Doc updates.

pmaytak · pmaytak · commit 66ee9746b1c3 · 2020-07-13T10:45:36.000-07:00
diff --git a/5-WebApp-AuthZ/5-1-Roles/README-incremental-instructions.md b/5-WebApp-AuthZ/5-1-Roles/README-incremental-instructions.md
@@ -154,12 +154,12 @@ When you click on the page that fetches the signed-in user's roles and group ass
 
 ### Support in ASP.NET Core middleware libraries
 
-The asp.net middleware supports roles populated from claims by specifying the claim in the `RoleClaimType` property of `TokenValidationParameters`.
+The ASP.NET middleware supports roles populated from claims by specifying the claim in the `RoleClaimType` property of `TokenValidationParameters`.
 
 ```CSharp
 
 // Startup.cs
-public static IServiceCollection AddMicrosoftWebApp(this IServiceCollection services, IConfiguration configuration, X509Certificate2 tokenDecryptionCertificate = null)
+public void ConfigureServices(IServiceCollection services)
 {
             // [removed for brevity]
 
@@ -171,7 +171,7 @@ public static IServiceCollection AddMicrosoftWebApp(this IServiceCollection serv
 
             // The following lines code instruct the asp.net core middleware to use the data in the "groups" claim in the Authorize attribute and User.IsInrole()
             // See https://docs.microsoft.com/aspnet/core/security/authorization/roles?view=aspnetcore-2.2 for more info.
-            services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
+            services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
             {
                 // Use the groups claim for populating roles
                 options.TokenValidationParameters.RoleClaimType = "roles";
@@ -183,7 +183,8 @@ public static IServiceCollection AddMicrosoftWebApp(this IServiceCollection serv
                 options.AddPolicy(AuthorizationPolicies.AssignmentToUserReaderRoleRequired, policy => policy.RequireRole(AppRole.UserReaders));
                 options.AddPolicy(AuthorizationPolicies.AssignmentToDirectoryViewerRoleRequired, policy => policy.RequireRole(AppRole.DirectoryViewers));
             });
-        // [removed for brevity]
+
+            // [removed for brevity]
 }
 
 // In code..(Controllers & elsewhere)
@@ -198,19 +199,14 @@ The following files have the code that would be of interest to you.
 
 1. HomeController.cs
     1. Passes the **HttpContext.User** (the signed-in user) to the view.
-1 Services\GraphServiceClientFactory.cs
+1. Services\GraphServiceClientFactory.cs
     1. Uses the [Microsoft Graph SDK](https://github.com/microsoftgraph/msgraph-sdk-dotnet) to carry out various operations with [Microsoft Graph](https://graph.microsoft.com).
 1. Home\Index.cshtml
     1. This has some code to print the current user's claims
 
-1. Startup.cs
-
 1. In the `ConfigureServices` method of `Startup.cs', add the following lines:
 
     ```CSharp
-    services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
-                  .AddAzureAD(options => Configuration.Bind("AzureAd", options));
-    
     //This enables your application to use the Microsoft identity platform endpoint. This endpoint is capable of signing-in users both with their Work and School and Microsoft Personal accounts.
     services.AddMicrosoftWebAppAuthentication(Configuration)
             .AddMicrosoftWebAppCallsWebApi(Configuration, new string[] { Constants.ScopeUserRead })
@@ -225,19 +221,15 @@ The following files have the code that would be of interest to you.
     JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
     ```
 
-1. In the `HomeController.cs`, the following method is added with the `Authorize` attribute with the name of the app role **UserReaders**, that permits listing of users in the tenant.
-
-    ```CSharp
-    [Authorize(Policy = AuthorizationPolicies.AssignmentToDirectoryViewerRoleRequired)]
-    public async Task<IActionResult> Users()
-    {
-     ```
-
-1. In the `ConfigureServices` method of `Startup.cs', the following line instructs the asp.net security middleware to use the **roles** claim to fetch roles for authorization:
+1. In the `ConfigureServices` method of `Startup.cs', the following lines instruct the ASP.NET security middleware to use the **roles** claim to fetch roles for authorization:
 
      ```CSharp
-    // The claim in the Jwt token where App roles are available.
-    options.TokenValidationParameters.RoleClaimType = "roles";
+    // Add this configuration after the call to `AddMicrosoftWebAppAuthentication`.
+    services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
+    {
+        // The claim in the JWT token where App roles are available.
+        options.TokenValidationParameters.RoleClaimType = "roles";
+    });
 
      // Adding authorization policies that enforce authorization using Azure AD roles.
     services.AddAuthorization(options => 
@@ -247,6 +239,14 @@ The following files have the code that would be of interest to you.
     });
      ```
 
+1. In the `HomeController.cs`, the following method is added with the `Authorize` attribute with the name of the app role **UserReaders**, that permits listing of users in the tenant.
+
+    ```CSharp
+    [Authorize(Policy = AuthorizationPolicies.AssignmentToDirectoryViewerRoleRequired)]
+    public async Task<IActionResult> Users()
+    {
+     ```
+
 1. A new class called `AccountController.cs` is introduced. This contains the code to intercept the default AccessDenied error's route and present the user with an option to sign-out and sign-back in with a different account that has access to the required role.
 
     ```CSharp
diff --git a/5-WebApp-AuthZ/5-1-Roles/README.md b/5-WebApp-AuthZ/5-1-Roles/README.md
@@ -229,12 +229,12 @@ When you click on the page that fetches the signed-in user's roles and group ass
 
 ### Support in ASP.NET Core middleware libraries
 
-The asp.net middleware supports roles populated from claims by specifying the claim in the `RoleClaimType` property of `TokenValidationParameters`.
+The ASP.NET middleware supports roles populated from claims by specifying the claim in the `RoleClaimType` property of `TokenValidationParameters`.
 
