TenantAtlas/app/Services/Providers/PlatformProviderIdentityResolver.php

<?php

namespace App\Services\Providers;

use App\Support\Providers\ProviderConnectionType;
use App\Support\Providers\ProviderReasonCodes;

final class PlatformProviderIdentityResolver
{
    public function resolve(string $tenantContext): ProviderIdentityResolution
    {
        $targetTenant = trim($tenantContext);
        $clientId = trim((string) config('graph.client_id'));
        $clientSecret = trim((string) config('graph.client_secret'));
        $authorityTenant = trim((string) config('graph.tenant_id', 'organizations'));
        $redirectUri = trim((string) route('admin.consent.callback'));

        if ($targetTenant === '') {
            return ProviderIdentityResolution::blocked(
                connectionType: ProviderConnectionType::Platform,
                tenantContext: 'organizations',
                credentialSource: 'platform_config',
                reasonCode: ProviderReasonCodes::ProviderConnectionInvalid,
                message: 'Provider connection is missing target tenant scope.',
            );
        }

        if ($clientId === '') {
            return ProviderIdentityResolution::blocked(
                connectionType: ProviderConnectionType::Platform,
                tenantContext: $targetTenant,
                credentialSource: 'platform_config',
                reasonCode: ProviderReasonCodes::PlatformIdentityMissing,
                message: 'Platform app identity is not configured.',
            );
        }

        if ($clientSecret === '' || $redirectUri === '') {
            return ProviderIdentityResolution::blocked(
                connectionType: ProviderConnectionType::Platform,
                tenantContext: $targetTenant,
                credentialSource: 'platform_config',
                reasonCode: ProviderReasonCodes::PlatformIdentityIncomplete,
                message: 'Platform app identity is incomplete.',
            );
        }

        return ProviderIdentityResolution::resolved(
            connectionType: ProviderConnectionType::Platform,
            tenantContext: $targetTenant,
            effectiveClientId: $clientId,
            credentialSource: 'platform_config',
            clientSecret: $clientSecret,
            authorityTenant: $authorityTenant !== '' ? $authorityTenant : 'organizations',
            redirectUri: $redirectUri,
        );
    }
}