Onboarding process for multi-tenant

Author: Tiago Brenck

1-WebApp-OIDC/1-2-AnyOrg/Controllers/HomeController.cs

@@ -1,18 +1,40 @@
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using System.Diagnostics;
+using System.Linq;
+using WebApp_OpenIDConnect_DotNet.DAL;
 using WebApp_OpenIDConnect_DotNet.Models;
 
 namespace WebApp_OpenIDConnect_DotNet.Controllers
 {
     [Authorize]
     public class HomeController : Controller
     {
-        public HomeController()
+        private readonly SampleDbContext dbContext;
+
+        public HomeController(SampleDbContext dbContext)
         {
+            this.dbContext = dbContext;
         }
 
         public IActionResult Index()
+        {
+            var authorizedTenants = dbContext.AuthorizedTenants.Where(x => x.TenantId != null && x.AuthorizedOn != null).ToList();
+            return View(authorizedTenants);
+        }
+
+        public IActionResult DeleteTenant(string id)
+        {
+            var tenants = dbContext.AuthorizedTenants.Where(x => x.TenantId == id).ToList();
+            dbContext.RemoveRange(tenants);
+            dbContext.SaveChanges();
+
+            return RedirectToAction("Index");
+        }
+
+        [AllowAnonymous]
+        [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
+        public IActionResult UnauthorizedTenant()
         {
             return View();
         }
@@ -21,7 +43,7 @@ public IActionResult Index()
         [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
         public IActionResult Error()
         {
-            return View(new ErrorViewModel {RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier});
+            return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
         }
     }
 }

1-WebApp-OIDC/1-2-AnyOrg/Controllers/OnboardingController.cs

@@ -0,0 +1,102 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication.AzureAD.UI;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http.Extensions;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Options;
+using WebApp_OpenIDConnect_DotNet.DAL;
+using WebApp_OpenIDConnect_DotNet.Models;
+
+namespace WebApp_OpenIDConnect_DotNet.Controllers
+{
+    [AllowAnonymous]
+    public class OnboardingController : Controller
+    {
+        private readonly SampleDbContext dbContext;
+        private readonly AzureADOptions azureADOptions;
+
+        public OnboardingController(SampleDbContext dbContext, IOptions<AzureADOptions> azureADOptions)
+        {
+            this.dbContext = dbContext;
+            this.azureADOptions = azureADOptions.Value;
+        }
+
+        [HttpGet]
+        public ActionResult SignUp()
+        {
+            return View();
+        }
+
+        [HttpPost]
+        [ValidateAntiForgeryToken]
+        public ActionResult Onboard()
+        {
+            // Generate a random value to identify the request
+            string stateMarker = Guid.NewGuid().ToString();
+
+            AuthorizedTenant authorizedTenant = new AuthorizedTenant
+            {
+                CreatedOn = DateTime.Now,
+                TempAuthorizationCode = stateMarker //Use the stateMarker as a tempCode, so we can find this entity on the ProcessCode method
+            };
+
+            dbContext.AuthorizedTenants.Add(authorizedTenant);
+            dbContext.SaveChanges();
+
+            string currentUri = UriHelper.BuildAbsolute(
+                this.Request.Scheme,
+                this.Request.Host,
+                this.Request.PathBase);
+
+            // Create an OAuth2 request, using the web app as the client.This will trigger a consent flow that will provision the app in the target tenant.
+            string authorizationRequest = string.Format(
+                "{0}common/adminconsent?client_id={1}&redirect_uri={2}&state={3}",
+                azureADOptions.Instance,
+                Uri.EscapeDataString(azureADOptions.ClientId),
+                Uri.EscapeDataString(currentUri + "Onboarding/ProcessCode"),
+                Uri.EscapeDataString(stateMarker));
+
+
+            return new RedirectResult(authorizationRequest);
+        }
+
+        // This is the redirect Uri for the admin consent authorization
+        public async Task<ActionResult> ProcessCode(string tenant, string error, string error_description, string resource, string state)
+        {
+            if (error != null)
+            {
+                TempData["ErrorMessage"] = error_description;
+                return RedirectToAction("Error", "Home");
+            }
+
+            // Check if tenant is already authorized
+            if(dbContext.AuthorizedTenants.FirstOrDefault(x => x.TenantId == tenant) != null)
+            {
+                return RedirectToAction("Index", "Home");
+            }
+
+            // Find a tenant carrying a TempAuthorizationCode that we previously saved
+            var preAuthorizedTenant = dbContext.AuthorizedTenants.FirstOrDefault(a => a.TempAuthorizationCode == state);
+
+            // If we don't find it, return an error because the state param was not generated from this app
+            if (preAuthorizedTenant == null)
+            {
+                TempData["ErrorMessage"] = "State verification failed.";
+                return RedirectToAction("Error", "Home");
+            }
+            else
+            {
+                // Update the authorized tenant with its Id
+                preAuthorizedTenant.TenantId = tenant;
+                preAuthorizedTenant.AuthorizedOn = DateTime.Now;
+
+                await dbContext.SaveChangesAsync();
+
+                return RedirectToAction("Index", "Home");
+            }
+        }
+    }
+}

