Merge pull request #96 from Azure-Samples/jmprieur/syncMicrosoftIdentityWebFromWebAppTutorial

Synching Microsoft.Identity.Web from the ASP.NET Core Web App tutorial

Author: jmprieur

1. Desktop app calls Web API/TodoListService/Startup.cs

@@ -43,7 +43,7 @@ public Startup(IConfiguration configuration)
         // This method gets called by the runtime. Use this method to add services to the container.
         public void ConfigureServices(IServiceCollection services)
         {
-            services.AddProtectWebApiWithMicrosoftIdentityPlatformV2(Configuration);
+            services.AddProtectedWebApi(Configuration);
 
             services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
         }

2. Web API now calls Microsoft Graph/README-incremental-instructions.md

@@ -195,12 +195,12 @@ Update `Startup.cs` file:
   by
 
   ```csharp
-  services.AddProtectWebApiWithMicrosoftIdentityPlatformV2(Configuration)
+  services.AddProtectedWebApi(Configuration)
           .AddProtectedApiCallsWebApis(Configuration, new string[] { "user.read" })
           .AddInMemoryTokenCaches();
   ```
 
-  `AddProtectWebApiWithMicrosoftIdentityPlatformV2` does the following:
+  `AddProtectedWebApi` does the following:
   - add the **Jwt**BearerAuthenticationScheme (Note the replacement of BearerAuthenticationScheme by **Jwt**BearerAuthenticationScheme)
   - set the authority to be the Microsoft identity platform v2.0 identity
   - sets the audiences to validate

2. Web API now calls Microsoft Graph/README.md

@@ -323,12 +323,12 @@ Update `Startup.cs` file:
   by
 
   ```csharp
-  services.AddProtectWebApiWithMicrosoftIdentityPlatformV2(Configuration)
+  services.AddProtectedWebApi(Configuration)
           .AddProtectedApiCallsWebApis(Configuration, new string[] { "user.read" })
           .AddInMemoryTokenCaches();
   ```
 
-  `AddProtectWebApiWithMicrosoftIdentityPlatformV2` does the following:
+  `AddProtectedWebApi` does the following:
   - add the **Jwt**BearerAuthenticationScheme (Note the replacement of BearerAuthenticationScheme by **Jwt**BearerAuthenticationScheme)
   - set the authority to be the Microsoft identity platform identity
   - sets the audiences to validate

2. Web API now calls Microsoft Graph/TodoListService/Controllers/TodoListController.cs

@@ -9,7 +9,7 @@
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Identity.Client;
-using Microsoft.Identity.Web.Client;
+using Microsoft.Identity.Web;
 using Microsoft.Identity.Web.Resource;
 using Newtonsoft.Json;
 using System;
@@ -92,13 +92,13 @@ public async Task<string> CallGraphApiOnBehalfOfUser()
             // we use MSAL.NET to get a token to call the API On Behalf Of the current user
             try
             {
-                string accessToken = await _tokenAcquisition.GetAccessTokenOnBehalfOfUser(HttpContext, scopes);
+                string accessToken = await _tokenAcquisition.GetAccessTokenOnBehalfOfUserAsync(scopes);
                 dynamic me = await CallGraphApiOnBehalfOfUser(accessToken);
                 return me.userPrincipalName;
             }
             catch (MsalUiRequiredException ex)
             {
-                _tokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeader(HttpContext, scopes, ex);
+                _tokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeader(scopes, ex);
                 return string.Empty;
             }
         }

2. Web API now calls Microsoft Graph/TodoListService/Startup.cs

@@ -7,7 +7,7 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Identity.Web;
-using Microsoft.Identity.Web.Client.TokenCacheProviders;
+using Microsoft.Identity.Web.TokenCacheProviders.InMemory;
 
 namespace TodoListService
 {
@@ -23,7 +23,7 @@ public Startup(IConfiguration configuration)
         // This method gets called by the runtime. Use this method to add services to the container.
         public void ConfigureServices(IServiceCollection services)
         {
-            services.AddProtectWebApiWithMicrosoftIdentityPlatformV2(Configuration)
+            services.AddProtectedWebApi(Configuration)
                     .AddProtectedApiCallsWebApis(Configuration)
                     .AddInMemoryTokenCaches();
 

3.-Web-api-call-Microsoft-graph-for-personal-accounts/README-incremental-instructions.md

@@ -195,12 +195,12 @@ Update `Startup.cs` file:
   by
 
   ```csharp
-  services.AddProtectWebApiWithMicrosoftIdentityPlatformV2(Configuration)
+  services.AddProtectedWebApi(Configuration)
           .AddProtectedApiCallsWebApis(Configuration, new string[] { "user.read" })
           .AddInMemoryTokenCaches();
   ```
 
-  `AddProtectWebApiWithMicrosoftIdentityPlatformV2` does the following:
+  `AddProtectedWebApi` does the following:
   - add the **Jwt**BearerAuthenticationScheme (Note the replacement of BearerAuthenticationScheme by **Jwt**BearerAuthenticationScheme)
   - set the authority to be the Microsoft identity platform v2.0 identity
   - sets the audiences to validate

