Renaming policy to user flow

Tiago Brenck · Tiago Brenck · commit 80b05cea0f14 · 2020-01-30T15:12:59.000-08:00
diff --git a/Microsoft.Identity.Web/AzureADB2COpenIDConnectEventHandlers.cs b/Microsoft.Identity.Web/AzureADB2COpenIDConnectEventHandlers.cs
@@ -12,7 +12,7 @@ namespace Microsoft.Identity.Web
 {
     internal class AzureADB2COpenIDConnectEventHandlers
     {
-        private IDictionary<string, string> _policyToIssuerAddress =
+        private IDictionary<string, string> _userFlowToIssuerAddress =
             new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
 
         public AzureADB2COpenIDConnectEventHandlers(string schemeName, MicrosoftIdentityOptions options)
@@ -28,13 +28,13 @@ public AzureADB2COpenIDConnectEventHandlers(string schemeName, MicrosoftIdentity
         public Task OnRedirectToIdentityProvider(RedirectContext context)
         {
             var defaultUserFlow = Options.DefaultUserFlow;
-            if (context.Properties.Items.TryGetValue(OidcConstants.PolicyKey, out var policy) &&
-                !string.IsNullOrEmpty(policy) &&
-                !string.Equals(policy, defaultUserFlow, StringComparison.OrdinalIgnoreCase))
+            if (context.Properties.Items.TryGetValue(OidcConstants.PolicyKey, out var userFlow) &&
+                !string.IsNullOrEmpty(userFlow) &&
+                !string.Equals(userFlow, defaultUserFlow, StringComparison.OrdinalIgnoreCase))
             {
                 context.ProtocolMessage.Scope = OpenIdConnectScope.OpenIdProfile;
                 context.ProtocolMessage.ResponseType = OpenIdConnectResponseType.IdToken;
-                context.ProtocolMessage.IssuerAddress = BuildIssuerAddress(context, defaultUserFlow, policy);
+                context.ProtocolMessage.IssuerAddress = BuildIssuerAddress(context, defaultUserFlow, userFlow);
                 context.Properties.Items.Remove(OidcConstants.PolicyKey);
             }
 
@@ -43,20 +43,20 @@ public Task OnRedirectToIdentityProvider(RedirectContext context)
 
         private string BuildIssuerAddress(RedirectContext context, string defaultUserFlow, string userFlow)
         {
-            if (!_policyToIssuerAddress.TryGetValue(userFlow, out var issuerAddress))
+            if (!_userFlowToIssuerAddress.TryGetValue(userFlow, out var issuerAddress))
             {
-                _policyToIssuerAddress[userFlow] = context.ProtocolMessage.IssuerAddress.ToLowerInvariant()
+                _userFlowToIssuerAddress[userFlow] = context.ProtocolMessage.IssuerAddress.ToLowerInvariant()
                     .Replace($"/{defaultUserFlow.ToLowerInvariant()}/", $"/{userFlow.ToLowerInvariant()}/");
             }
 
-            return _policyToIssuerAddress[userFlow];
+            return _userFlowToIssuerAddress[userFlow];
         }
 
         public Task OnRemoteFailure(RemoteFailureContext context)
         {
             context.HandleResponse();
             // Handle the error code that Azure Active Directory B2C throws when trying to reset a password from the login page 
-            // because password reset is not supported by a "sign-up or sign-in policy".
+            // because password reset is not supported by a "sign-up or sign-in user flow".
             // Below is a sample error message:
             // 'access_denied', error_description: 'AADB2C90118: The user has forgotten their password.
             // Correlation ID: f99deff4-f43b-43cc-b4e7-36141dbaf0a0
diff --git a/Microsoft.Identity.Web/ClaimsPrincipalExtensions.cs b/Microsoft.Identity.Web/ClaimsPrincipalExtensions.cs
@@ -11,8 +11,6 @@ namespace Microsoft.Identity.Web
     /// </summary>
     public static class ClaimsPrincipalExtensions
     {
-        // TODO: how to make this work with B2C, given that there is no tenant ID with B2C?
-
         /// <summary>
         /// Gets the Account identifier for an MSAL.NET account from a <see cref="ClaimsPrincipal"/>
         /// </summary>
@@ -23,12 +21,12 @@ public static string GetMsalAccountId(this ClaimsPrincipal claimsPrincipal)
             string userObjectId = claimsPrincipal.GetObjectId();
             string nameIdentifierId = claimsPrincipal.GetNameIdentifierId();
             string tenantId = claimsPrincipal.GetTenantId();
-            string policyId = claimsPrincipal.GetPolicyId();
+            string userFlowId = claimsPrincipal.GetUserFlowId();
 
