Merge branch 'jennyf/b2cwebapi' into jmprieur/webappwebapib2c

Author: jmprieur

4-WebApp-your-API/Client/Program.cs

@@ -1,4 +1,7 @@
-using Microsoft.AspNetCore.Hosting;
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Microsoft.AspNetCore.Hosting;
 using Microsoft.Extensions.Hosting;
 
 namespace WebApp_OpenIDConnect_DotNet

4-WebApp-your-API/Client/Services/TodoListService.cs

@@ -1,26 +1,5 @@
-/*
- The MIT License (MIT)
-
-Copyright (c) 2018 Microsoft Corporation
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
- */
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
 
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Configuration;
@@ -59,11 +38,11 @@ public class TodoListService : ITodoListService
 
         public TodoListService(ITokenAcquisition tokenAcquisition, HttpClient httpClient, IConfiguration configuration, IHttpContextAccessor contextAccessor)
         {
-            this._httpClient = httpClient;
-            this._tokenAcquisition = tokenAcquisition;
-            this._contextAccessor = contextAccessor;
-            this._TodoListScope = configuration["TodoList:TodoListScope"];
-            this._TodoListBaseAddress = configuration["TodoList:TodoListBaseAddress"];
+            _httpClient = httpClient;
+            _tokenAcquisition = tokenAcquisition;
+            _contextAccessor = contextAccessor;
+            _TodoListScope = configuration["TodoList:TodoListScope"];
+            _TodoListBaseAddress = configuration["TodoList:TodoListBaseAddress"];
         }
 
         public async Task<Todo> AddAsync(Todo todo)
@@ -73,7 +52,7 @@ public async Task<Todo> AddAsync(Todo todo)
             var jsonRequest = JsonConvert.SerializeObject(todo);
             var jsoncontent = new StringContent(jsonRequest, Encoding.UTF8, "application/json");
 
-            var response = await this._httpClient.PostAsync($"{this._TodoListBaseAddress}/api/todolist", jsoncontent);
+            var response = await this._httpClient.PostAsync($"{ _TodoListBaseAddress}/api/todolist", jsoncontent);
 
             if (response.StatusCode == HttpStatusCode.OK)
             {
@@ -90,7 +69,7 @@ public async Task DeleteAsync(int id)
         {
             await PrepareAuthenticatedClient();
 
-            var response = await this._httpClient.DeleteAsync($"{this._TodoListBaseAddress}/api/todolist/{id}");
+            var response = await this._httpClient.DeleteAsync($"{ _TodoListBaseAddress}/api/todolist/{id}");
 
             if (response.StatusCode == HttpStatusCode.OK)
             {
@@ -107,7 +86,7 @@ public async Task<Todo> EditAsync(Todo todo)
             var jsonRequest = JsonConvert.SerializeObject(todo);
             var jsoncontent = new StringContent(jsonRequest, Encoding.UTF8, "application/json-patch+json");
 
-            var response = await this._httpClient.PatchAsync($"{this._TodoListBaseAddress}/api/todolist/{todo.Id}", jsoncontent);
+            var response = await _httpClient.PatchAsync($"{ _TodoListBaseAddress}/api/todolist/{todo.Id}", jsoncontent);
 
             if (response.StatusCode == HttpStatusCode.OK)
             {
@@ -124,7 +103,7 @@ public async Task<IEnumerable<Todo>> GetAsync()
         {
             await PrepareAuthenticatedClient();
 
-            var response = await this._httpClient.GetAsync($"{this._TodoListBaseAddress}/api/todolist");
+            var response = await _httpClient.GetAsync($"{ _TodoListBaseAddress}/api/todolist");
             if (response.StatusCode == HttpStatusCode.OK)
             {
                 var content = await response.Content.ReadAsStringAsync();
@@ -137,18 +116,18 @@ public async Task<IEnumerable<Todo>> GetAsync()
         }
 
         private async Task PrepareAuthenticatedClient()
-        {
-            var accessToken = await this._tokenAcquisition.GetAccessTokenForUserAsync(new[] { this._TodoListScope });
+         {
+            var accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(new[] { _TodoListScope });
             Debug.WriteLine($"access token-{accessToken}");
-            this._httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
-            this._httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
+            _httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
+            _httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
         }
 
         public async Task<Todo> GetAsync(int id)
         {
             await PrepareAuthenticatedClient();
 