 ```CSharp
 
 // Startup.cs
-public static IServiceCollection AddMicrosoftWebApp(this IServiceCollection services, IConfiguration configuration, X509Certificate2 tokenDecryptionCertificate = null)
+public void ConfigureServices(IServiceCollection services)
 {
             // [removed for] brevity
 
@@ -246,7 +246,7 @@ public static IServiceCollection AddMicrosoftWebApp(this IServiceCollection serv
 
             // The following lines code instruct the asp.net core middleware to use the data in the "groups" claim in the Authorize attribute and User.IsInrole()
             // See https://docs.microsoft.com/aspnet/core/security/authorization/roles?view=aspnetcore-2.2 for more info.
-            services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
+            services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
             {
                 // Use the groups claim for populating roles
                 options.TokenValidationParameters.RoleClaimType = "roles";
@@ -258,7 +258,8 @@ public static IServiceCollection AddMicrosoftWebApp(this IServiceCollection serv
                 options.AddPolicy(AuthorizationPolicies.AssignmentToUserReaderRoleRequired, policy => policy.RequireRole(AppRole.UserReaders));
                 options.AddPolicy(AuthorizationPolicies.AssignmentToDirectoryViewerRoleRequired, policy => policy.RequireRole(AppRole.DirectoryViewers));
             });
-        // [removed for] brevity
+
+            // [removed for] brevity
 }
 
 // In code..(Controllers & elsewhere)
@@ -286,14 +287,14 @@ This project was created using the following command.
 1. Add a reference from your newly generated project to `Microsoft.Identity.Web` (right click on the **Dependencies** node under your new project, and choose **Add Reference ...**, and then in the projects tab find the `Microsoft.Identity.Web` project)
 1. Open the **Startup.cs** file and:
 
-   - in the `ConfigureServices` method, the following lines have been replaced :
+   - in the `ConfigureServices` method, the following lines:
 
      ```CSharp
       services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
               .AddAzureAD(options => Configuration.Bind("AzureAd", options));
-
-     // by these lines:
-
+     ```
+      have been replaced by these lines:
+     ```CSharp
      //This enables your application to use the Microsoft identity platform endpoint. This endpoint is capable of signing-in users both with their Work and School and Microsoft Personal accounts.
             services.AddMicrosoftWebAppAuthentication(Configuration)
                     .AddMicrosoftWebAppCallsWebApi(Configuration, new string[] { Constants.ScopeUserRead })
@@ -302,7 +303,7 @@ This project was created using the following command.
         services.AddGraphService(Configuration);    // Adds the IMSGraphService as an available service for this app.
      ```
 
-1. In the `ConfigureServices` method of `Startup.cs', add the following line:
+1. In the `ConfigureServices` method of `Startup.cs', add the following lines:
 
      ```CSharp
             // This is required to be instantiated before the OpenIdConnectOptions starts getting configured.
@@ -319,11 +320,15 @@ This project was created using the following command.
             });
      ```
 
-1. In the `ConfigureServices` method of `Startup.cs', the following line instructs the asp.net security middleware to use the **roles** claim to fetch roles for authorization:
+1. In the `ConfigureServices` method of `Startup.cs', the following lines instruct the ASP.NET security middleware to use the **roles** claim to fetch roles for authorization.
 
