Changes to use Session data for Authorization

Shama-K · Shama-K · commit 1c4b6a2d83ae · 2020-09-10T17:24:28.000-07:00
diff --git a/5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/Configure.ps1 b/5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/Configure.ps1
@@ -253,6 +253,8 @@ Function ConfigureApplications
    Write-Host "- For 'webApp'"
    Write-Host "  - Navigate to '$webAppPortalUrl'"
    Write-Host "  - Navigate to the API Permissions page and select 'Grant admin consent for (your tenant)'" -ForegroundColor Red 
+   Write-Host "  - On Azure Portal, create a security group named GroupAdmin, assign some users to it, and configure your ID and Access token to emit GroupID in your app registration. Configure the value for 'GroupAdmin' key in appsettings.json." -ForegroundColor Red 
+   Write-Host "  - On Azure Portal, create a security group named GroupMember, assign some users to it, and configure your ID and Access token to emit GroupID in your app registration. Configure the value for 'GroupMember' key in appsettings.json." -ForegroundColor Red 
 
    Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
      
diff --git a/5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/sample.json b/5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/sample.json
@@ -31,6 +31,12 @@
       "ManualSteps": [
         {
           "Comment": "Navigate to the API Permissions page and select 'Grant admin consent for (your tenant)'"
+        },
+        {
+          "Comment": "On Azure Portal, create a security group named GroupAdmin, assign some users to it, and configure your ID and Access token to emit GroupID in your app registration. Configure the value for 'GroupAdmin' key in appsettings.json."
+        },
+        {
+          "Comment": "On Azure Portal, create a security group named GroupMember, assign some users to it, and configure your ID and Access token to emit GroupID in your app registration. Configure the value for 'GroupMember' key in appsettings.json."
         }
       ]
     }
diff --git a/5-WebApp-AuthZ/5-2-Groups/Controllers/UserProfileController.cs b/5-WebApp-AuthZ/5-2-Groups/Controllers/UserProfileController.cs
@@ -1,4 +1,5 @@
-﻿using Microsoft.AspNetCore.Mvc;
+﻿using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
 using Microsoft.Graph;
 using Microsoft.Identity.Web;
 using System.Threading.Tasks;
@@ -16,7 +17,7 @@ public UserProfileController(GraphServiceClient graphServiceClient)
         {
             this.graphServiceClient= graphServiceClient;
         }
-
+        [Authorize(Policy = "GroupAdmin")]
         [AuthorizeForScopes(Scopes = new[] { Constants.ScopeUserRead })]        
         public async Task<IActionResult> Index()
         {
diff --git a/5-WebApp-AuthZ/5-2-Groups/Infrastructure/CustomAuthorization.cs b/5-WebApp-AuthZ/5-2-Groups/Infrastructure/CustomAuthorization.cs
@@ -0,0 +1,56 @@
+﻿using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc.Filters;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+namespace WebApp_OpenIDConnect_DotNet.Infrastructure
+{
+    public class GroupPolicyHandler : AuthorizationHandler<GroupPolicyRequirement>
+    {
+        private IHttpContextAccessor _httpContextAccessor;
+
+        public GroupPolicyHandler(IHttpContextAccessor httpContextAccessor)
+        {
+            _httpContextAccessor = httpContextAccessor;
+        }
+        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
+                                                   GroupPolicyRequirement requirement)
+        {
+            // Checks if groups claim exists in claims collection of signed-in User.
+            if (context.User.Claims.Any(x => x.Type == "groups"))
+            {
+                if (context.User.Claims.Any(x => x.Type == "groups" && x.Value == requirement.GroupName))
+                {
+                    context.Succeed(requirement);
+                }
+                return Task.CompletedTask;
+            }
+
+            // Checks if Session contains data for groupClaims.
+            // The data will exist for 'Group Overage' claim.
+            else if (_httpContextAccessor.HttpContext.Session.Keys.Contains("groupClaims"))
+            {
+                // Retrieves all the groups saved in Session.
+                var groups = _httpContextAccessor.HttpContext.Session.GetAsByteArray("groupClaims") as List<string>;
+                groups = null;
+
+                // Checks if required group exists in Session.
+                if (groups?.Count > 0 && groups.Contains(requirement.GroupName))
+                {
+                    context.Succeed(requirement);
+                }
+            }
+            return Task.CompletedTask;
+        }
+    }
+    public class GroupPolicyRequirement : IAuthorizationRequirement
+    {
+        public string GroupName { get; }
+        public GroupPolicyRequirement(string GroupName)
+        {
+            this.GroupName = GroupName;
+        }
+    }
+}
diff --git a/5-WebApp-AuthZ/5-2-Groups/Services/MicrosoftGraph-Rest/GraphHelper.cs b/5-WebApp-AuthZ/5-2-Groups/Services/MicrosoftGraph-Rest/GraphHelper.cs
@@ -85,6 +85,9 @@ public static async Task<List<string>> GetSignedInUsersGroups(TokenValidatedCont
                                         // groupClaims.Add(group.OnPremisesNetBiosName+"\\"+group.OnPremisesSamAccountName));
                                         groupClaims.Add(group.Id);
                                     }
+
+                                    // Here we add the groups in a session variable that is used in authorization policy handler.
+                                    context.HttpContext.Session.SetAsByteArray("groupClaims", groupClaims);
                                 }
                             }
                         }
@@ -107,9 +110,6 @@ public static async Task<List<string>> GetSignedInUsersGroups(TokenValidatedCont
                 }
             }
 
-            // Here we add the groups in a session variable to print on the home page for informational purposes
-            context.HttpContext.Session.SetAsByteArray("groupClaims", groupClaims);
-
             return groupClaims;
         }
 
diff --git a/5-WebApp-AuthZ/5-2-Groups/Startup.cs b/5-WebApp-AuthZ/5-2-Groups/Startup.cs
@@ -47,20 +47,26 @@ public void ConfigureServices(IServiceCollection services)
                     options.Events.OnTokenValidated = async context =>
                     {
                         //Calls method to process groups overage claim.
-                        await GraphHelper.GetSignedInUsersGroups(context);
+                        var groupClaims = await GraphHelper.GetSignedInUsersGroups(context);
+                    };
+                    options.Events.OnSignedOutCallbackRedirect = async context =>
+                    {
+                        context.HttpContext.Session.Clear();
                     };
                 }, options => { Configuration.Bind("AzureAd", options); })
                     .EnableTokenAcquisitionToCallDownstreamApi(options => Configuration.Bind("AzureAd", options), initialScopes)
                     .AddMicrosoftGraph(Configuration.GetSection("GraphAPI"))
                     .AddInMemoryTokenCaches();
 
-            services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
+            // Adding authorization policies that enforce authorization using group values.
+            services.AddAuthorization(options =>
             {
-                // The following code instructs the ASP.NET Core middleware to use the data in the "groups" claim in the [Authorize] attribute and for User.IsInRole()
-                // Uncomment the following if you wish to use groups for roles
-                // See https://docs.microsoft.com/en-us/aspnet/core/security/authorization/roles for more info.
-                // options.TokenValidationParameters.RoleClaimType = "groups";
+            options.AddPolicy("GroupAdmin",
+            policy => policy.Requirements.Add(new GroupPolicyRequirement(Configuration["Groups:GroupAdmin"])));
+                options.AddPolicy("GroupMember",
+              policy => policy.Requirements.Add(new GroupPolicyRequirement(Configuration["Groups:GroupMember"])));
             });
+            services.AddSingleton<IAuthorizationHandler, GroupPolicyHandler>();
 
             services.AddDistributedMemoryCache();
             services.AddSession(options =>
diff --git a/5-WebApp-AuthZ/5-2-Groups/appsettings.json b/5-WebApp-AuthZ/5-2-Groups/appsettings.json
@@ -14,6 +14,10 @@
     "BaseUrl": "https://graph.microsoft.com/v1.0",
     "Scopes": "User.Read GroupMember.Read.All"
   },
+  "Groups": {
+    "GroupAdmin": "Enter the objectID for GroupAdmin group copied from Azure Portal",
+    "GroupMember": "Enter the objectID for GroupMember group copied from Azure Portal"
+  },
   "Logging": {
     "LogLevel": {
         "Default": "Information",

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,12 @@`
`31`	`31`	`"ManualSteps": [`
`32`	`32`	`{`
`33`	`33`	`"Comment": "Navigate to the API Permissions page and select 'Grant admin consent for (your tenant)'"`
	`34`	`+ },`
	`35`	`+ {`
	`36`	`+ "Comment": "On Azure Portal, create a security group named GroupAdmin, assign some users to it, and configure your ID and Access token to emit GroupID in your app registration. Configure the value for 'GroupAdmin' key in appsettings.json."`
	`37`	`+ },`
	`38`	`+ {`
	`39`	`+ "Comment": "On Azure Portal, create a security group named GroupMember, assign some users to it, and configure your ID and Access token to emit GroupID in your app registration. Configure the value for 'GroupMember' key in appsettings.json."`
`34`	`40`	`}`
`35`	`41`	`]`
`36`	`42`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`		`-using Microsoft.AspNetCore.Mvc;`
	`1`	`+using Microsoft.AspNetCore.Authorization;`
	`2`	`+using Microsoft.AspNetCore.Mvc;`
`2`	`3`	`using Microsoft.Graph;`
`3`	`4`	`using Microsoft.Identity.Web;`
`4`	`5`	`using System.Threading.Tasks;`
`@@ -16,7 +17,7 @@ public UserProfileController(GraphServiceClient graphServiceClient)`
`16`	`17`	`{`
`17`	`18`	`this.graphServiceClient= graphServiceClient;`
`18`	`19`	`}`
`19`		`-`
	`20`	`+ [Authorize(Policy = "GroupAdmin")]`
`20`	`21`	`[AuthorizeForScopes(Scopes = new[] { Constants.ScopeUserRead })]`
`21`	`22`	`public async Task<IActionResult> Index()`
`22`	`23`	`{`
Original file line number	Diff line number	Diff line change
`@@ -85,6 +85,9 @@ public static async Task<List<string>> GetSignedInUsersGroups(TokenValidatedCont`
`85`	`85`	`// groupClaims.Add(group.OnPremisesNetBiosName+"\\"+group.OnPremisesSamAccountName));`
`86`	`86`	`groupClaims.Add(group.Id);`
`87`	`87`	`}`
	`88`	`+`
	`89`	`+ // Here we add the groups in a session variable that is used in authorization policy handler.`
	`90`	`+ context.HttpContext.Session.SetAsByteArray("groupClaims", groupClaims);`
`88`	`91`	`}`
`89`	`92`	`}`
`90`	`93`	`}`
`@@ -107,9 +110,6 @@ public static async Task<List<string>> GetSignedInUsersGroups(TokenValidatedCont`
`107`	`110`	`}`
`108`	`111`	`}`
`109`	`112`
`110`		`- // Here we add the groups in a session variable to print on the home page for informational purposes`
`111`		`- context.HttpContext.Session.SetAsByteArray("groupClaims", groupClaims);`
`112`		`-`
`113`	`113`	`return groupClaims;`
`114`	`114`	`}`
`115`	`115`