sync reusable lib in asp.net core web app and web api tutorials

Author: jmprieur

Microsoft.Identity.Web/Client/TokenAcquisition.cs

@@ -128,7 +128,7 @@ public async Task AddAccountToCacheFromAuthorizationCode(AuthorizationCodeReceiv
                 // even if it's not done yet, so that it does not concurrently call the Token endpoint.
                 context.HandleCodeRedemption();
 
-                var application = BuildConfidentialClientApplication(context.HttpContext, context.Principal);
+                var application = GetOrBuildConfidentialClientApplication(context.HttpContext, context.Principal);
 
                 // Do not share the access token with ASP.NET Core otherwise ASP.NET will cache it and will not send the OAuth 2.0 request in
                 // case a further call to AcquireTokenByAuthorizationCodeAsync in the future for incremental consent (getting a code requesting more scopes)
@@ -164,7 +164,7 @@ public async Task<string> GetAccessTokenOnBehalfOfUser(HttpContext context, IEnu
                 throw new ArgumentNullException(nameof(scopes));
 
             // Use MSAL to get the right token to call the API
-            var application = BuildConfidentialClientApplication(context, context.User);
+            var application = GetOrBuildConfidentialClientApplication(context, context.User);
 
             // Case of a lazy OBO
             Claim jwtClaim = context.User.FindFirst("jwt");
@@ -262,7 +262,7 @@ public void AddAccountToCacheFromJwt(AspNetCore.Authentication.OpenIdConnect.Tok
         public async Task RemoveAccount(RedirectContext context)
         {
             ClaimsPrincipal user = context.HttpContext.User;
-            IConfidentialClientApplication app = BuildConfidentialClientApplication(context.HttpContext, user);
+            IConfidentialClientApplication app = GetOrBuildConfidentialClientApplication(context.HttpContext, user);
             IAccount account = await app.GetAccountAsync(context.HttpContext.User.GetMsalAccountId());
 
             // Workaround for the guest account
@@ -280,6 +280,23 @@ public async Task RemoveAccount(RedirectContext context)
             }
         }
 
+        IConfidentialClientApplication application;
+
+        /// <summary>
+        /// Creates an MSAL Confidential client application if needed
+        /// </summary>
+        /// <param name="httpContext"></param>
+        /// <param name="claimsPrincipal"></param>
+        /// <returns></returns>
+        private IConfidentialClientApplication GetOrBuildConfidentialClientApplication(HttpContext httpContext, ClaimsPrincipal claimsPrincipal)
+        {
+            if (application == null)
+            {
+                application = BuildConfidentialClientApplication(httpContext, claimsPrincipal);
+            }
+            return application;
+        }
+
         /// <summary>
         /// Creates an MSAL Confidential client application
         /// </summary>
@@ -376,7 +393,8 @@ private void AddAccountToCacheFromJwt(IEnumerable<string> scopes, JwtSecurityTok
                 IEnumerable<string> requestedScopes;
                 if (jwtToken != null)
                 {
-                    userAssertion = new UserAssertion(jwtToken.RawData, "urn:ietf:params:oauth:grant-type:jwt-bearer");
+                    string rawData = (jwtToken.InnerToken != null) ? jwtToken.InnerToken.RawData : jwtToken.RawData;
+                    userAssertion = new UserAssertion(rawData, "urn:ietf:params:oauth:grant-type:jwt-bearer");
                     requestedScopes = scopes ?? jwtToken.Audiences.Select(a => $"{a}/.default");
                 }
                 else
@@ -385,7 +403,7 @@ private void AddAccountToCacheFromJwt(IEnumerable<string> scopes, JwtSecurityTok
                     // TODO: Understand if we could support other kind of client assertions (SAML);
                 }
 
-                var application = BuildConfidentialClientApplication(httpContext, principal);
+                var application = GetOrBuildConfidentialClientApplication(httpContext, principal);
 
                 // .Result to make sure that the cache is filled-in before the controller tries to get access tokens
                 var result = application.AcquireTokenOnBehalfOf(requestedScopes.Except(scopesRequestedByMsalNet), userAssertion)

Microsoft.Identity.Web/Client/TokenCacheProviders/InMemory/MSALPerUserMemoryTokenCacheProvider.cs

@@ -56,7 +56,7 @@ public MSALPerUserMemoryTokenCacheProvider(IMemoryCache cache, MSALMemoryTokenCa
             this.memoryCache = cache;
             this.httpContextAccessor = httpContextAccessor;
 
-            if (option != null)
+            if (option == null)
             {
                 this.CacheOptions = new MSALMemoryTokenCacheOptions();
             }

Microsoft.Identity.Web/Resource/ScopesRequiredByWebAPIExtension.cs

@@ -0,0 +1,38 @@
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net;
+using System.Net.Http;
+using System.Security.Claims;
+using System.Text;
+
+namespace Microsoft.Identity.Web.Resource
+{
+    public static class ScopesRequiredByWebAPIExtension
+    {
+        /// <summary>
+        /// When applied to an <see cref="HttpContext"/>, verifies that the user authenticated in the Web API has any of the
+        /// accepted scopes. If the authentication user does not have any of these <paramref name="acceptedScopes"/>, the
+        /// method throws an HTTP Unauthorized with the message telling which scopes are expected in the token
+        /// </summary>
+        /// <param name="acceptedScopes">Scopes accepted by this API</param>
+        /// <exception cref="HttpRequestException"/> with a <see cref="HttpResponse.StatusCode"/> set to 
+        /// <see cref="HttpStatusCode.Unauthorized"/>
+        public static void VerifyUserHasAnyAcceptedScope(this HttpContext context, params string[] acceptedScopes)
+        {
+            if (acceptedScopes == null)
+            {
+                throw new ArgumentNullException(nameof(acceptedScopes));
+            }
+            Claim scopeClaim = context?.User?.FindFirst("http://schemas.microsoft.com/identity/claims/scope");
+            if (scopeClaim == null || !scopeClaim.Value.Split(' ').Intersect(acceptedScopes).Any())
+            {
+                context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
+                string message = $"The 'scope' claim does not contain scopes '{string.Join(",", acceptedScopes)}' or was not found";
+                throw new HttpRequestException(message);
+            }
+        }
+    }
+}

Microsoft.Identity.Web/WebApiStartupHelpers.cs

@@ -5,10 +5,12 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Identity.Web.Client;
 using Microsoft.Identity.Web.Resource;
+using Microsoft.IdentityModel.Tokens;
 using System.Collections.Generic;
 using System.IdentityModel.Tokens.Jwt;
 using System.Linq;
 using System.Security.Claims;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
 
 namespace Microsoft.Identity.Web
@@ -22,7 +24,7 @@ public static class WebApiStartupHelpers
         /// <param name="services">Service collection to which to add authentication</param>
         /// <param name="configuration">Configuration</param>
         /// <returns></returns>
-        public static IServiceCollection AddProtectWebApiWithMicrosoftIdentityPlatformV2(this IServiceCollection services, IConfiguration configuration)
+        public static IServiceCollection AddProtectWebApiWithMicrosoftIdentityPlatformV2(this IServiceCollection services, IConfiguration configuration, X509Certificate2 tokenDecryptionCertificate = null)
         {
             services.AddAuthentication(AzureADDefaults.JwtBearerAuthenticationScheme)
                     .AddAzureADBearer(options => configuration.Bind("AzureAd", options));
@@ -45,6 +47,12 @@ public static IServiceCollection AddProtectWebApiWithMicrosoftIdentityPlatformV2
                 // we inject our own multitenant validation logic (which even accepts both V1 and V2 tokens)
                 options.TokenValidationParameters.IssuerValidator = AadIssuerValidator.GetIssuerValidator(options.Authority).ValidateAadIssuer;
 
+                // If you provide a token decryption certificate, it will be used to decrypt the token
+                if (tokenDecryptionCertificate != null)
+                {
+                    options.TokenValidationParameters.TokenDecryptionKey = new X509SecurityKey(tokenDecryptionCertificate);
+                }
+
                 // When an access token for our own Web API is validated, we add it to MSAL.NET's cache so that it can
                 // be used from the controllers.
                 options.Events = new JwtBearerEvents();
@@ -66,14 +74,13 @@ public static IServiceCollection AddProtectWebApiWithMicrosoftIdentityPlatformV2
         /// will be kept with the user's claims until the API calls a downstream API. Otherwise the account for the 
         /// user is immediately added to the token cache</param>
         /// <returns></returns>
-        public static IServiceCollection AddProtectedApiCallsWebApis(this IServiceCollection services, IConfiguration configuration, IEnumerable<string> scopes=null)
+        public static IServiceCollection AddProtectedApiCallsWebApis(this IServiceCollection services, IConfiguration configuration, IEnumerable<string> scopes = null)
         {
             services.AddTokenAcquisition();
             services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
             {
                 // If you don't pre-provide scopes when adding calling AddProtectedApiCallsWebApis, the On behalf of
                 // flow will be delayed (lazy construction of MSAL's application
-
                 options.Events.OnTokenValidated = async context =>
                 {
                     if (scopes != null && scopes.Any())
@@ -87,7 +94,12 @@ public static IServiceCollection AddProtectedApiCallsWebApis(this IServiceCollec
                         context.Success();
 
                         // Todo : rather use options.SaveToken?
-                        (context.Principal.Identity as ClaimsIdentity).AddClaim(new Claim("jwt", (context.SecurityToken as JwtSecurityToken).RawData));
+                        JwtSecurityToken jwtSecurityToken = context.SecurityToken as JwtSecurityToken;
+                        if (jwtSecurityToken != null)
+                        {
+                            string rawData = (jwtSecurityToken.InnerToken != null) ? jwtSecurityToken.InnerToken.RawData : jwtSecurityToken.RawData;
+                            (context.Principal.Identity as ClaimsIdentity).AddClaim(new Claim("jwt", rawData));
+                        }
                     }
                     // Adds the token to the cache, and also handles the incremental consent and claim challenges
                     await Task.FromResult(0);