Tonnes of enhancements

Author: kalyankrishna1

5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/BulkCreateGroups.ps1

@@ -6,10 +6,11 @@
 
 $ErrorActionPreference = "Stop"
 
+ # ObjectId of the user to be assigned to these security groups. The ObjectId can be obtained via Graph Explorer or in the "Users" blade on the portal.
+$usersobjectId = "695a3e1d-2e9f-4d24-aa3c-ac795c16f25c"
+
 Get-AzureADUser -ObjectId $usersobjectId
 
- # ObjectId of the user to be assigned to these security groups. The ObjectId can be obtained via Graph Explorer or in the "Users" blade on the portal.
-$usersobjectId = "5b6e08a5-7789-4ae0-a4cb-3d73b4097752"
 $groupNamePrefix = "TestGroup"
 $numberOfGroupsToCreate = 222;
 

5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/BulkRemoveGroups.ps1

@@ -10,7 +10,12 @@ $numberOfGroupsToDelete = 222;
 for($i = 1; $i -le $numberOfGroupsToDelete; $i++)
 {
   $groupName = $groupNamePrefix + $i
-  $group = Get-AzureADGroup -SearchString $groupName
-  Remove-AzureADGroup -ObjectId $group.ObjectId
-  Write-Host "Successfully deleted $($group.DisplayName)"
+  $groups = Get-AzureADGroup -SearchString $groupName
+
+  Foreach ($group in $groups)
+  {
+    Write-Host "Trying to delete group $($group.DisplayName)"
+    Remove-AzureADGroup -ObjectId $group.ObjectId
+    Write-Host "Successfully deleted $($group.DisplayName)"
+  } 
 }

5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/Configure.ps1

@@ -102,6 +102,42 @@ Function GetRequiredPermissions([string] $applicationDisplayName, [string] $requ
 }
 
 
+Function UpdateLine([string] $line, [string] $value)
+{
+    $index = $line.IndexOf('=')
+    $delimiter = ';'
+    if ($index -eq -1)
+    {
+        $index = $line.IndexOf(':')
+        $delimiter = ','
+    }
+    if ($index -ige 0)
+    {
+        $line = $line.Substring(0, $index+1) + " "+'"'+$value+'"'+$delimiter
+    }
+    return $line
+}
+
+Function UpdateTextFile([string] $configFilePath, [System.Collections.HashTable] $dictionary)
+{
+    $lines = Get-Content $configFilePath
+    $index = 0
+    while($index -lt $lines.Length)
+    {
+        $line = $lines[$index]
+        foreach($key in $dictionary.Keys)
+        {
+            if ($line.Contains($key))
+            {
+                $lines[$index] = UpdateLine $line $dictionary[$key]
+            }
+        }
+        $index++
+    }
+
+    Set-Content -Path $configFilePath -Value $lines -Force
+}
+
 Set-Content -Value "<html><body><table>" -Path createdApps.html
 Add-Content -Value "<thead><tr><th>Application</th><th>AppId</th><th>Url in the Azure portal</th></tr></thead><tbody>" -Path createdApps.html
 
@@ -207,8 +243,10 @@ Function ConfigureApplications
 
    # Update config file for 'webApp'
    $configFile = $pwd.Path + "\..\appsettings.json"
+
    Write-Host "Updating the sample code ($configFile)"
-  
+   $dictionary = @{ "ClientId" = $webAppAadApplication.AppId;"TenantId" = $tenantId;"Domain" = $tenantName;"ClientSecret" = $webAppAppKey };
+   UpdateTextFile -configFilePath $configFile -dictionary $dictionary
    Write-Host ""
    Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
    Write-Host "IMPORTANT: Please follow the instructions below to complete a few manual step(s) in the Azure portal":

5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/sample.json

@@ -45,7 +45,7 @@
   "CodeConfiguration": [
     {
       "App": "webApp",
-      "SettingKind": "JSon",
+      "SettingKind": "JSON",
       "SettingFile": "\\..\\appsettings.json",
       "Mappings": [
         {