-            var response = await this._httpClient.GetAsync($"{this._TodoListBaseAddress}/api/todolist/{id}");
+            var response = await _httpClient.GetAsync($"{ _TodoListBaseAddress}/api/todolist/{id}");
             if (response.StatusCode == HttpStatusCode.OK)
             {
                 var content = await response.Content.ReadAsStringAsync();

4-WebApp-your-API/Client/Startup.cs

@@ -1,4 +1,7 @@
-using Microsoft.AspNetCore.Authorization;
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
@@ -7,7 +10,6 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Identity.Web;
 using Microsoft.Identity.Web.TokenCacheProviders.InMemory;
-using System.IdentityModel.Tokens.Jwt;
 using TodoListClient.Services;
 using Microsoft.Extensions.Hosting;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;

4-WebApp-your-API/Client/TodoListClient.csproj

@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <TargetFramework>netcoreapp3.1</TargetFramework>
-    <UserSecretsId>aspnet-WebApp_OpenIDConnect_DotNet-81EA87AD-E64D-4755-A1CC-5EA47F49B5D8</UserSecretsId>
+    <UserSecretsId>aspnet-WebApp_OpenIDConnect_DotNet-81EA87AD-E64D-4755-A1CC-5EA47F49B5D9</UserSecretsId>
     <WebProject_DirectoryAccessLevelKey>0</WebProject_DirectoryAccessLevelKey>
   </PropertyGroup>
 

4-WebApp-your-API/TodoListService/Program.cs

@@ -1,26 +1,5 @@
-/*
- The MIT License (MIT)
-
-Copyright (c) 2018 Microsoft Corporation
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
- */
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
 
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.Extensions.Hosting;

4-WebApp-your-API/TodoListService/Startup.cs

@@ -1,34 +1,12 @@
-/*
- The MIT License (MIT)
-
-Copyright (c) 2018 Microsoft Corporation
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
- */
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
 
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Identity.Web;
-using System.IdentityModel.Tokens.Jwt;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 
 namespace TodoListService

Microsoft.Identity.Web/AuthorizeForScopesAttribute.cs

@@ -45,6 +45,7 @@ public class AuthorizeForScopesAttribute : ExceptionFilterAttribute
         /// <param name="context">Context provided by ASP.NET Core</param>
         public override void OnException(ExceptionContext context)
         {
+            string[] incrementalConsentScopes = new string[] { };
             MsalUiRequiredException msalUiRequiredException = context.Exception as MsalUiRequiredException;
 
             if (msalUiRequiredException == null)
@@ -77,8 +78,12 @@ public override void OnException(ExceptionContext context)
                         }
 
                         scopes = new string[] { configuration.GetValue<string>(ScopeKeySection) };
+                        
+                        if (Scopes != null && Scopes.Length > 0 && scopes != null && scopes.Length > 0)
+                        {
+                           throw new InvalidOperationException("no scopes provided in scopes...");
+                        }
                     }
-
                     else
                         scopes = Scopes;
 

Microsoft.Identity.Web/Base64UrlHelpers.cs

@@ -0,0 +1,89 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Globalization;
+using System.Text;
+
+namespace Microsoft.Identity.Web
+{
+    internal static class Base64UrlHelpers
+    {
+        private const char Base64PadCharacter = '=';
+        private const char Base64Character62 = '+';
+        private const char Base64Character63 = '/';
+        private const char Base64UrlCharacter62 = '-';
+        private const char Base64UrlCharacter63 = '_';
+        private static readonly Encoding TextEncoding = Encoding.UTF8;
+
+        private static readonly string DoubleBase64PadCharacter = string.Format(CultureInfo.InvariantCulture, "{0}{0}",
+            Base64PadCharacter);
+
+        //
+        // The following functions perform base64url encoding which differs from regular base64 encoding as follows
+        // * padding is skipped so the pad character '=' doesn't have to be percent encoded
+        // * the 62nd and 63rd regular base64 encoding characters ('+' and '/') are replace with ('-' and '_')
+        // The changes make the encoding alphabet file and URL safe
+        // See RFC4648, section 5 for more info
+        //
+        public static string Encode(string arg)
+        {
+            if (arg == null)
+            {
+                return null;
+            }
+
+            return Encode(TextEncoding.GetBytes(arg));
+        }
+
+        public static string DecodeToString(string arg)
+        {
+            byte[] decoded = DecodeToBytes(arg);
+            return CreateString(decoded);
+        }
+
+        public static string CreateString(byte[] bytes)
+        {
+            return Encoding.UTF8.GetString(bytes, 0, bytes.Length);
+        }
+
+        public static byte[] DecodeToBytes(string arg)
+        {
+            string s = arg;
+            s = s.Replace(Base64UrlCharacter62, Base64Character62); // 62nd char of encoding
+            s = s.Replace(Base64UrlCharacter63, Base64Character63); // 63rd char of encoding
+
+            switch (s.Length % 4)
+            {
+                // Pad
+                case 0:
+                    break; // No pad chars in this case
+                case 2:
+                    s += DoubleBase64PadCharacter;
+                    break; // Two pad chars
+                case 3:
+                    s += Base64PadCharacter;
+                    break; // One pad char
+                default:
+                    throw new ArgumentException("Illegal base64url string!", nameof(arg));
+            }
+
+            return Convert.FromBase64String(s); // Standard base64 decoder
+        }
+
+        internal static string Encode(byte[] arg)
+        {
+            if (arg == null)
+            {
+                return null;
+            }
+
+            string s = Convert.ToBase64String(arg);
+            s = s.Split(Base64PadCharacter)[0]; // RemoveAccount any trailing padding
+            s = s.Replace(Base64Character62, Base64UrlCharacter62); // 62nd char of encoding
+            s = s.Replace(Base64Character63, Base64UrlCharacter63); // 63rd char of encoding
+
+            return s;
+        }
+    }
+}