1-WebApp-OIDC/1-2-AnyOrg/DAL/SampleDbContext.cs

@@ -0,0 +1,16 @@
+using Microsoft.EntityFrameworkCore;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using WebApp_OpenIDConnect_DotNet.Models;
+
+namespace WebApp_OpenIDConnect_DotNet.DAL
+{
+    public class SampleDbContext : DbContext
+    {
+        public SampleDbContext(DbContextOptions<SampleDbContext> options) : base(options) { }
+
+        public DbSet<AuthorizedTenant> AuthorizedTenants { get; set; }
+    }
+}

1-WebApp-OIDC/1-2-AnyOrg/Models/AuthorizedTenant.cs

@@ -0,0 +1,20 @@
+using System;
+using System.Collections.Generic;
+using System.ComponentModel.DataAnnotations;
+using System.ComponentModel.DataAnnotations.Schema;
+using System.Linq;
+using System.Threading.Tasks;
+
+namespace WebApp_OpenIDConnect_DotNet.Models
+{
+    public class AuthorizedTenant
+    {
+        [Key]
+        [DatabaseGenerated(DatabaseGeneratedOption.Identity)]
+        public int Id { get; set; }
+        public string TempAuthorizationCode { get; set; }
+        public string TenantId { get; set; }
+        public DateTime CreatedOn { get; set; }
+        public DateTime? AuthorizedOn { get; set; }
+    }
+}

1-WebApp-OIDC/1-2-AnyOrg/Startup.cs

@@ -1,13 +1,24 @@
 using Microsoft.AspNetCore.Authentication.AzureAD.UI;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Authorization;
+using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Identity.Web;
+using Microsoft.Identity.Web.Resource;
+using Microsoft.IdentityModel.Logging;
+using Microsoft.IdentityModel.Tokens;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using WebApp_OpenIDConnect_DotNet.DAL;
+using WebApp_OpenIDConnect_DotNet.Utils;
 
 namespace WebApp_OpenIDConnect_DotNet
 {
@@ -30,8 +41,42 @@ public void ConfigureServices(IServiceCollection services)
                 options.MinimumSameSitePolicy = SameSiteMode.None;
             });
 
+            services.AddOptions();
+
+            services.AddDbContext<SampleDbContext>(options => options.UseInMemoryDatabase(databaseName: "MultiTenantOnboarding"));
+
             // Sign-in users with the Microsoft identity platform
             services.AddMicrosoftIdentityPlatformAuthentication(Configuration);
+            
+            services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
+            {
+                //options.TokenValidationParameters = BuildTokenValidationParameters(options);
+                options.Events.OnTokenValidated = async context => 
+                {
+                    string tenantId = context.SecurityToken.Claims.FirstOrDefault(x => x.Type == "tid" || x.Type == "http://schemas.microsoft.com/identity/claims/tenantid")?.Value;
+
+                    if (string.IsNullOrWhiteSpace(tenantId))
+                        throw new UnauthorizedAccessException("Unable to get tenantId from token.");
+
+                    var dbContext = context.HttpContext.RequestServices.GetRequiredService<SampleDbContext>();
+
+                    var authorizedTenant = await dbContext.AuthorizedTenants.FirstOrDefaultAsync(t => t.TenantId == tenantId);
+
+                    if (authorizedTenant == null)
+                        throw new UnauthorizedTenantException("This tenant is not authorized");
+
+                };
+                options.Events.OnAuthenticationFailed = (context) =>
+                {
+                    if (context.Exception != null && context.Exception is UnauthorizedTenantException)
+                    {
+                        context.Response.Redirect("/Home/UnauthorizedTenant");
+                        context.HandleResponse(); // Suppress the exception
+                    }
+
+                    return Task.FromResult(0);
+                };
+            });
 
             services.AddMvc(options =>
             {

1-WebApp-OIDC/1-2-AnyOrg/Utils/UnauthorizedTenantException.cs

@@ -0,0 +1,13 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+
+namespace WebApp_OpenIDConnect_DotNet.Utils
+{
+    public class UnauthorizedTenantException : UnauthorizedAccessException
+    {
+        public UnauthorizedTenantException():base() { }
+        public UnauthorizedTenantException(string message):base(message) { }
+    }
+}

