Jmprieur/webappwebapib2c (#298)

* Experiment for a B2C Web app calling a B2C Web API.
Needs more work.

* Test and fix B2C web app calls web api scenario
Fix issue in AadIssuerValidator when certains claims are not present (ex. policy) in the token
Fix bug w/scopes and scopeKeySection
Send "client_info=1" to request to get client info back from AAD B2C
Add ClientInfo class + methods to pull out the TenantId from the ClientInfo
Add full value to UserFlow as it was not picking up on short version
In TokenAcquisition, check first for b2c and then do null tenant and then tenant specific, was using the wrong authority for b2c previously
Fix bug in determining audience validation

* Fixing missing references

* Uncommenting a needed line

* Fixing a build break

* Fixing the configuration and a problem brought bad a by merge by jmprieur

* add uitid to the claims for b2c

* moving Web app calling Web API with B2C in own folder

* Reading the 4-1-MyOrg folder

* Update README.md

Co-authored-by: jennyf19 <jeferrie@microsoft.com>

Author: jmprieur

.gitignore

@@ -39,9 +39,6 @@
 /2-WebApp-graph-user/2-2-TokenCache/.vs
 /2-WebApp-graph-user/2-2-TokenCache/bin
 /2-WebApp-graph-user/2-2-TokenCache/obj
-/2-WebApp-graph-user/2-3-Best-Practices/.vs
-/2-WebApp-graph-user/2-3-Best-Practices/bin
-/2-WebApp-graph-user/2-3-Best-Practices/obj
 /2-WebApp-graph-user/2-3-Multi-Tenant/.vs
 /2-WebApp-graph-user/2-3-Multi-Tenant/bin
 /2-WebApp-graph-user/2-3-Multi-Tenant/obj
@@ -121,11 +118,13 @@
 /2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph/bin
 /2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph/obj
 /Microsoft.Identity.Web.Test/obj
-/4-WebApp-your-API/4-2-B2C/.vs
-/4-WebApp-your-API/4-2-B2C/Client/obj
-/4-WebApp-your-API/4-2-B2C/TodoListService/obj
 /4-WebApp-your-API/4-1-MyOrg/.vs
 /4-WebApp-your-API/4-1-MyOrg/Client/bin
 /4-WebApp-your-API/4-1-MyOrg/Client/obj
 /4-WebApp-your-API/4-1-MyOrg/TodoListService/bin
 /4-WebApp-your-API/4-1-MyOrg/TodoListService/obj
+/4-WebApp-your-API/4-2-B2C/.vs
+/4-WebApp-your-API/4-2-B2C/Client/obj
+/4-WebApp-your-API/4-2-B2C/TodoListService/obj
+/4-WebApp-your-API/4-2-B2C/Client/bin
+/4-WebApp-your-API/4-2-B2C/TodoListService/bin

2-WebApp-graph-user/2-1-Call-MSGraph/AspnetCoreWebApp-calls-Microsoft-Graph.sln

@@ -30,14 +30,14 @@ Global
 		{E0CEF26A-6CE6-4505-851B-6580D5564752}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{E0CEF26A-6CE6-4505-851B-6580D5564752}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{E0CEF26A-6CE6-4505-851B-6580D5564752}.Release|Any CPU.Build.0 = Release|Any CPU
+		{8CCEAE2A-BDF6-470C-B6DE-7FC81A74DBD7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{8CCEAE2A-BDF6-470C-B6DE-7FC81A74DBD7}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{8CCEAE2A-BDF6-470C-B6DE-7FC81A74DBD7}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{8CCEAE2A-BDF6-470C-B6DE-7FC81A74DBD7}.Release|Any CPU.Build.0 = Release|Any CPU
 		{8CC22202-F66C-4332-A4F0-A2C09EBA08EC}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{8CC22202-F66C-4332-A4F0-A2C09EBA08EC}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{8CC22202-F66C-4332-A4F0-A2C09EBA08EC}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{8CC22202-F66C-4332-A4F0-A2C09EBA08EC}.Release|Any CPU.Build.0 = Release|Any CPU
-		{0EEC3E2E-69D0-4A7F-98D6-4386330F4965}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{0EEC3E2E-69D0-4A7F-98D6-4386330F4965}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{0EEC3E2E-69D0-4A7F-98D6-4386330F4965}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{0EEC3E2E-69D0-4A7F-98D6-4386330F4965}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

4-WebApp-your-API/4-1-MyOrg/.vs/WebApp-Calls-WebAPI-MyOrg/config/applicationhost.config

@@ -1,4 +1,7 @@
-using Microsoft.AspNetCore.Hosting;
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Microsoft.AspNetCore.Hosting;
 using Microsoft.Extensions.Hosting;
 
 namespace WebApp_OpenIDConnect_DotNet

4-WebApp-your-API/4-1-MyOrg/Client/Program.cs

@@ -1,26 +1,5 @@
-/*
- The MIT License (MIT)
-
-Copyright (c) 2018 Microsoft Corporation
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
- */
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
 
