NuGet · chenriksson · Dec 21, 2017 · Dec 18, 2017 · Dec 18, 2017 · Dec 19, 2017
@@ -65,6 +65,9 @@ public Credential(string type, string value, TimeSpan? expiration)
         [StringLength(maximumLength: 256)]
         public string Value { get; set; }
 
+        [StringLength(maximumLength: 256)]
+        public string TenantId { get; set; }
+
         [StringLength(maximumLength: 256)]
         public string Description { get; set; }
 

@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System.Collections.Generic;
+using System.ComponentModel.DataAnnotations;
 
 namespace NuGetGallery
 {
@@ -25,6 +26,9 @@ public Organization(string name) : base(name)
             Members = new List<Membership>();
         }
 
+        [StringLength(maximumLength: 256)]
+        public string TenantId { get; set; }
+
         /// <summary>
         /// Organization Memberships to this organization.
         /// </summary>

@@ -22,6 +22,8 @@ namespace NuGetGallery.Authentication
 {
     public class AuthenticationService
     {
+        private const string tenantIdClaimType = "http://schemas.microsoft.com/identity/claims/tenantid";
+
         private Dictionary<string, Func<string, string>> _credentialFormatters;
         private readonly IDiagnosticsSource _trace;
         private readonly IAppConfiguration _config;
@@ -220,6 +222,9 @@ await Auditing.SaveAuditRecordAsync(
                     return null;
                 }
 
+                // store tenant (organization) id, if available
+                matched.TenantId = credential.TenantId;
+
                 // update last used timestamp
                 matched.LastUsed = _dateTimeProvider.UtcNow;
                 await Entities.SaveChangesAsync();
@@ -555,6 +560,8 @@ public virtual async Task<AuthenticateExternalLoginResult> ReadExternalLoginCred
             var emailClaim = result.Identity.FindFirst(ClaimTypes.Email);
             string emailSuffix = emailClaim == null ? String.Empty : (" <" + emailClaim.Value + ">");
 
+            var tenantClaim = result.Identity.FindFirst(tenantIdClaimType);
+
             Authenticator auther;
             string authenticationType = idClaim.Issuer;
             if (!Authenticators.TryGetValue(idClaim.Issuer, out auther))
@@ -574,7 +581,7 @@ public virtual async Task<AuthenticateExternalLoginResult> ReadExternalLoginCred
                 Authentication = null,
                 ExternalIdentity = result.Identity,
                 Authenticator = auther,
-                Credential = _credentialBuilder.CreateExternalCredential(authenticationType, idClaim.Value, nameClaim.Value + emailSuffix)
+                Credential = _credentialBuilder.CreateExternalCredential(authenticationType, idClaim.Value, nameClaim.Value + emailSuffix, tenantClaim.Value)
             };
         }
 

@@ -63,11 +63,12 @@ public Credential CreatePackageVerificationApiKey(Credential originalApiKey, str
             return credential;
         }
 
-        public Credential CreateExternalCredential(string issuer, string value, string identity)
+        public Credential CreateExternalCredential(string issuer, string value, string identity, string tenantId = null)
         {
             return new Credential(CredentialTypes.ExternalPrefix + issuer, value)
             {
-                Identity = identity
+                Identity = identity,
+                TenantId = tenantId
             };
         }
 

@@ -13,6 +13,6 @@ public interface ICredentialBuilder
 
         Credential CreatePackageVerificationApiKey(Credential originalApiKey, string id);
 
