minor corrections

Author: derisen

2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/ClientApp/src/components/Home.js

@@ -44,7 +44,7 @@ export class Home extends Component {
             </ul>
             <p>To help you get started, we have also set up:</p>
             <ul>
-              <li><strong>Client-side navigation</strong>. For example, click <em>Profile</em>, then <em>Back</em> to return here.</li>
+              <li><strong>Client-side navigation</strong>. For example, click <em>Profile</em> after sign-in, then <em>Back</em> to return here.</li>
               <li><strong>Development server integration</strong>. In development mode, the development server from <code>create-react-app</code> runs in the background automatically, so your client-side resources are dynamically built on demand and the page refreshes when you modify any file.</li>
               <li><strong>Efficient production builds</strong>. In production mode, development-time features are disabled, and your <code>dotnet publish</code> configuration produces minified, efficiently bundled JavaScript files.</li>
             </ul>

2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/Controllers/AuthController.cs

@@ -25,7 +25,7 @@ public async Task<ActionResult> Logout()
         await HttpContext.SignOutAsync();
 
         List<string> optionList = new List<string> { 
-            CookieAuthenticationDefaults.AuthenticationScheme, 
+            CookieAuthenticationDefaults.AuthenticationScheme,
             OpenIdConnectDefaults.AuthenticationScheme 
         };
 

2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/Controllers/ProfileController.cs

@@ -1,13 +1,14 @@
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Authentication.Cookies;
-using Microsoft.Identity.Web;
 using Microsoft.Identity.Client;
+using Microsoft.Identity.Web;
 using Microsoft.Graph;
 
 namespace TodoListBFF.Controllers;
 
-[Authorize]
+[Authorize(AuthenticationSchemes = CookieAuthenticationDefaults.AuthenticationScheme)]
+[AuthorizeForScopes(Scopes = new string[] { "user.read" })]
 [Route("api/[controller]")]
 [ApiController]
 public class ProfileController : Controller
@@ -31,13 +32,17 @@ public async Task<ActionResult<User>> GetProfile()
 
             return Ok(profile);
         }
+        catch (ServiceException svcex) when (svcex.Message.Contains("Continuous access evaluation"))
+        {
+            return Unauthorized("Continuous access evaluation challenge occurred\n" + svcex.Message);
+        }
         catch (MsalUiRequiredException ex)
         {
-            return Unauthorized(ex.Message);
+            return Unauthorized("MsalUiRequiredException occurred while calling the downstream API\n" + ex.Message);
         }
         catch (Exception ex)
         {
-            return BadRequest(ex.Message);
+            return BadRequest("An error occurred while calling the downstream API\n" + ex.Message);
         }
     }
 }

2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/Program.cs

@@ -1,6 +1,7 @@
 using System.IdentityModel.Tokens.Jwt;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.Identity.Web;
+using Microsoft.Identity.Web.UI;
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -22,6 +23,8 @@
     options.Cookie.HttpOnly = true;
     options.Cookie.IsEssential = true;
 
+    options.Events = new RejectSessionCookieWhenAccountNotInCacheEvents();
+
     //options.Events.OnRedirectToLogin = context =>
     //{
     //    context.Response.StatusCode = 401;
@@ -35,9 +38,8 @@
     //};
 });
 
-builder.Services.AddControllersWithViews();
-
-builder.Services.AddHttpClient();
+builder.Services.AddControllersWithViews()
+    .AddMicrosoftIdentityUI();
 
 var app = builder.Build();
 

2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/Utils/RejectSessionCookieWhenAccountNotInCacheEvents.cs

@@ -0,0 +1,33 @@
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.Identity.Client;
+using Microsoft.Identity.Web;
+
+internal class RejectSessionCookieWhenAccountNotInCacheEvents : CookieAuthenticationEvents
+{
+    public async override Task ValidatePrincipal(CookieValidatePrincipalContext context)
+    {
+        try
+        {
+            var tokenAcquisition = context.HttpContext.RequestServices.GetRequiredService<ITokenAcquisition>();
+            string token = await tokenAcquisition.GetAccessTokenForUserAsync(
+                scopes: new[] { "user.read" },
+                user: context.Principal);
+        }
+        catch (MicrosoftIdentityWebChallengeUserException ex)
+           when (AccountDoesNotExitInTokenCache(ex))
+        {
+            context.RejectPrincipal();
+        }
+    }
+
+    /// <summary>
+    /// Is the exception thrown because there is no account in the token cache?
+    /// </summary>
+    /// <param name="ex">Exception thrown by <see cref="ITokenAcquisition"/>.GetTokenForXX methods.</param>
+    /// <returns>A boolean telling if the exception was about not having an account in the cache</returns>
+    private static bool AccountDoesNotExitInTokenCache(MicrosoftIdentityWebChallengeUserException ex)
+    {
+        return ex.InnerException is MsalUiRequiredException
+                                  && ((MsalUiRequiredException)ex.InnerException).ErrorCode == "user_null";
+    }
+}

2-WebApp-graph-user/2-6-BFF-Proxy/README.md

@@ -171,7 +171,7 @@ Open the project in your IDE (like Visual Studio or Visual Studio Code) to confi
 From your shell or command line, execute the following commands:
 
 ```console
-    cd 2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF
+    cd 2-WebApp-graph-user/2-6-BFF-Proxy
     dotnet run
 ```