3.-Web-api-call-Microsoft-graph-for-personal-accounts/README.md

@@ -245,7 +245,7 @@ public class Startup
   // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
    {
-    services.AddProtectWebApiWithMicrosoftIdentityPlatformV2(Configuration)
+    services.AddProtectedWebApi(Configuration)
             .AddProtectedApiCallsWebApis(Configuration, new string[] { "user.read" })
             .AddInMemoryTokenCaches();
     services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
@@ -262,7 +262,7 @@ public class Startup
   ...
   public void ConfigureServices(IServiceCollection services)
   {
-      services.AddProtectWebApiWithMicrosoftIdentityPlatformV2(Configuration)
+      services.AddProtectedWebApi(Configuration)
               .AddProtectedApiCallsWebApis(Configuration, new string[] { "user.read", "offline_access" })
               .AddInMemoryTokenCaches();
 

3.-Web-api-call-Microsoft-graph-for-personal-accounts/TodoListService/Controllers/TodoListController.cs

@@ -26,7 +26,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Identity.Client;
-using Microsoft.Identity.Web.Client;
+using Microsoft.Identity.Web;
 using Microsoft.Identity.Web.Resource;
 using Newtonsoft.Json;
 using System;
@@ -110,13 +110,13 @@ public async Task<string> CallGraphApiOnBehalfOfUser()
             // we use MSAL.NET to get a token to call the API On Behalf Of the current user
             try
             {
-                string accessToken = await _tokenAcquisition.GetAccessTokenOnBehalfOfUser(HttpContext, scopes);
+                string accessToken = await _tokenAcquisition.GetAccessTokenOnBehalfOfUserAsync(scopes);
                 dynamic me = await CallGraphApiOnBehalfOfUser(accessToken);
                 return me.userPrincipalName;
             }
             catch (MsalUiRequiredException ex)
             {
-                _tokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeader(HttpContext, scopes, ex);
+                _tokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeader(scopes, ex);
                 return string.Empty;
             }
         }

3.-Web-api-call-Microsoft-graph-for-personal-accounts/TodoListService/Startup.cs

@@ -28,7 +28,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Identity.Web;
-using Microsoft.Identity.Web.Client.TokenCacheProviders;
+using Microsoft.Identity.Web.TokenCacheProviders.InMemory;
 
 namespace TodoListService
 {
@@ -44,7 +44,7 @@ public Startup(IConfiguration configuration)
         // This method gets called by the runtime. Use this method to add services to the container.
         public void ConfigureServices(IServiceCollection services)
         {
-            services.AddProtectWebApiWithMicrosoftIdentityPlatformV2(Configuration)
+            services.AddProtectedWebApi(Configuration)
                     .AddProtectedApiCallsWebApis(Configuration, new string[] { "user.read", "offline_access" })
                     .AddInMemoryTokenCaches();
 

Microsoft.Identity.Web.Test/AadIssuerValidatorTests.cs

@@ -1,3 +1,6 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
 using Microsoft.Identity.Web.Resource;
 using Microsoft.IdentityModel.Tokens;
 using System;
@@ -12,7 +15,6 @@ public class AadIssuerValidatorTests
     {
         private const string Tid = "9188040d-6c67-4c5b-b112-36a304b66dad";
         private static readonly string Iss = $"https://login.microsoftonline.com/{Tid}/v2.0";
-        private static readonly string Iss2 = $"https://sts.windows.net/{Tid}/v2.0";
         private static readonly IEnumerable<string> s_aliases = new[] { "login.microsoftonline.com", "sts.windows.net" };
 
         [Fact]
@@ -45,20 +47,6 @@ public void PassingValidation()
         }
 
 
-        [Fact]
-        public void PassingValidationWithAlias()
-        {
-            // Arrange
-            AadIssuerValidator validator = new AadIssuerValidator(s_aliases);
-            Claim issClaim = new Claim("tid", Tid);
-            Claim tidClaim = new Claim("iss", Iss2);  // sts.windows.net
-            JwtSecurityToken jwtSecurityToken = new JwtSecurityToken(issuer: Iss2, claims: new[] { issClaim, tidClaim });
-
-            // Act & Assert
-            validator.Validate(Iss2, jwtSecurityToken,
-                new TokenValidationParameters() { ValidIssuers = new[] { "https://login.microsoftonline.com/{tenantid}/v2.0" } });
-        }
-
         [Fact]
         public void TokenValidationParameters_ValidIssuer()
         {

Microsoft.Identity.Web/AccountExtensions.cs

@@ -0,0 +1,37 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Microsoft.Identity.Client;
+using System.Security.Claims;
+
+namespace Microsoft.Identity.Web
+{
+    /// <summary>
+    /// Extension methods dealing with IAccount instances.
+    /// </summary>
+    public static class AccountExtensions
+    {
+        /// <summary>
+        /// Creates the <see cref="ClaimsPrincipal"/> from the values found 
+        /// in an <see cref="IAccount"/>
+        /// </summary>
+        /// <param name="account">The IAccount instance</param>
+        /// <returns>A <see cref="ClaimsPrincipal"/> built from IAccount</returns>
+        public static ClaimsPrincipal ToClaimsPrincipal(this IAccount account)
+        {
+            if (account != null)
+            {
+                return new ClaimsPrincipal(
+                    new ClaimsIdentity(new Claim[]
+                    {
+                        new Claim(ClaimConstants.Oid, account.HomeAccountId.ObjectId),
+                        new Claim(ClaimConstants.Tid, account.HomeAccountId.TenantId),
+                        new Claim(ClaimTypes.Upn, account.Username)
+                    })
+                );
+            }
+
+            return null;
+        }
+    }
+}