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Configuration;
@@ -59,11 +38,11 @@ public class TodoListService : ITodoListService
 
         public TodoListService(ITokenAcquisition tokenAcquisition, HttpClient httpClient, IConfiguration configuration, IHttpContextAccessor contextAccessor)
         {
-            this._httpClient = httpClient;
-            this._tokenAcquisition = tokenAcquisition;
-            this._contextAccessor = contextAccessor;
-            this._TodoListScope = configuration["TodoList:TodoListScope"];
-            this._TodoListBaseAddress = configuration["TodoList:TodoListBaseAddress"];
+            _httpClient = httpClient;
+            _tokenAcquisition = tokenAcquisition;
+            _contextAccessor = contextAccessor;
+            _TodoListScope = configuration["TodoList:TodoListScope"];
+            _TodoListBaseAddress = configuration["TodoList:TodoListBaseAddress"];
         }
 
         public async Task<Todo> AddAsync(Todo todo)
@@ -72,8 +51,7 @@ public async Task<Todo> AddAsync(Todo todo)
 
             var jsonRequest = JsonConvert.SerializeObject(todo);
             var jsoncontent = new StringContent(jsonRequest, Encoding.UTF8, "application/json");
-
-            var response = await this._httpClient.PostAsync($"{this._TodoListBaseAddress}/api/todolist", jsoncontent);
+            var response = await this._httpClient.PostAsync($"{ _TodoListBaseAddress}/api/todolist", jsoncontent);
 
             if (response.StatusCode == HttpStatusCode.OK)
             {
@@ -90,7 +68,7 @@ public async Task DeleteAsync(int id)
         {
             await PrepareAuthenticatedClient();
 
-            var response = await this._httpClient.DeleteAsync($"{this._TodoListBaseAddress}/api/todolist/{id}");
+            var response = await _httpClient.DeleteAsync($"{ _TodoListBaseAddress}/api/todolist/{id}");
 
             if (response.StatusCode == HttpStatusCode.OK)
             {
@@ -106,8 +84,7 @@ public async Task<Todo> EditAsync(Todo todo)
 
             var jsonRequest = JsonConvert.SerializeObject(todo);
             var jsoncontent = new StringContent(jsonRequest, Encoding.UTF8, "application/json-patch+json");
-
-            var response = await this._httpClient.PatchAsync($"{this._TodoListBaseAddress}/api/todolist/{todo.Id}", jsoncontent);
+            var response = await _httpClient.PatchAsync($"{ _TodoListBaseAddress}/api/todolist/{todo.Id}", jsoncontent);
 
             if (response.StatusCode == HttpStatusCode.OK)
             {
@@ -123,8 +100,7 @@ public async Task<Todo> EditAsync(Todo todo)
         public async Task<IEnumerable<Todo>> GetAsync()
         {
             await PrepareAuthenticatedClient();
-
-            var response = await this._httpClient.GetAsync($"{this._TodoListBaseAddress}/api/todolist");
+            var response = await _httpClient.GetAsync($"{ _TodoListBaseAddress}/api/todolist");
             if (response.StatusCode == HttpStatusCode.OK)
             {
                 var content = await response.Content.ReadAsStringAsync();
@@ -138,17 +114,16 @@ public async Task<IEnumerable<Todo>> GetAsync()
 
         private async Task PrepareAuthenticatedClient()
         {
-            var accessToken = await this._tokenAcquisition.GetAccessTokenForUserAsync(new[] { this._TodoListScope });
+            var accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(new[] { _TodoListScope });
             Debug.WriteLine($"access token-{accessToken}");
-            this._httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
-            this._httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
+            _httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
+            _httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
         }
 
         public async Task<Todo> GetAsync(int id)
         {
             await PrepareAuthenticatedClient();
-
-            var response = await this._httpClient.GetAsync($"{this._TodoListBaseAddress}/api/todolist/{id}");
+            var response = await _httpClient.GetAsync($"{ _TodoListBaseAddress}/api/todolist/{id}");
             if (response.StatusCode == HttpStatusCode.OK)
             {
                 var content = await response.Content.ReadAsStringAsync();

4-WebApp-your-API/4-1-MyOrg/Client/Services/TodoListService.cs

@@ -1,4 +1,7 @@
-using Microsoft.AspNetCore.Authorization;
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
@@ -7,7 +10,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Identity.Web;
 using Microsoft.Identity.Web.TokenCacheProviders.InMemory;
-using System.IdentityModel.Tokens.Jwt;
+
 using TodoListClient.Services;
 using Microsoft.Extensions.Hosting;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;