5-WebApp-AuthZ/5-2-Groups/Controllers/HomeController.cs

@@ -1,8 +1,12 @@
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using System.Collections.Generic;
 using System.Diagnostics;
 using System.Security.Claims;
 using WebApp_OpenIDConnect_DotNet.Models;
+using WebApp_OpenIDConnect_DotNet.Infrastructure;
+using System.Linq;
+using Microsoft.AspNetCore.Http;
 
 namespace WebApp_OpenIDConnect_DotNet.Controllers
 {
@@ -16,14 +20,20 @@ public HomeController()
         public IActionResult Index()
         {
             ViewData["User"] = HttpContext.User;
+
+            // If groups overage occurred..
+            if (HttpContext.Session.Keys.Contains("groupClaims"))
+            {
+                ViewData.Add("groupClaims", HttpContext.Session.GetAsByteArray("groupClaims") as List<string>);
+            }
             return View();
         }
 
         [AllowAnonymous]
         [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
         public IActionResult Error()
         {
-            return View(new ErrorViewModel {RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier});
+            return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
         }
     }
 }

5-WebApp-AuthZ/5-2-Groups/Infrastructure/SessionExtensions.cs

@@ -0,0 +1,37 @@
+using Microsoft.AspNetCore.Http;
+using Newtonsoft.Json;
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Runtime.Serialization.Formatters.Binary;
+using System.Text.Json;
+using System.Threading.Tasks;
+
+namespace WebApp_OpenIDConnect_DotNet.Infrastructure
+{
+    public static class SessionExtensions
+    {
+        public static void SetAsByteArray(this ISession session, string key, object toSerialize)
+        {
+            var binaryFormatter = new BinaryFormatter();
+            var memoryStream = new MemoryStream();
+            binaryFormatter.Serialize(memoryStream, toSerialize);
+
+            session.Set(key, memoryStream.ToArray());
+        }
+
+        public static object GetAsByteArray(this ISession session, string key)
+        {
+            var memoryStream = new MemoryStream();
+            var binaryFormatter = new BinaryFormatter();
+
+            var objectBytes = session.Get(key) as byte[];
+            memoryStream.Write(objectBytes, 0, objectBytes.Length);
+            memoryStream.Position = 0;
+
+            return binaryFormatter.Deserialize(memoryStream);
+
+        }
+    }
+}

5-WebApp-AuthZ/5-2-Groups/README.md

@@ -135,6 +135,10 @@ As a first step you'll need to:
    - In the *Commonly used Microsoft APIs* section, click on **Microsoft Graph**
    - In the **Delegated permissions** section, select the **GroupMember.Read.All** in the list. Use the search box if necessary.
    - Click on the **Add permissions** button at the bottom.
+1. At this stage permissions are assigned correctly and the **GroupMember.Read.All** requires admin to consent.
+   Click the **Grant/revoke admin consent for {tenant}** button, and then select **Yes** when you are asked if you want to grant consent for the
+   requested permissions for all account in the tenant.
+   You need to be an Azure AD tenant admin to do this.
 
 #### Configure your application to receive the **groups** claim
 

5-WebApp-AuthZ/5-2-Groups/Services/MicrosoftGraph-Rest/GraphHelper.cs

@@ -7,18 +7,21 @@
 using System.Linq;
 using System.Security.Claims;
 using System.Threading.Tasks;
+using WebApp_OpenIDConnect_DotNet.Infrastructure;
 
