Merging from master and resolving the conflicts

Author: jmprieur

.gitignore

@@ -35,6 +35,7 @@
 /2-WebApp-graph-user/2-1-Call-MSGraph/.vs
 /2-WebApp-graph-user/2-1-Call-MSGraph/bin
 /2-WebApp-graph-user/2-1-Call-MSGraph/obj
+/2-WebApp-graph-user/2-1-Call-MSGraph/TestResults
 /2-WebApp-graph-user/2-2-TokenCache/.vs
 /2-WebApp-graph-user/2-2-TokenCache/bin
 /2-WebApp-graph-user/2-2-TokenCache/obj
@@ -110,22 +111,16 @@
 /4-WebApp-your-API/Client/bin/Release/netcoreapp2.2
 /4-WebApp-your-API/Client/obj/Debug/netcoreapp2.2
 /4-WebApp-your-API/Client/obj/Release/netcoreapp2.2
-/Microsoft.Identity.Web.Test/obj/Release/netcoreapp2.2
-/Microsoft.Identity.Web.Test/obj/Debug/netcoreapp2.2
-/5-WebApp-AuthZ/5-2-Groups/bin/Release/netcoreapp2.2
-/5-WebApp-AuthZ/5-1-Roles/bin/Release/netcoreapp2.2
+/Microsoft.Identity.Web.Test/obj
+/Microsoft.Identity.Web.Test/bin
+/5-WebApp-AuthZ/5-2-Groups/bin
+/5-WebApp-AuthZ/5-1-Roles/bin
 /4-WebApp-your-API/TodoListService/obj
 /4-WebApp-your-API/TodoListService/bin
 /4-WebApp-your-API/Client/obj
-/2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph/bin/Debug/netcoreapp2.2
+/2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph/bin
 /2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph/obj
-/2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph/bin/Release/netcoreapp2.2
-/Microsoft.Identity.Web.Test/bin/Release/netcoreapp2.2
 /Microsoft.Identity.Web.Test/obj
 /4-WebApp-your-API/4-2-B2C/.vs
 /4-WebApp-your-API/4-2-B2C/Client/obj
 /4-WebApp-your-API/4-2-B2C/TodoListService/obj
-/2-WebApp-graph-user/2-3-Multi-Tenant/.vs/WebApp-OpenIDConnect-DotNet
-/2-WebApp-graph-user/2-3-Multi-Tenant/bin/Debug/netcoreapp2.2
-/2-WebApp-graph-user/2-3-Multi-Tenant/obj
-/Microsoft.Identity.Web.Test/bin/Release/netcoreapp3.0

2-WebApp-graph-user/2-1-Call-MSGraph/AspnetCoreWebApp-calls-Microsoft-Graph.sln

@@ -7,8 +7,14 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "WebApp-OpenIDConnect-DotNet
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Identity.Web", "..\..\Microsoft.Identity.Web\Microsoft.Identity.Web.csproj", "{E0CEF26A-6CE6-4505-851B-6580D5564752}"
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{CD0BB564-6C1E-4FCE-B9AB-7C637FDEE569}"
+	ProjectSection(SolutionItems) = preProject
+		.editorconfig = .editorconfig
+	EndProjectSection
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Identity.Web.Test", "..\..\Microsoft.Identity.Web.Test\Microsoft.Identity.Web.Test.csproj", "{8CCEAE2A-BDF6-470C-B6DE-7FC81A74DBD7}"
+EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Identity.Web.UI", "..\..\Microsoft.Identity.Web.UI\Microsoft.Identity.Web.UI.csproj", "{8CC22202-F66C-4332-A4F0-A2C09EBA08EC}"
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Identity.Web.Test", "..\..\Microsoft.Identity.Web.Test\Microsoft.Identity.Web.Test.csproj", "{0EEC3E2E-69D0-4A7F-98D6-4386330F4965}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution

2-WebApp-graph-user/2-1-Call-MSGraph/WebApp-OpenIDConnect-DotNet.csproj

@@ -18,7 +18,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Graph" Version="1.14.0" />
+    <PackageReference Include="Microsoft.Graph" Version="1.21.0" />
   </ItemGroup>
 
   <ItemGroup>

2-WebApp-graph-user/2-2-TokenCache/README.md

@@ -175,6 +175,10 @@ Note: if you had used the automation to setup your application mentioned in [Ste
 
 Starting from the [previous phase of the tutorial](../../2-WebApp-graph-user/2-1-Call-MSGraph), the code was incrementally updated with the following steps:
 