-            if (!string.IsNullOrWhiteSpace(nameIdentifierId) && !string.IsNullOrWhiteSpace(tenantId) && !string.IsNullOrWhiteSpace(policyId))
+            if (!string.IsNullOrWhiteSpace(nameIdentifierId) && !string.IsNullOrWhiteSpace(tenantId) && !string.IsNullOrWhiteSpace(userFlowId))
             {
                 // B2C pattern: {oid}-{tfp}.{tid}
-                return $"{nameIdentifierId}-{policyId}.{tenantId}";
+                return $"{nameIdentifierId}-{userFlowId}.{tenantId}";
             }
             else if (!string.IsNullOrWhiteSpace(userObjectId) && !string.IsNullOrWhiteSpace(tenantId))
             {
@@ -129,14 +127,14 @@ public static string GetDisplayName(this ClaimsPrincipal claimsPrincipal)
         }
         
         /// <summary>
-        /// Gets the Policy Id associated with the <see cref="ClaimsPrincipal"/>
+        /// Gets the user flow id associated with the <see cref="ClaimsPrincipal"/>
         /// </summary>
-        /// <param name="claimsPrincipal">the <see cref="ClaimsPrincipal"/> from which to retrieve the policy id</param>
-        /// <returns>Policy Id of the identity, or <c>null</c> if it cannot be found</returns>
-        public static string GetPolicyId(this ClaimsPrincipal claimsPrincipal)
+        /// <param name="claimsPrincipal">the <see cref="ClaimsPrincipal"/> from which to retrieve the user flow id</param>
+        /// <returns>User Flow Id of the identity, or <c>null</c> if it cannot be found</returns>
+        public static string GetUserFlowId(this ClaimsPrincipal claimsPrincipal)
         {
-            string policyId = claimsPrincipal.FindFirstValue(ClaimConstants.Tfp);
-            return policyId;
+            string userFlowId = claimsPrincipal.FindFirstValue(ClaimConstants.Tfp);
+            return userFlowId;
         }
 
         /// <summary>
diff --git a/Microsoft.Identity.Web/TokenAcquisition.cs b/Microsoft.Identity.Web/TokenAcquisition.cs
@@ -247,7 +247,7 @@ public async Task RemoveAccountAsync(RedirectContext context)
             IConfidentialClientApplication app = GetOrBuildConfidentialClientApplication();
             IAccount account = null; 
             
-            // For B2C, we should remove all accounts of the user regardless the policy
+            // For B2C, we should remove all accounts of the user regardless the user flow
             if(_microsoftIdentityOptions.IsB2C)
             {
                 var b2cAccounts = await app.GetAccountsAsync().ConfigureAwait(false);
@@ -376,11 +376,11 @@ private async Task<string> GetAccessTokenOnBehalfOfUserFromCacheAsync(
                 }
             }
 
