
             ):
         """Creates an authority instance, and also validates it.
 
@@ -51,20 +47,30 @@ def __init__(self, authority_url, validate_authority=True,
         self.verify = verify
         self.proxies = proxies
         self.timeout = timeout
-        authority , self.instance, tenant = canonicalize(authority_url)
-        if(tenant != "adfs" and (not is_b2c) and validate_authority
-          and self.instance not in WELL_KNOWN_AUTHORITY_HOSTS):
+        authority, self.instance, tenant = canonicalize(authority_url)
+        is_b2c = any(self.instance.endswith("." + d) for d in WELL_KNOWN_B2C_HOSTS)
+        if (tenant != "adfs" and (not is_b2c) and validate_authority
+                and self.instance not in WELL_KNOWN_AUTHORITY_HOSTS):
             payload = instance_discovery(
-            "https://{}{}/oauth2/v2.0/authorize".format(
-                self.instance, authority.path),
-            verify=verify, proxies=proxies, timeout=timeout)
+                "https://{}{}/oauth2/v2.0/authorize".format(
+                    self.instance, authority.path),
+                verify=verify, proxies=proxies, timeout=timeout)
+            if payload.get("error") == "invalid_instance":
+                raise ValueError(
+                    "invalid_instance: "
+                    "The authority you provided, %s, is not whitelisted. "
+                    "If it is indeed your legit customized domain name, "
+                    "you can turn off this check by passing in "
+                    "validate_authority=False"
+                    % authority_url)
+            tenant_discovery_endpoint = payload['tenant_discovery_endpoint']
         else:
             tenant_discovery_endpoint = (
                 'https://{}{}{}/.well-known/openid-configuration'.format(
                     self.instance,
                     authority.path,  # In B2C scenario, it is "/tenant/policy"
-                    "" if tenant == "adfs" else "/v2.0"  # the AAD v2 endpoint
-                ))
+                    "" if tenant == "adfs" else "/v2.0" # the AAD v2 endpoint
+                    ))
         openid_config = tenant_discovery(
             tenant_discovery_endpoint,
             verify=verify, proxies=proxies, timeout=timeout)
@@ -73,7 +79,6 @@ def __init__(self, authority_url, validate_authority=True,
         self.token_endpoint = openid_config['token_endpoint']
         _, _, self.tenant = canonicalize(self.token_endpoint)  # Usually a GUID
         self.is_adfs = self.tenant.lower() == 'adfs'
-        self.is_b2c = is_b2c
 
     def user_realm_discovery(self, username, response=None):
         # It will typically return a dict containing "ver", "account_type",
@@ -91,8 +96,8 @@ def user_realm_discovery(self, username, response=None):
             self.__class__._domains_without_user_realm_discovery.add(self.instance)
         return {}  # This can guide the caller to fall back normal ROPC flow
 
+
 def canonicalize(authority_url):
-    # Returns (canonicalized_url, netloc, tenant). Raises ValueError on errors.
     authority = urlparse(authority_url)
     parts = authority.path.split("/")
     if authority.scheme != "https" or len(parts) < 2 or not parts[1]: