Preparing Microsoft.Identity.Web for being distributed as a NuGet package #153
Conversation
1) Merging the content from microsoft-authentication-extensions-for-dotnet Web 2) Aligning the namespaces with the folder strucuture 3) Renaming files and classes per the style used in MSAL.NET
jmprieur
requested review from
kalyankrishna1,
MarkZuber,
bgavrilMS and
TiagoBrenck
2-WebApp-graph-user/2-1-Call-MSGraph/Controllers/HomeController.cs
Outdated
Show resolved
Hide resolved
| new ClaimsIdentity(new Claim[] | ||
| { | ||
| new Claim(ClaimConstants.Oid, account.HomeAccountId.ObjectId), | ||
| new Claim(ClaimConstants.Tid, account.HomeAccountId.TenantId), |
There was a problem hiding this comment.
It used to work before, and I have not changed the semantics. This should. Do you have a concern here, @bgavrilMS ?
There was a problem hiding this comment.
@jmprieur I don't know if this was Bogdan's concern, but TID is not presented on B2C tokens.
Microsoft.Identity.Web/Client/TokenCacheProviders/IMSALAppTokenCacheProvider.cs
Show resolved
Hide resolved
|
Thanks @bgavrilMS Also added documentation for the library. See Microsoft.Identity.Web/README.md |
There was a problem hiding this comment.
@jmprieur I believe we will face many challenges after releasing this package, but the community will help us to improve it and adjust it to be more generic. Having that said, I have a few considerations that I would like to point:
- We are expecting in many places that the config file have a section called
AzureAD. This requirement should be documented somewhere. - Is it possible to have more unit tests?
- The method
GetMsalAccountIdonClaimsPrincipalExtensionswont work for B2C apps because their tokens don't havetid. Hence, none of the token cache providers would be able to save the token cache. So, while we think about the B2C scenario, we should mention that the library wont be compatible to B2C yet. - On
MsalAppSqlTokenCacheProviderExtensionwe have the config:options.UseSqlServer(sqlTokenCacheOptions.SqlConnectionString)). This is enforcing the users to use SqlServer. What should be our approach here? Is there a way for the developer to configure it with whatever DB tool they want? - If we use the config
JwtSecurityTokenHandler.DefaultMapInboundClaims = falsethenoptions.TokenValidationParameters.NameClaimTypemust be set to name onJwtBearerOptions - If the developers want to use KeyVault to store their client secret for example, this code wouldn't allow them to use it out of the box, because it expects the client secret to be in the
appsetting.json. We need to find a strategy that decouples theIConfidentialClientApplicationbuild from theappsetting.jsonsection but this is a tricky one.
Great work Jean-Marc!
|
FYI. I think there is a bug in MsalAppMemoryTokenCacheProvider where See #162. #Resolved |
Microsoft.Identity.Web/MsalUiRequiredExceptionFilterAttribute.cs
Outdated
Show resolved
Hide resolved
| /// <param name="acceptedScopes">Scopes accepted by this web API</param> | ||
| /// <exception cref="HttpRequestException"/> with a <see cref="HttpResponse.StatusCode"/> set to | ||
| /// <see cref="HttpStatusCode.Unauthorized"/> | ||
| public static void VerifyUserHasAnyAcceptedScope(this HttpContext context, params string[] acceptedScopes) |
There was a problem hiding this comment.
VerifyUserHasAnyAcceptedScope [](start = 27, length = 29)
This pattern requires a call to this method to be placed in each and every one of every controller methods, which is very excessive. A check for needed scopes can be done in middleware, preferably after the token has been validated.
There was a problem hiding this comment.
I disagree on this one, @kalyankrishna1 : you are assuming that the web app / web api will have only one controller / action. I believe that real life applications have several actions, which would be each protected by their scope (at least the developer should chose)
Microsoft.Identity.Web/TokenCacheProviders/InMemory/MsalAppMemoryTokenCacheProvider.cs
Outdated
Show resolved
Hide resolved
Microsoft.Identity.Web/TokenCacheProviders/InMemory/MsalAppMemoryTokenCacheProvider.cs
Outdated
Show resolved
Hide resolved
Microsoft.Identity.Web/TokenCacheProviders/Sql/AppTokenCache.cs
Outdated
Show resolved
Hide resolved
| } | ||
|
|
||
| /// <summary> | ||
| /// Reads the cache data from the backend database. | ||
| /// </summary> | ||
| private void ReadCacheForSignedInApp(TokenCacheNotificationArgs args) | ||
| { | ||
| if (this.InMemoryCache == null) // first time access | ||
| if (_inMemoryCache == null) // first time access |
There was a problem hiding this comment.
I'm not sure waht value the in memory cache is providing because in order to determine whether you need to invalidate the cache, you have to query the DB anyway so you're already incurring the sql round trip and request cost. The only thing you're saving is the additional data coming across the wire which is very minimal in this case. I'd propose to simplify this code and remove the in memory cache for SQL.
There was a problem hiding this comment.
@kalyankrishna1 : what did you have in mind?
There was a problem hiding this comment.
Took me a while to remember, I couldn't believe this myself . This is a carry over from a perf improvement when Sql cache was sort of singleton for the whole app and this updated the cache when MSAL updated the cache. Not needed any more as the cache is scoped in aspnet lifecycle
There was a problem hiding this comment.
@kalyankrishna1 : shall I propose a PR to get rid of it?
cc: @MarkZuber
There was a problem hiding this comment.
I already have a PR going, expect it today
Microsoft.Identity.Web/TokenCacheProviders/Sql/MsalPerUserSqlTokenCacheProvider.cs
Outdated
Show resolved
Hide resolved
Microsoft.Identity.Web/TokenCacheProviders/Sql/TokenCacheDbContext.cs
Outdated
Show resolved
Hide resolved
…dWebApiWithMicrosoftIdentityPlatformV2
…takes the configuration (and optional parameters to let the developer choose the options section) => all the Startup.cs file using it are modified. Simplifying the implementation of the token cache serializers by creating a IMsalTokenCacheProvider interface and a MsalAbstractTokenCacheProvider class implementing the common code in all the token cache providers. Fixing a few code smells (including ConfigureAwait(false) where needed. Chaning the CallGraph solution to be a Visual Studio 2019 solution.
…eProvider, adding a class diagram and improving a README.md
…mAuthentication - Renamed AddProtectedWebApiWithMicrosoftIdentityPlatformV2 into AddProtectedWebApi
Remove the AsyncUsageAnalyzers Improves the build.bat and buildAllSln.proj to add more target (restore and clean)
|
@MarkZuber @TiagoBrenck |
jmprieur
changed the title
Purpose
Preparing Microsoft.Identity.Web for being disributed as a NuGet package
Does this introduce a breaking change?
Pull Request Type
What kind of change does this Pull Request introduce?
Code clean-up.
How to Test
What to Check
Verify that the following are valid
Other Information