      ```CSharp
-     // The claim in the Jwt token where App roles are available.
-     options.TokenValidationParameters.RoleClaimType = "roles";
+    // Add this configuration after the call to `AddMicrosoftWebAppAuthentication`.
+    services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
+    {
+        // The claim in the JWT token where App roles are available.
+        options.TokenValidationParameters.RoleClaimType = "roles";
+    });
      ```
 
 1. In the `HomeController.cs`, the following method is added with the `Authorize` attribute with the name of the policy that enforces that the signed-in user is present in the app role **UserReaders**, that permits listing of users in the tenant.
diff --git a/5-WebApp-AuthZ/5-2-Groups/README-incremental-instructions.md b/5-WebApp-AuthZ/5-2-Groups/README-incremental-instructions.md
@@ -218,7 +218,7 @@ The following files have the code that would be of interest to you:
     1. Passes the **HttpContext.User** (the signed-in user) to the view.
 1. UserProfileController.cs
     1. Uses the **IMSGraphService** methods to fetch the signed-in user's group memberships.
-1 IMSGraphService.cs, MSGraphService.cs and UserGroupsAndDirectoryRoles.cs
+1. IMSGraphService.cs, MSGraphService.cs and UserGroupsAndDirectoryRoles.cs
     1. Uses the [Microsoft Graph SDK](https://github.com/microsoftgraph/msgraph-sdk-dotnet) to carry out various operations with [Microsoft Graph](https://graph.microsoft.com).
 1. Home\Index.cshtml
     1. This has some code to print the current user's claims
@@ -232,14 +232,14 @@ The following files have the code that would be of interest to you:
          using Microsoft.Identity.Web;
       ```
 
-   - in the `ConfigureServices` method, the following lines have been replaced :
+   - in the `ConfigureServices` method, the following lines:
 
      ```CSharp
       services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
               .AddAzureAD(options => Configuration.Bind("AzureAd", options));
      ```
 
-    - by these lines:
+    - have been replaced by these lines::
 
       ```CSharp
       services.AddMicrosoftWebAppAuthentication(Configuration)
diff --git a/5-WebApp-AuthZ/5-2-Groups/README.md b/5-WebApp-AuthZ/5-2-Groups/README.md
@@ -232,8 +232,8 @@ The object id of the security groups the signed in user is member of is returned
 
 ### Support in ASP.NET Core middleware libraries
 
-The asp.net middleware supports roles populated from claims by specifying the claim in the `RoleClaimType` property of `TokenValidationParameters`.
-Since the `groups` claim contains the object ids of the security groups than actual names by default, you'd use the group id's instead of group names. See [Role-based authorization in ASP.NET Core](https://docs.microsoft.com/aspnet/core/security/authorization/roles) for more info.
+The ASP.NET middleware supports roles populated from claims by specifying the claim in the `RoleClaimType` property of `TokenValidationParameters`.
+Since the `groups` claim contains the object IDs of the security groups than actual names by default, you'd use the group ID's instead of group names. See [Role-based authorization in ASP.NET Core](https://docs.microsoft.com/aspnet/core/security/authorization/roles) for more info.
 
 ```CSharp
 // Startup.cs
@@ -328,7 +328,7 @@ The following files have the code that would be of interest to you:
     1. Passes the **HttpContext.User** (the signed-in user) to the view.
 1. UserProfileController.cs
     1. Uses the **IMSGraphService** methods to fetch the signed-in user's group memberships.
-1 IMSGraphService.cs, MSGraphService.cs and UserGroupsAndDirectoryRoles.cs
+1. IMSGraphService.cs, MSGraphService.cs and UserGroupsAndDirectoryRoles.cs
     1. Uses the [Microsoft Graph SDK](https://github.com/microsoftgraph/msgraph-sdk-dotnet) to carry out various operations with [Microsoft Graph](https://graph.microsoft.com).
 1. Home\Index.cshtml
     1. This has some code to print the current user's claims
@@ -342,16 +342,16 @@ The following files have the code that would be of interest to you:
          using Microsoft.Identity.Web;
       ```
 
-   - in the `ConfigureServices` method, the following lines have been replaced :
+   - in the `ConfigureServices` method, the following lines:
 
      ```CSharp
       services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
               .AddAzureAD(options => Configuration.Bind("AzureAd", options));
      ```
 
-    - by these lines:
-
-      ```CSharp
+   - have been replaced by these lines:
+   - 
+     ```CSharp
       services.AddMicrosoftWebAppAuthentication(Configuration)
               .AddMicrosoftWebAppCallsWebApi(Configuration, new string[] { "User.Read", "Directory.Read.All" })
               .AddInMemoryTokenCaches();
diff --git a/5-WebApp-AuthZ/5-2-Groups/Startup.cs b/5-WebApp-AuthZ/5-2-Groups/Startup.cs
@@ -42,6 +42,13 @@ public void ConfigureServices(IServiceCollection services)
 
             services.AddMSGraphService(Configuration);
 
+            services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options => {
+                // Uncomment the following lines code instruct the asp.net core middleware to use the data in the "groups" claim in the [Authorize] attribute and for User.IsInrole()
+                // See https://docs.microsoft.com/en-us/aspnet/core/security/authorization/roles for more info.
+                // Use the groups claim for populating roles
+                options.TokenValidationParameters.RoleClaimType = "groups";
+            });
+
             services.AddControllersWithViews(options =>
             {
                 var policy = new AuthorizationPolicyBuilder()