-            // If is B2C and could not get an account (most likely because there is no tid claims), try to get it by policy
+            // If is B2C and could not get an account (most likely because there is no tid claims), try to get it by user flow
             if (_microsoftIdentityOptions.IsB2C && account == null)
             {
-                string currentPolicy = claimsPrincipal.GetPolicyId();
-                account = GetAccountByPolicy(await application.GetAccountsAsync().ConfigureAwait(false), currentPolicy);
+                string currentUserFlow = claimsPrincipal.GetUserFlowId();
+                account = GetAccountByUserFlow(await application.GetAccountsAsync().ConfigureAwait(false), currentUserFlow);
             }
 
             return await GetAccessTokenOnBehalfOfUserFromCacheAsync(application, account, scopes, tenant).ConfigureAwait(false);
@@ -496,17 +496,17 @@ private static bool AcceptedTokenVersionMismatch(MsalUiRequiredException msalSev
         }
 
         /// <summary>
-        /// Gets an IAccount for the current B2C policy in the user claims
+        /// Gets an IAccount for the current B2C user flow in the user claims
         /// </summary>
         /// <param name="accounts"></param>
-        /// <param name="policy"></param>
+        /// <param name="userFlow"></param>
         /// <returns></returns>
-        private IAccount GetAccountByPolicy(IEnumerable<IAccount> accounts, string policy)
+        private IAccount GetAccountByUserFlow(IEnumerable<IAccount> accounts, string userFlow)
         {
             foreach (var account in accounts)
             {
                 string accountIdentifier = account.HomeAccountId.ObjectId.Split('.')[0];
-                if (accountIdentifier.EndsWith(policy.ToLower()))
+                if (accountIdentifier.EndsWith(userFlow.ToLower()))
                     return account;
             }
 
diff --git a/Microsoft.Identity.Web/WebAppServiceCollectionExtensions.cs b/Microsoft.Identity.Web/WebAppServiceCollectionExtensions.cs
@@ -248,8 +248,8 @@ public static AuthenticationBuilder AddSignIn(
 
                     if (microsoftIdentityOptions.IsB2C)
                     {
-                        // When a new Challenge is returned using any B2C policy different than sisu, we must change
-                        // the ProtocolMessage.IssuerAddress to the desired policy otherwise the redirect would use the sisu policy
+                        // When a new Challenge is returned using any B2C user flow different than susi, we must change
+                        // the ProtocolMessage.IssuerAddress to the desired user flow otherwise the redirect would use the susi user flow
                         await b2COidcHandlers.OnRedirectToIdentityProvider(context);
                     }
 
@@ -263,7 +263,7 @@ public static AuthenticationBuilder AddSignIn(
                     {
                         // Handles the error when a user cancels an action on the Azure Active Directory B2C UI.
                         // Handle the error code that Azure Active Directory B2C throws when trying to reset a password from the login page 
-                        // because password reset is not supported by a "sign-up or sign-in policy".
+                        // because password reset is not supported by a "sign-up or sign-in user flow".
                         await b2COidcHandlers.OnRemoteFailure(context);
 
                         await remoteFailureHandler(context).ConfigureAwait(false);