4-WebApp-your-API/4-1-MyOrg/Client/Startup.cs

@@ -22,6 +22,7 @@
   </ItemGroup>
 
   <ItemGroup>
+    <PackageReference Include="Microsoft.AspNetCore.DataProtection.Abstractions" Version="3.1.1" />
     <PackageReference Include="Microsoft.Graph" Version="1.16.0" />
     <PackageReference Include="WindowsAzure.Storage" Version="9.3.3" />
   </ItemGroup>

4-WebApp-your-API/4-1-MyOrg/Client/TodoListClient.csproj

@@ -1,26 +1,5 @@
-/*
- The MIT License (MIT)
-
-Copyright (c) 2018 Microsoft Corporation
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
- */
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
 
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.Extensions.Hosting;

4-WebApp-your-API/4-1-MyOrg/TodoListService/Program.cs

@@ -1,34 +1,13 @@
-/*
- The MIT License (MIT)
-
-Copyright (c) 2018 Microsoft Corporation
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
- */
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
 
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Identity.Web;
-using System.IdentityModel.Tokens.Jwt;
+
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 
 namespace TodoListService

4-WebApp-your-API/4-1-MyOrg/TodoListService/Startup.cs

@@ -0,0 +1,31 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Identity.Web;
+using System.Diagnostics;
+using WebApp_OpenIDConnect_DotNet.Models;
+
+namespace WebApp_OpenIDConnect_DotNet.Controllers
+{
+    [Authorize]
+    public class HomeController : Controller
+    {
+        private readonly ITokenAcquisition tokenAcquisition;
+
+        public HomeController(ITokenAcquisition tokenAcquisition)
+        {
+            this.tokenAcquisition = tokenAcquisition;
+        }
+
+        public IActionResult Index()
+        {
+            return View();
+        }
+
+        [AllowAnonymous]
+        [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
+        public IActionResult Error()
+        {
+            return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
+        }
+    }
+}

4-WebApp-your-API/4-2-B2C/Client/Controllers/HomeController.cs

@@ -0,0 +1,92 @@
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Identity.Web;
+using System.Threading.Tasks;
+using TodoListClient.Services;
+using TodoListService.Models;
+
+namespace TodoListClient.Controllers
+{
+    public class TodoListController : Controller
+    {
+        private ITodoListService _todoListService;
+
+        public TodoListController(ITodoListService todoListService)
+        {
+            _todoListService = todoListService;
+        }
+
+        // GET: TodoList
+        [AuthorizeForScopes(ScopeKeySection = "TodoList:TodoListScope")]
+        public async Task<ActionResult> Index()
+        {
+            return View(await _todoListService.GetAsync());
+        }
+
+        // GET: TodoList/Details/5
+        public async Task<ActionResult> Details(int id)
+        {
+            return View(await _todoListService.GetAsync(id));
+        }
+
+        // GET: TodoList/Create
+        public ActionResult Create()
+        {
+            Todo todo = new Todo() { Owner = HttpContext.User.Identity.Name };
+            return View(todo);
+        }
+
+        // POST: TodoList/Create
+        [HttpPost]
+        [ValidateAntiForgeryToken]
+        public async Task<ActionResult> Create([Bind("Title,Owner")] Todo todo)
+        {
+            await _todoListService.AddAsync(todo);
+            return RedirectToAction("Index");
+        }
+
+        // GET: TodoList/Edit/5
+        public async Task<ActionResult> Edit(int id)
+        {
+            Todo todo = await this._todoListService.GetAsync(id);
+
+            if (todo == null)
+            {
+                return NotFound();
+            }
+
+            return View(todo);
+        }
+
+        // POST: TodoList/Edit/5
+        [HttpPost]
+        [ValidateAntiForgeryToken]
+        public async Task<ActionResult> Edit(int id, [Bind("Id,Title,Owner")] Todo todo)
+        {
+            await _todoListService.EditAsync(todo);
+            return RedirectToAction("Index");
+        }
+
+        // GET: TodoList/Delete/5
+        public async Task<ActionResult> Delete(int id)
+        {
+            Todo todo = await this._todoListService.GetAsync(id);
+
+            if (todo == null)
+            {
+                return NotFound();
+            }
+
+            return View(todo);
+        }
+
+        // POST: TodoList/Delete/5
+        [HttpPost]
+        [ValidateAntiForgeryToken]
+        public async Task<ActionResult> Delete(int id, [Bind("Id,Title,Owner")] Todo todo)
+        {
+            await _todoListService.DeleteAsync(id);
+            return RedirectToAction("Index");
+        }
+    }
+}

4-WebApp-your-API/4-2-B2C/Client/Controllers/TodoListController.cs

@@ -0,0 +1,8 @@
+namespace WebApp_OpenIDConnect_DotNet.Infrastructure
+{
+    public static class Constants
+    {
+        public const string ScopeUserImpersonation = "user_impersonation";
+        public const string BearerAuthorizationScheme = "Bearer";
+    }
+}