Append FAQ address to AAD unmanaged tenant authentication error (#7993)

Append FAQ address to AAD unmanaged tenant authentication error

Author: drewgillies

src/NuGetGallery/Controllers/AuthenticationController.cs

@@ -811,9 +811,22 @@ private string GetEmailAddressFromExternalLoginResult(AuthenticateExternalLoginR
 
         private ActionResult AuthenticationFailureOrExternalLinkExpired(string errorMessage = null)
         {
-            // User got here without an external login cookie (or an expired one)
-            // Send them to the logon action with a message
-            TempData["ErrorMessage"] = string.IsNullOrEmpty(errorMessage) ? Strings.ExternalAccountLinkExpired : errorMessage;
+            // We need a special case here because of https://github.com/NuGet/NuGetGallery/issues/7544. An unmanaged tenant scenario
+            // needs the FAQ URI appended to the AAD error, and we do that here so it appears in the header.
+            if (!string.IsNullOrEmpty(errorMessage) &&
+                errorMessage.IndexOf("AADSTS65005", StringComparison.OrdinalIgnoreCase) > -1 &&
+                errorMessage.IndexOf("unmanaged", StringComparison.OrdinalIgnoreCase) > -1)
+            {
+                TempData["RawErrorMessage"] = errorMessage + "<br/>" + string.Format(Strings.DirectUserToUnmanagedTenantFAQ,
+                    UriExtensions.GetExternalUrlAnchorTag("FAQs page", GalleryConstants.FAQLinks.AccountBelongsToUnmanagedTenant));
+            }
+            else
+            {
+                // User got here without an external login cookie (or an expired one)
+                // Send them to the logon action with a message
+                TempData["ErrorMessage"] = string.IsNullOrEmpty(errorMessage) ? Strings.ExternalAccountLinkExpired : errorMessage;
+            }
+
             return Redirect(Url.LogOn(null, relativeUrl: false));
         }
 

src/NuGetGallery/GalleryConstants.cs

@@ -113,6 +113,7 @@ public static class FAQLinks
             public const string NuGetChangeUsername = "https://aka.ms/nuget-faq-change-username";
             public const string NuGetDeleteAccount = "https://aka.ms/nuget-faq-delete-account";
             public const string TransformToOrganization = "https://aka.ms/nuget-faq-transform-org";
+            public const string AccountBelongsToUnmanagedTenant = "https://aka.ms/nuget-faq-unmanaged-tenant";
         }
     }
 }

src/NuGetGallery/Strings.Designer.cs

@@ -693,6 +693,9 @@ For more information, please contact '{2}'.</value>
     <value>The account with the email {0} is linked to another Microsoft account.
 If you would like to update the linked Microsoft account you can do so from the account settings page.</value>
   </data>
+  <data name="DirectUserToUnmanagedTenantFAQ" xml:space="preserve">
+    <value>Please refer to the {0} for steps to resolve this issue.</value>
+  </data>
   <data name="ChangeCredential_Failed" xml:space="preserve">
     <value>Failed to update the Microsoft account with '{0}'. This could happen if it is already linked to another NuGet account. See {1} for more details.</value>
   </data>