-namespace WebApp_OpenIDConnect_DotNet.Services.GroupProcessing
+namespace WebApp_OpenIDConnect_DotNet.Services
 {
     public class GraphHelper
     {
         /// <summary>
-        /// This method inspects the claims collection created from the ID or Access token and detects groups overage. If Groups overage is detected, the method then makes calls to
-        /// Microsoft Graph to fetch the group membership of the authenticated user.
+        /// This method inspects the claims collection created from the ID or Access token issued to a user and returns the groups that are present in the token . If it detects groups overage,
+        /// the method then makes calls to Microsoft Graph to fetch the group membership of the authenticated user.
         /// </summary>
         /// <param name="context">TokenValidatedContext</param>
-        public static async Task ProcessClaimsForGroupsOverage(TokenValidatedContext context)
+        public static async Task<List<string>> GetSignedInUsersGroups(TokenValidatedContext context)
         {
+            List<string> groupClaims = new List<string>();
+
             try
             {
                 // Checks if the incoming token contained a 'Group Overage' claim.
@@ -36,7 +39,7 @@ public static async Task ProcessClaimsForGroupsOverage(TokenValidatedContext con
                     // For the Web App, SecurityToken contains value of the ID Token.
                     else if (context.SecurityToken != null)
                     {
-                        // Checks if 'JwtSecurityTokenUsedToCallWebAPI' key already exists. 
+                        // Checks if 'JwtSecurityTokenUsedToCallWebAPI' key already exists.
                         // This key is required to acquire Access Token for Graph Service Client.
                         if (!context.HttpContext.Items.ContainsKey("JwtSecurityTokenUsedToCallWebAPI"))
                         {
@@ -48,18 +51,19 @@ public static async Task ProcessClaimsForGroupsOverage(TokenValidatedContext con
 
                         // The properties that we want to retrieve from MemberOf endpoint.
                         string select = "id,displayName,onPremisesNetBiosName,onPremisesDomainName,onPremisesSamAccountNameonPremisesSecurityIdentifier";
-                       
+
                         IUserMemberOfCollectionWithReferencesPage memberPage = new UserMemberOfCollectionWithReferencesPage();
                         try
                         {
                             //Request to get groups and directory roles that the user is a direct member of.
                             memberPage = await graphClient.Me.MemberOf.Request().Select(select).GetAsync().ConfigureAwait(false);
                         }
-                        catch(Exception graphEx)
+                        catch (Exception graphEx)
                         {
                             var exMsg = graphEx.InnerException != null ? graphEx.InnerException.Message : graphEx.Message;
-                            Console.WriteLine("Call to Microsoft Graph failed: "+ exMsg);
+                            Console.WriteLine("Call to Microsoft Graph failed: " + exMsg);
                         }
+
                         if (memberPage?.Count > 0)
                         {
                             // There is a limit to number of groups returned, below method make calls to Microsoft graph to get all the groups.
@@ -72,9 +76,7 @@ public static async Task ProcessClaimsForGroupsOverage(TokenValidatedContext con
                                 if (identity != null)
                                 {
                                     // Remove any existing groups claim
-                                    RemoveExistingClaim(identity);
-
-                                    List<Claim> groupClaims = new List<Claim>();
+                                    RemoveExistingClaims(identity);
 
                                     // Re-populate the `groups` claim with the complete list of groups fetched from MS Graph
                                     foreach (Group group in allgroups)
@@ -83,8 +85,8 @@ public static async Task ProcessClaimsForGroupsOverage(TokenValidatedContext con
                                         // the app registration, you might want to add other attributes than id to the `groups` claim, examples being;
 
                                         // For instance if the required format is 'NetBIOSDomain\sAMAccountName' then the code is as commented below:
-                                        // groupClaims.AddClaim(new Claim("groups", group.OnPremisesNetBiosName+"\\"+group.OnPremisesSamAccountName));
-                                        groupClaims.Add(new Claim("groups", group.Id));
+                                        // groupClaims.Add(group.OnPremisesNetBiosName+"\\"+group.OnPremisesSamAccountName));
+                                        groupClaims.Add(group.Id);
                                     }
                                 }
                             }
@@ -103,10 +105,15 @@ public static async Task ProcessClaimsForGroupsOverage(TokenValidatedContext con
                 {
                     // Removes 'JwtSecurityTokenUsedToCallWebAPI' from Items collection.
                     // If not removed then it can cause failure to the application.
-                    // Because this key is also added by StoreTokenUsedToCallWebAPI method of Microsoft.Identity.Web. 
+                    // Because this key is also added by StoreTokenUsedToCallWebAPI method of Microsoft.Identity.Web.
                     context.HttpContext.Items.Remove("JwtSecurityTokenUsedToCallWebAPI");
                 }
             }
+
+            // Here we add the groups in a session variable to print on the home page for informational purposes
+            context.HttpContext.Session.SetAsByteArray("groupClaims", groupClaims);
+
+            return groupClaims;
         }
 