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ namespace Microsoft.Identity.Web`
`12`	`12`	`{`
`13`	`13`	`internal class AzureADB2COpenIDConnectEventHandlers`
`14`	`14`	`{`
`15`		`- private IDictionary<string, string> _policyToIssuerAddress =`
	`15`	`+ private IDictionary<string, string> _userFlowToIssuerAddress =`
`16`	`16`	`new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);`
`17`	`17`
`18`	`18`	`public AzureADB2COpenIDConnectEventHandlers(string schemeName, MicrosoftIdentityOptions options)`
`@@ -28,13 +28,13 @@ public AzureADB2COpenIDConnectEventHandlers(string schemeName, MicrosoftIdentity`
`28`	`28`	`public Task OnRedirectToIdentityProvider(RedirectContext context)`
`29`	`29`	`{`
`30`	`30`	`var defaultUserFlow = Options.DefaultUserFlow;`
`31`		`- if (context.Properties.Items.TryGetValue(OidcConstants.PolicyKey, out var policy) &&`
`32`		`- !string.IsNullOrEmpty(policy) &&`
`33`		`- !string.Equals(policy, defaultUserFlow, StringComparison.OrdinalIgnoreCase))`
	`31`	`+ if (context.Properties.Items.TryGetValue(OidcConstants.PolicyKey, out var userFlow) &&`
	`32`	`+ !string.IsNullOrEmpty(userFlow) &&`
	`33`	`+ !string.Equals(userFlow, defaultUserFlow, StringComparison.OrdinalIgnoreCase))`
`34`	`34`	`{`
`35`	`35`	`context.ProtocolMessage.Scope = OpenIdConnectScope.OpenIdProfile;`
`36`	`36`	`context.ProtocolMessage.ResponseType = OpenIdConnectResponseType.IdToken;`
`37`		`- context.ProtocolMessage.IssuerAddress = BuildIssuerAddress(context, defaultUserFlow, policy);`
	`37`	`+ context.ProtocolMessage.IssuerAddress = BuildIssuerAddress(context, defaultUserFlow, userFlow);`
`38`	`38`	`context.Properties.Items.Remove(OidcConstants.PolicyKey);`
`39`	`39`	`}`
`40`	`40`
`@@ -43,20 +43,20 @@ public Task OnRedirectToIdentityProvider(RedirectContext context)`
`43`	`43`
`44`	`44`	`private string BuildIssuerAddress(RedirectContext context, string defaultUserFlow, string userFlow)`
`45`	`45`	`{`
`46`		`- if (!_policyToIssuerAddress.TryGetValue(userFlow, out var issuerAddress))`
	`46`	`+ if (!_userFlowToIssuerAddress.TryGetValue(userFlow, out var issuerAddress))`
`47`	`47`	`{`
`48`		`- _policyToIssuerAddress[userFlow] = context.ProtocolMessage.IssuerAddress.ToLowerInvariant()`
	`48`	`+ _userFlowToIssuerAddress[userFlow] = context.ProtocolMessage.IssuerAddress.ToLowerInvariant()`
`49`	`49`	`.Replace($"/{defaultUserFlow.ToLowerInvariant()}/", $"/{userFlow.ToLowerInvariant()}/");`
`50`	`50`	`}`
`51`	`51`
`52`		`- return _policyToIssuerAddress[userFlow];`
	`52`	`+ return _userFlowToIssuerAddress[userFlow];`
`53`	`53`	`}`
`54`	`54`
`55`	`55`	`public Task OnRemoteFailure(RemoteFailureContext context)`
`56`	`56`	`{`
`57`	`57`	`context.HandleResponse();`
`58`	`58`	`// Handle the error code that Azure Active Directory B2C throws when trying to reset a password from the login page`
`59`		`- // because password reset is not supported by a "sign-up or sign-in policy".`
	`59`	`+ // because password reset is not supported by a "sign-up or sign-in user flow".`
`60`	`60`	`// Below is a sample error message:`
`61`	`61`	`// 'access_denied', error_description: 'AADB2C90118: The user has forgotten their password.`
`62`	`62`	`// Correlation ID: f99deff4-f43b-43cc-b4e7-36141dbaf0a0`
Original file line number	Diff line number	Diff line change
`@@ -247,7 +247,7 @@ public async Task RemoveAccountAsync(RedirectContext context)`
`247`	`247`	`IConfidentialClientApplication app = GetOrBuildConfidentialClientApplication();`
`248`	`248`	`IAccount account = null;`
`249`	`249`
`250`		`- // For B2C, we should remove all accounts of the user regardless the policy`
	`250`	`+ // For B2C, we should remove all accounts of the user regardless the user flow`