Microsoft.Identity.Web/ClaimConstants.cs

@@ -14,6 +14,7 @@ public static class ClaimConstants
         public const string PreferredUserName = "preferred_username";
         public const string TenantId = "http://schemas.microsoft.com/identity/claims/tenantid";
         public const string Tid = "tid";
+        public const string ClientInfo = "client_info";
         // Older scope claim
         public const string Scope = "http://schemas.microsoft.com/identity/claims/scope";
         // Newer scope claim
@@ -23,6 +24,7 @@ public static class ClaimConstants
 
         // Policy claims
         public const string Acr = "acr";
+        public const string UserFlow = "http://schemas.microsoft.com/claims/authnclassreference";
         public const string Tfp = "tfp";
     }
 }

Microsoft.Identity.Web/ClaimsPrincipalExtensions.cs

@@ -23,9 +23,11 @@ public static string GetMsalAccountId(this ClaimsPrincipal claimsPrincipal)
             string tenantId = claimsPrincipal.GetTenantId();
             string userFlowId = claimsPrincipal.GetUserFlowId();
 
-            if (!string.IsNullOrWhiteSpace(nameIdentifierId) && !string.IsNullOrWhiteSpace(tenantId) && !string.IsNullOrWhiteSpace(userFlowId))
+            if (!string.IsNullOrWhiteSpace(nameIdentifierId) &&
+                !string.IsNullOrWhiteSpace(tenantId) &&
+                !string.IsNullOrWhiteSpace(userFlowId))
             {
-                // B2C pattern: {oid}-{tfp}.{tid}
+                // B2C pattern: {oid}-{userFlow}.{tid}
                 return $"{nameIdentifierId}-{userFlowId}.{tenantId}";
             }
             else if (!string.IsNullOrWhiteSpace(userObjectId) && !string.IsNullOrWhiteSpace(tenantId))
@@ -64,8 +66,9 @@ public static string GetTenantId(this ClaimsPrincipal claimsPrincipal)
             string tenantId = claimsPrincipal.FindFirstValue(ClaimConstants.Tid);
             if (string.IsNullOrEmpty(tenantId))
             {
-                tenantId = claimsPrincipal.FindFirstValue(ClaimConstants.TenantId);
+                return claimsPrincipal.FindFirstValue(ClaimConstants.TenantId);
             }
+
             return tenantId;
         }
 
@@ -125,7 +128,7 @@ public static string GetDisplayName(this ClaimsPrincipal claimsPrincipal)
             // Finally falling back to name
             return claimsPrincipal.FindFirstValue(ClaimConstants.Name);
         }
-        
+
         /// <summary>
         /// Gets the user flow id associated with the <see cref="ClaimsPrincipal"/>
         /// </summary>
@@ -134,6 +137,11 @@ public static string GetDisplayName(this ClaimsPrincipal claimsPrincipal)
         public static string GetUserFlowId(this ClaimsPrincipal claimsPrincipal)
         {
             string userFlowId = claimsPrincipal.FindFirstValue(ClaimConstants.Tfp);
+            if (string.IsNullOrEmpty(userFlowId))
+            {
+                return claimsPrincipal.FindFirstValue(ClaimConstants.UserFlow);
+            }
+
             return userFlowId;
         }