         /// <summary>

5-WebApp-AuthZ/5-2-Groups/Startup.cs

@@ -8,10 +8,10 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Identity.Web;
-using Microsoft.Identity.Web.TokenCacheProviders.InMemory;
 using Microsoft.Identity.Web.UI;
+using System;
 using WebApp_OpenIDConnect_DotNet.Infrastructure;
-using WebApp_OpenIDConnect_DotNet.Services.GroupProcessing;
+using WebApp_OpenIDConnect_DotNet.Services;
 
 namespace WebApp_OpenIDConnect_DotNet
 {
@@ -33,7 +33,7 @@ public void ConfigureServices(IServiceCollection services)
                 // This lambda determines whether user consent for non-essential cookies is needed for a given request.
                 options.CheckConsentNeeded = context => true;
                 options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
-                // Handling SameSite cookie according to https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1
+                // Handling SameSite cookie according to https://docs.microsoft.com/en-us/aspnet/core/security/samesite
                 options.HandleSameSiteCookieCompatibility();
             });
 
@@ -47,7 +47,7 @@ public void ConfigureServices(IServiceCollection services)
                     options.Events.OnTokenValidated = async context =>
                     {
                         //Calls method to process groups overage claim.
-                        await GraphHelper.ProcessClaimsForGroupsOverage(context);
+                        await GraphHelper.GetSignedInUsersGroups(context);
                     };
                 }, options => { Configuration.Bind("AzureAd", options); })
                     .EnableTokenAcquisitionToCallDownstreamApi(options => Configuration.Bind("AzureAd", options), initialScopes)
@@ -62,6 +62,14 @@ public void ConfigureServices(IServiceCollection services)
                 // options.TokenValidationParameters.RoleClaimType = "groups";
             });
 
+            services.AddDistributedMemoryCache();
+            services.AddSession(options =>
+            {
+                options.IdleTimeout = TimeSpan.FromMinutes(1);
+                options.Cookie.HttpOnly = true;
+                options.Cookie.IsEssential = true;
+            });
+
             services.AddControllersWithViews(options =>
             {
                 var policy = new AuthorizationPolicyBuilder()
@@ -88,12 +96,13 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
 
             app.UseHttpsRedirection();
             app.UseStaticFiles();
-            app.UseCookiePolicy();
 
             app.UseRouting();
+            app.UseSession();
             app.UseAuthentication();
             app.UseAuthorization();
 
+
             app.UseEndpoints(endpoints =>
             {
                 endpoints.MapControllerRoute(

5-WebApp-AuthZ/5-2-Groups/Views/Home/Index.cshtml

@@ -26,20 +26,44 @@
 
     @foreach (var claim in user.Claims)
     {
-<tr>
-    @{
-        if (claim.Type == "groups")
-        {
-            <td><b>@claim.Type</b></td>
-        }
-        else
-        {
-            <td>@claim.Type</td>
-        }
+        <tr>
+            @{
+                if (claim.Type == "groups")
+                {
+                    <td><b>@claim.Type</b></td>
+                }
+                else
+                {
+                    <td>@claim.Type</td>
+                }
+            }
+
+            <td>@claim.Value</td>
+        </tr>
+    }
+
+</table>
+
+@{
+    List<string> groupClaims = new List<string>();
+
+    if (ViewData.ContainsKey("groupClaims"))
+    {
+        groupClaims = ViewData["groupClaims"] as List<string>;
     }
 
-    <td>@claim.Value</td>
-</tr>
+}
+
+<table class="table table-striped table-bordered table-condensed table-hover">
+    <tr>
+        <td colspan="2">If groups overage occured, the groups fetched from Graph will be listed below</td>
+        </tr>
+
+    @foreach (var group in groupClaims)
+    {
+        <tr>
+            <td colspan="2">@group</td>
+        </tr>
     }
 
 </table>