1-WebApp-OIDC/1-2-AnyOrg/Views/Home/Index.cshtml

@@ -1,11 +1,36 @@
-@{
+@model IEnumerable<AuthorizedTenant>
+@{
     ViewData["Title"] = "Home Page";
 }
 
 <h1>
     ASP.NET Core web app signing-in users in any Azure AD organization
 </h1>
 <p>
-    This sample shows how to build a .NET Core 2.2 MVC Web app that uses OpenID Connect to sign in users. Users can use work and school accounts from any company or organization that has integrated with Azure Active Directory. It leverages the ASP.NET Core OpenID Connect middleware.
+    This sample shows how to build a .NET Core MVC Web app that uses OpenID Connect to sign in users. Users can use work and school accounts from any company or organization that has integrated with Azure Active Directory. It leverages the ASP.NET Core OpenID Connect middleware.
 </p>
-<img src="https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/raw/master/1-WebApp-OIDC/1-2-AnyOrg/ReadmeFiles/sign-in.png"/>
+<img src="https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/raw/master/1-WebApp-OIDC/1-2-AnyOrg/ReadmeFiles/sign-in.png"/>
+<hr />
+
+<h2>Authorized Tenants</h2>
+<p>
+    These are the authorized tenants. If you want to repeat the onboarding process, deleted the desired tenants and <b>sign-out.</b>
+</p>
+
+<table class="table">
+    <thead>
+        <tr>
+            <th>Tenant Id</th>
+            <th></th>
+        </tr>
+    </thead>
+    <tbody>
+    @foreach (var tenant in Model)
+    {
+        <tr>
+            <td>@tenant.TenantId</td>
+            <td><a asp-controller="Home" asp-action="DeleteTenant" asp-route-id=@tenant.TenantId class="btn btn-danger">Delete</a></td>
+        </tr>
+    }
+    </tbody>
+</table>

1-WebApp-OIDC/1-2-AnyOrg/Views/Home/UnauthorizedTenant.cshtml

@@ -0,0 +1,10 @@
+
+@{
+    ViewData["Title"] = "UnauthorizedTenant";
+}
+
+<h2>Unauthorized Tenant</h2>
+<p>You have signed-in with a user from a Tenant that haven't been authorized by this application yet.</p>
+<p>The authorization can be done via the onboarding proccess.</p>
+<a class="btn btn-info" asp-controller="Onboarding" asp-action="SignUp">Take me to the onboarding process</a>
+

1-WebApp-OIDC/1-2-AnyOrg/Views/Onboarding/SignUp.cshtml

@@ -0,0 +1,22 @@
+
+@{
+    ViewData["Title"] = "SignUp";
+}
+
+<h2>Tenant Onboarding</h2>
+<div class="panel panel-info">
+    <div class="panel-heading"><h4>Instructions</h4></div>
+    <div class="panel-body">
+        <p>In this multi-tenant sample, only tenants that are registered on the database will have their tokens validated.</p>
+        <p>This step represents an onboarding process, where we will provide this application's service principle into the new client tenant, using the admin consent endpoint. Then, we save the tenantId on the database to accept tokens issued by them.</p>
+        <p>Click on the button below to prompt the admin consent screen and register your tenant. You must use an <b>admin account</b> on this step.</p>
+        <form asp-controller="Onboarding" asp-action="Onboard" method="post" class="form-horizontal" role="form">
+            @Html.AntiForgeryToken()
+            <div>
+                <button type="submit" class="btn btn-info">Register my tenant</button>
+            </div>
+        </form>
+    </div>
+</div>
+
+

1-WebApp-OIDC/1-2-AnyOrg/Views/Shared/Error.cshtml

@@ -13,10 +13,8 @@
     </p>
 }
 
-<h3>Development Mode</h3>
-<p>
-    Swapping to <strong>Development</strong> environment will display more detailed information about the error that occurred.
-</p>
-<p>
-    <strong>Development environment should not be enabled in deployed applications</strong>, as it can result in sensitive information from exceptions being displayed to end users. For local debugging, development environment can be enabled by setting the <strong>ASPNETCORE_ENVIRONMENT</strong> environment variable to <strong>Development</strong>, and restarting the application.
-</p>
+@if (TempData["ErrorMessage"] != null)
+{
+    <p class="text-danger">@TempData["ErrorMessage"]</p>
+}
+