`251`	`251`	`if(_microsoftIdentityOptions.IsB2C)`
`252`	`252`	`{`
`253`	`253`	`var b2cAccounts = await app.GetAccountsAsync().ConfigureAwait(false);`
`@@ -376,11 +376,11 @@ private async Task<string> GetAccessTokenOnBehalfOfUserFromCacheAsync(`
`376`	`376`	`}`
`377`	`377`	`}`
`378`	`378`
`379`		`- // If is B2C and could not get an account (most likely because there is no tid claims), try to get it by policy`
	`379`	`+ // If is B2C and could not get an account (most likely because there is no tid claims), try to get it by user flow`
`380`	`380`	`if (_microsoftIdentityOptions.IsB2C && account == null)`
`381`	`381`	`{`
`382`		`- string currentPolicy = claimsPrincipal.GetPolicyId();`
`383`		`- account = GetAccountByPolicy(await application.GetAccountsAsync().ConfigureAwait(false), currentPolicy);`
	`382`	`+ string currentUserFlow = claimsPrincipal.GetUserFlowId();`
	`383`	`+ account = GetAccountByUserFlow(await application.GetAccountsAsync().ConfigureAwait(false), currentUserFlow);`
`384`	`384`	`}`
`385`	`385`
`386`	`386`	`return await GetAccessTokenOnBehalfOfUserFromCacheAsync(application, account, scopes, tenant).ConfigureAwait(false);`
`@@ -496,17 +496,17 @@ private static bool AcceptedTokenVersionMismatch(MsalUiRequiredException msalSev`
`496`	`496`	`}`
`497`	`497`
`498`	`498`	`/// <summary>`
`499`		`- /// Gets an IAccount for the current B2C policy in the user claims`
	`499`	`+ /// Gets an IAccount for the current B2C user flow in the user claims`
`500`	`500`	`/// </summary>`
`501`	`501`	`/// <param name="accounts"></param>`
`502`		`- /// <param name="policy"></param>`
	`502`	`+ /// <param name="userFlow"></param>`
`503`	`503`	`/// <returns></returns>`
`504`		`- private IAccount GetAccountByPolicy(IEnumerable<IAccount> accounts, string policy)`
	`504`	`+ private IAccount GetAccountByUserFlow(IEnumerable<IAccount> accounts, string userFlow)`
`505`	`505`	`{`
`506`	`506`	`foreach (var account in accounts)`
`507`	`507`	`{`
`508`	`508`	`string accountIdentifier = account.HomeAccountId.ObjectId.Split('.')[0];`
`509`		`- if (accountIdentifier.EndsWith(policy.ToLower()))`
	`509`	`+ if (accountIdentifier.EndsWith(userFlow.ToLower()))`
`510`	`510`	`return account;`
`511`	`511`	`}`
`512`	`512`
Original file line number	Diff line number	Diff line change
`@@ -248,8 +248,8 @@ public static AuthenticationBuilder AddSignIn(`
`248`	`248`
`249`	`249`	`if (microsoftIdentityOptions.IsB2C)`
`250`	`250`	`{`
`251`		`- // When a new Challenge is returned using any B2C policy different than sisu, we must change`
`252`		`- // the ProtocolMessage.IssuerAddress to the desired policy otherwise the redirect would use the sisu policy`
	`251`	`+ // When a new Challenge is returned using any B2C user flow different than susi, we must change`
	`252`	`+ // the ProtocolMessage.IssuerAddress to the desired user flow otherwise the redirect would use the susi user flow`
`253`	`253`	`await b2COidcHandlers.OnRedirectToIdentityProvider(context);`
`254`	`254`	`}`
`255`	`255`
`@@ -263,7 +263,7 @@ public static AuthenticationBuilder AddSignIn(`
`263`	`263`	`{`
`264`	`264`	`// Handles the error when a user cancels an action on the Azure Active Directory B2C UI.`
`265`	`265`	`// Handle the error code that Azure Active Directory B2C throws when trying to reset a password from the login page`
`266`		`- // because password reset is not supported by a "sign-up or sign-in policy".`
	`266`	`+ // because password reset is not supported by a "sign-up or sign-in user flow".`
`267`	`267`	`await b2COidcHandlers.OnRemoteFailure(context);`
`268`	`268`
`269`	`269`	`await remoteFailureHandler(context).ConfigureAwait(false);`