+### Reference Microsoft.Extensions.Caching.SqlServer
+
+This sample proposes a distributed SQL token cache. To use it, you'll need to add a reference to the `Microsoft.Extensions.Caching.SqlServer` NuGet package
+
 ### Update the `Startup.cs` file to enable Token caching using Sql database.
 
 ```CSharp
@@ -205,6 +209,7 @@ The files `MSALAppSqlTokenCacheProvider.cs` and `MSALPerUserSqlTokenCacheProvide
 ## Next steps
 
 - Learn how to enable distributed caches in [token cache serialization](../2.2.%20token%20cache%20serialization)
+- Learn more about the [Distributed SQL Server Cache](https://docs.microsoft.com/aspnet/core/performance/caching/distributed#distributed-sql-server-cache)
 - Learn how the same principle you've just learnt can be used to call:
   - [several Microsoft APIs](../../3-WebApp-multi-APIs), which will enable you to learn how incremental consent and conditional access is managed in your Web App
   - 3rd party, or even [your own Web API](../../4-WebApp-your-API), which will enable you to learn about custom scopes

5-WebApp-AuthZ/5-2-Groups/Services/MicrosoftGraph-Rest/MSGraphService.cs

@@ -277,7 +277,7 @@ public async Task<UserGroupsAndDirectoryRoles> GetCurrentUserGroupsAndRolesAsync
         public async Task<List<Group>> GetMyMemberOfGroupsAsync(string accessToken)
         {
             List<Group> groups = new List<Group>();
-
+            PrepareAuthenticatedClient(accessToken); 
             // Get groups the current user is a direct member of.
             IUserMemberOfCollectionWithReferencesPage memberOfGroups = await graphServiceClient.Me.MemberOf.Request().GetAsync();
             if (memberOfGroups?.Count > 0)
@@ -378,4 +378,4 @@ await Task.Run(() =>
             }
         }
     }
-}
+}

Microsoft.Identity.Web.Test/WebApiServiceCollectionExtensionsTests.cs

@@ -0,0 +1,69 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using System;
+using System.Collections.Generic;
+using System.Text;
+using Xunit;
+using System.Linq;
+
+namespace Microsoft.Identity.Web.Test
+{
+    public class WebApiServiceCollectionExtensionsTests
+    {
+        [Fact]
+        public void TestAuthority()
+        {
+            // Arrange
+            JwtBearerOptions options = new JwtBearerOptions();
+
+            // Act and Assert
+            options.Authority = "https://login.microsoftonline.com/common";
+            WebApiServiceCollectionExtensions.EnsureAuthorityIsV2_0(options);
+            Assert.Equal("https://login.microsoftonline.com/common/v2.0", options.Authority);
+
+            options.Authority = "https://login.microsoftonline.us/organizations";
+            WebApiServiceCollectionExtensions.EnsureAuthorityIsV2_0(options);
+            Assert.Equal("https://login.microsoftonline.us/organizations/v2.0", options.Authority);
+
+            options.Authority = "https://login.microsoftonline.com/common/";
+            WebApiServiceCollectionExtensions.EnsureAuthorityIsV2_0(options);
+            Assert.Equal("https://login.microsoftonline.com/common/v2.0", options.Authority);
+
+            options.Authority = "https://login.microsoftonline.com/common/v2.0";
+            WebApiServiceCollectionExtensions.EnsureAuthorityIsV2_0(options);
+            Assert.Equal("https://login.microsoftonline.com/common/v2.0", options.Authority);
+
+
+            options.Authority = "https://login.microsoftonline.com/common/v2.0";
+            WebApiServiceCollectionExtensions.EnsureAuthorityIsV2_0(options);
+            Assert.Equal("https://login.microsoftonline.com/common/v2.0", options.Authority);
+
+        }
+
+        [Fact]
+        public void TestAudience()
+        {
+            JwtBearerOptions options = new JwtBearerOptions();
+
+            // Act and Assert
+            options.Audience = "https://localhost";
+            WebApiServiceCollectionExtensions.EnsureValidAudiencesContainsApiGuidIfGuidProvided(options);
+            Assert.True(options.TokenValidationParameters.ValidAudiences.Count() == 1);
+            Assert.True(options.TokenValidationParameters.ValidAudiences.First() == "https://localhost");
+
+            options.Audience = "api://1EE5A092-0DFD-42B6-88E5-C517C0141321";
+            WebApiServiceCollectionExtensions.EnsureValidAudiencesContainsApiGuidIfGuidProvided(options);
+            Assert.True(options.TokenValidationParameters.ValidAudiences.Count() == 1);
+            Assert.True(options.TokenValidationParameters.ValidAudiences.First() == "api://1EE5A092-0DFD-42B6-88E5-C517C0141321");
+
+            options.Audience = "1EE5A092-0DFD-42B6-88E5-C517C0141321";
+            WebApiServiceCollectionExtensions.EnsureValidAudiencesContainsApiGuidIfGuidProvided(options);
+            Assert.True(options.TokenValidationParameters.ValidAudiences.Count() == 2);
+            Assert.Contains("api://1EE5A092-0DFD-42B6-88E5-C517C0141321", options.TokenValidationParameters.ValidAudiences);
+            Assert.Contains("1EE5A092-0DFD-42B6-88E5-C517C0141321", options.TokenValidationParameters.ValidAudiences);
+
+        }
+    }
+}

Microsoft.Identity.Web/Microsoft.Identity.Web.csproj

@@ -34,7 +34,7 @@
   </ItemGroup>
 
   <ItemGroup Label="Build Tools" Condition="$([MSBuild]::IsOsPlatform('Windows'))">