-        Credential CreateExternalCredential(string issuer, string value, string identity);
+        Credential CreateExternalCredential(string issuer, string value, string identity, string tenantId = null);
     }
 }
diff --git a/src/NuGetGallery/Migrations/201712192219542_TenantId.Designer.cs b/src/NuGetGallery/Migrations/201712192219542_TenantId.Designer.cs
diff --git a/src/NuGetGallery/Migrations/201712192219542_TenantId.cs b/src/NuGetGallery/Migrations/201712192219542_TenantId.cs
@@ -0,0 +1,20 @@
+namespace NuGetGallery.Migrations
+{
+    using System;
+    using System.Data.Entity.Migrations;
+
+    public partial class TenantId : DbMigration
+    {
+        public override void Up()
+        {
+            AddColumn("dbo.Credentials", "TenantId", c => c.String(maxLength: 256));
+            AddColumn("dbo.Organizations", "TenantId", c => c.String(maxLength: 256));
+        }
+
+        public override void Down()
+        {
+            DropColumn("dbo.Organizations", "TenantId");
+            DropColumn("dbo.Credentials", "TenantId");
+        }
+    }
+}
diff --git a/src/NuGetGallery/Migrations/201712192219542_TenantId.resx b/src/NuGetGallery/Migrations/201712192219542_TenantId.resx
@@ -800,6 +800,10 @@
     <Compile Include="Migrations\201712182237217_MembershipRequests.Designer.cs">
       <DependentUpon>201712182237217_MembershipRequests.cs</DependentUpon>
     </Compile>
+    <Compile Include="Migrations\201712192219542_TenantId.cs" />
+    <Compile Include="Migrations\201712192219542_TenantId.Designer.cs">
+      <DependentUpon>201712192219542_TenantId.cs</DependentUpon>
+    </Compile>
     <Compile Include="RequestModels\DeleteAccountRequest.cs" />
     <Compile Include="Migrations\201710301857232_Organizations.cs" />
     <Compile Include="Migrations\201710301857232_Organizations.Designer.cs">
@@ -1916,6 +1920,9 @@
     <EmbeddedResource Include="Migrations\201712182237217_MembershipRequests.resx">
       <DependentUpon>201712182237217_MembershipRequests.cs</DependentUpon>
     </EmbeddedResource>
+    <EmbeddedResource Include="Migrations\201712192219542_TenantId.resx">
+      <DependentUpon>201712192219542_TenantId.cs</DependentUpon>
+    </EmbeddedResource>
     <EmbeddedResource Include="OData\QueryAllowed\Data\apiv1packages.json" />
     <EmbeddedResource Include="OData\QueryAllowed\Data\apiv1search.json" />
     <EmbeddedResource Include="OData\QueryAllowed\Data\apiv2getupdates.json" />

@@ -540,6 +540,26 @@ public async Task GivenMatchingCredential_ItWritesCredentialLastUsed()
                 Assert.True(cred.LastUsed == referenceTime);
                 Assert.True(cred.LastUsed.HasValue);
             }
+
+            [Fact]
+            public async Task GivenMatchingExternalCredential_ItCopiesTenantId()
+            {
+                // Arrange
+                var cred = _fakes.User.Credentials.Single(c => c.Type.Contains(CredentialTypes.ExternalPrefix));
+
+                var referenceTime = DateTime.UtcNow;
+                _dateTimeProviderMock.SetupGet(x => x.UtcNow).Returns(referenceTime);
+
+                Assert.False(cred.LastUsed.HasValue);
+
+                // Act
+                // Create a new credential to verify that it's a value-based lookup!
+                var result = await _authenticationService.Authenticate(TestCredentialHelper.CreateExternalCredential(cred.Value, tenantId: "fake-tenant-id"));
+
+                // Assert
+                Assert.NotNull(result);
+                Assert.False(string.IsNullOrEmpty(result.CredentialUsed.TenantId));
+            }
         }
 
         public class TheCreateSessionAsyncMethod : TestContainer

@@ -63,9 +63,9 @@ public static Credential CreateV2VerificationApiKey(Guid apiKey)
             return CreateApiKey(CredentialTypes.ApiKey.VerifyV1, apiKey.ToString(), TimeSpan.FromDays(1));
         }
 
-        public static Credential CreateExternalCredential(string value)
+        public static Credential CreateExternalCredential(string value, string tenantId = null)
         {
-            return new Credential { Type = CredentialTypes.ExternalPrefix + "MicrosoftAccount", Value = value };
+            return new Credential { Type = CredentialTypes.ExternalPrefix + "MicrosoftAccount", Value = value, TenantId = tenantId };
         }
 
         internal static Credential CreateApiKey(string type, string apiKey, TimeSpan? expiration)