-    <PackageReference Include="Microsoft.SourceLink.GitHub" Version="1.0.0-beta2-18618-05" PrivateAssets="All" />
+    <PackageReference Include="Microsoft.SourceLink.GitHub" Version="1.0.0" PrivateAssets="All" />
   </ItemGroup>
 
 

Microsoft.Identity.Web/TokenAcquisition.cs

@@ -309,31 +309,31 @@ private IConfidentialClientApplication BuildConfidentialClientApplication()
                 request.PathBase,
                 microsoftIdentityOptions.CallbackPath.Value ?? string.Empty);
 
-            string authority = string.Empty;
+            if (!applicationOptions.Instance.EndsWith("/"))
+                applicationOptions.Instance += "/";
+
+            string authority ;
             IConfidentialClientApplication app = null;
 
             if (microsoftIdentityOptions.IsB2C)
             {
-                authority = $"{applicationOptions.Instance.TrimEnd('/')}/tfp/{microsoftIdentityOptions.Domain}/{microsoftIdentityOptions.DefaultUserFlow}";
+                authority = $"{applicationOptions.Instance}tfp/{microsoftIdentityOptions.Domain}/{microsoftIdentityOptions.DefaultUserFlow}";
                 app = ConfidentialClientApplicationBuilder
                     .CreateWithApplicationOptions(applicationOptions)
                     .WithRedirectUri(currentUri)
                     .WithB2CAuthority(authority)
                     .Build();
             }
-
             else
             {
-                authority = $"{applicationOptions.Instance.TrimEnd('/')}/{applicationOptions.TenantId}/";
+                authority = $"{applicationOptions.Instance}{applicationOptions.TenantId}/";
                 app = ConfidentialClientApplicationBuilder
                     .CreateWithApplicationOptions(applicationOptions)
                     .WithRedirectUri(currentUri)
                     .WithAuthority(authority)
                     .Build();
             }
 
-            
-
             // Initialize token cache providers
             _tokenCacheProvider?.InitializeAsync(app.AppTokenCache);
             _tokenCacheProvider?.InitializeAsync(app.UserTokenCache);

Microsoft.Identity.Web/WebApiServiceCollectionExtensions.cs

@@ -166,15 +166,12 @@ public static AuthenticationBuilder AddProtectedWebApi(
                 if (string.IsNullOrWhiteSpace(options.Authority))
                     options.Authority = AuthorityHelpers.BuildAuthority(microsoftIdentityOptions);
 
-                if (!AuthorityHelpers.IsV2Authority(options.Authority))
-                    options.Authority += "/v2.0";
+                // This is an Microsoft identity platform Web API
+                EnsureAuthorityIsV2_0(options);
 
-                // The valid audiences are both the Client ID (options.Audience) and api://{ClientID}
-                options.TokenValidationParameters.ValidAudiences = new string[]
-                {
-                    // If the developer doesn't set the Audience on JwtBearerOptions, use ClientId from MicrosoftIdentityOptions
-                    options.Audience, $"api://{options.Audience ?? microsoftIdentityOptions.ClientId}"
-                };
+                // The valid audience could be given as Client Id or as Uri. 
+                // If it does not start with 'api://', this variant is added to the list of valid audiences.
+                EnsureValidAudiencesContainsApiGuidIfGuidProvided(options);
 
                 // If the developer registered an IssuerValidator, do not overwrite it
                 if (options.TokenValidationParameters.IssuerValidator == null)
@@ -248,5 +245,37 @@ public static IServiceCollection AddProtectedWebApiCallsProtectedWebApi(
 
             return services;
         }
+
+        /// <summary>
+        /// Ensures that the authority is a v2.0 authority
+        /// </summary>
+        /// <param name="options">Jwt bearer options read from the config file
+        /// or set by the developper, for which we want to ensure the authority
+        /// is a v2.0 authority</param>
+        internal static void EnsureAuthorityIsV2_0(JwtBearerOptions options)
+        {
+            var authority = options.Authority.Trim().TrimEnd('/');
+            if (!authority.EndsWith("v2.0"))
+                authority += "/v2.0";
+            options.Authority = authority;
+        }
+
+
+        /// <summary>
+        /// Ensure that if the audience is a GUID, api://{audience} is also added
+        /// as a valid audience (this is the default App ID URL in the app registration
+        /// portal)
+        /// </summary>
+        /// <param name="options">Jwt bearer options for which to ensure that
+        /// api://GUID is a valid audience</param>
+        internal static void EnsureValidAudiencesContainsApiGuidIfGuidProvided(JwtBearerOptions options)
+        {
+            var validAudiences = new List<string> { options.Audience };
+            if (!options.Audience.StartsWith("api://", StringComparison.OrdinalIgnoreCase)
+                                             && Guid.TryParse(options.Audience, out _))
+                validAudiences.Add($"api://{options.Audience}");
+
+            options.TokenValidationParameters.ValidAudiences = validAudiences;
+        }
     }
-}
+}