Updating the token cache providers (#106)

* updating the token cache providers to prepare
- for MSAL 4.x (which introduces async token cache serialization)
- and also reusing the ConfidentialClientApplication in the TokenAcquisition service (as the cache can now be overriden when it's deserialied)

Problems fixed:
1. The token cache serialization providers used to keep the token cache as a member of the class and applied serialization and deserialization methods to this member.
  1. They now use the `TokenCache` provided as a member of the `TokenCacheNotificationArgs`. Using the cache kept in the provider itself will break in MSAL 4.0 where we introduce the async serialization notifications

  ```Text
  NotImplementedException: This is removed in MSAL.NET v4. Read more: https://aka.ms/msal-net-4x-cache-breaking-change
  Microsoft.Identity.Client.TokenCache.DeserializeMsalV3(byte[] msalV3State, bool shouldClearExistingCache)
  ```

  1. Given that some of the cache providers are a singleton in ASP.NET Core, there was a race condition (See also point #2).

1. They used to keep the user as a member of the class (the user when the cache was initialized)
   1. Again this was a race condition when the provider was a singleton: the Web app was accessed by many users.

  1. They how allow us to keep the same instance of ConfidentialClientApplication. This is a new requirement coming from Graph SDK. They use the deserializer override that has a boolean parameter to overrides the cache.

Also fixing:
- the aka.ms link to point to docs.microsoft.com and no longer to the wiki
- renaming the solution

cc: @bgavrilMS @kalyankrishna1 @TiagoBrenck

Author: jmprieur

2-WebApp-graph-user/2-1-Call-MSGraph/WebApp-OpenIDConnect-DotNet.sln renamed to 2-WebApp-graph-user/2-1-Call-MSGraph/AspnetCoreWebApp-calls-Microsoft-Graph.sln

@@ -259,9 +259,12 @@ public async Task RemoveAccount(RedirectContext context)
                 account = accounts.FirstOrDefault(a => a.Username == user.GetLoginHint());
             }
 
-             this.UserTokenCacheProvider?.Clear();
+            if (account!=null)
+            {
+                this.UserTokenCacheProvider?.Clear(account.HomeAccountId.Identifier);
 
-            await app.RemoveAsync(account);
+                await app.RemoveAsync(account);
+            }
         }
 
         /// <summary>
@@ -391,24 +394,24 @@ private void AddAccountToCacheFromJwt(IEnumerable<string> scopes, JwtSecurityTok
         /// </summary>
         /// <param name="httpContext">HttpContext</param>
         /// <param name="scopes">Scopes to consent to</param>
-        /// <param name="msalSeviceException"><see cref="MsalUiRequiredException"/> triggering the challenge</param>
+        /// <param name="msalServiceException"><see cref="MsalUiRequiredException"/> triggering the challenge</param>
 
-        public void ReplyForbiddenWithWwwAuthenticateHeader(HttpContext httpContext, IEnumerable<string> scopes, MsalUiRequiredException msalSeviceException)
+        public void ReplyForbiddenWithWwwAuthenticateHeader(HttpContext httpContext, IEnumerable<string> scopes, MsalUiRequiredException msalServiceException)
         {
             // A user interaction is required, but we are in a Web API, and therefore, we need to report back to the client through an wwww-Authenticate header https://tools.ietf.org/html/rfc6750#section-3.1
             string proposedAction = "consent";
-            if (msalSeviceException.ErrorCode == MsalError.InvalidGrantError)
+            if (msalServiceException.ErrorCode == MsalError.InvalidGrantError)
             {
-                if (AcceptedTokenVersionIsNotTheSameAsTokenVersion(msalSeviceException))
+                if (AcceptedTokenVersionIsNotTheSameAsTokenVersion(msalServiceException))
                 {
-                    throw msalSeviceException;
+                    throw msalServiceException;
                 }
             }
 
             IDictionary<string, string> parameters = new Dictionary<string, string>()
                 {
                     { "clientId", azureAdOptions.ClientId },
-                    { "claims", msalSeviceException.Claims },
+                    { "claims", msalServiceException.Claims },
                     { "scopes", string.Join(",", scopes) },
                     { "proposedAction", proposedAction }
                 };

Microsoft.Identity.Web/Client/TokenAcquisition.cs

@@ -42,6 +42,6 @@ public interface IMSALUserTokenCacheProvider
         /// <summary>
         /// Clears the token cache for this user
         /// </summary>
-        void Clear();
+        void Clear(string accountId);
     }
 }

Microsoft.Identity.Web/Client/TokenCacheProviders/IMSALUserTokenCacheProvider.cs

@@ -36,7 +36,7 @@ namespace Microsoft.Identity.Web.Client.TokenCacheProviders
     /// An implementation of token cache for Confidential clients backed by MemoryCache.
     /// MemoryCache is useful in Api scenarios where there is no HttpContext to cache data.
     /// </summary>
-    /// <seealso cref="https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/token-cache-serialization"/>
+    /// <seealso cref="https://aka.ms/msal-net-token-cache-serialization"/>
     public class MSALAppMemoryTokenCacheProvider : IMSALAppTokenCacheProvider
     {
         /// <summary>
@@ -49,17 +49,12 @@ public class MSALAppMemoryTokenCacheProvider : IMSALAppTokenCacheProvider
         /// </summary>
         internal IMemoryCache memoryCache;
 
-        /// <summary>
-        /// The internal handle to the client's instance of the Cache
-        /// </summary>
-        private ITokenCache ApptokenCache;
-
         private readonly MSALMemoryTokenCacheOptions CacheOptions;
 
         /// <summary>
         /// The App's whose cache we are maintaining.
         /// </summary>
-        private string AppId;
+        private readonly string AppId;
 
         public MSALAppMemoryTokenCacheProvider(IMemoryCache cache,
             MSALMemoryTokenCacheOptions option,
@@ -90,12 +85,9 @@ public void Initialize(ITokenCache tokenCache, HttpContext httpcontext)
         {
             this.AppCacheId = this.AppId + "_AppTokenCache";
 
-            this.ApptokenCache = tokenCache;
-            this.ApptokenCache.SetBeforeAccess(this.AppTokenCacheBeforeAccessNotification);
-            this.ApptokenCache.SetAfterAccess(this.AppTokenCacheAfterAccessNotification);
-            this.ApptokenCache.SetBeforeWrite(this.AppTokenCacheBeforeWriteNotification);
-
-            this.LoadAppTokenCacheFromMemory();
+            tokenCache.SetBeforeAccess(this.AppTokenCacheBeforeAccessNotification);
+            tokenCache.SetAfterAccess(this.AppTokenCacheAfterAccessNotification);
+            tokenCache.SetBeforeWrite(this.AppTokenCacheBeforeWriteNotification);
         }
 
         /// <summary>
@@ -107,33 +99,12 @@ private void AppTokenCacheBeforeWriteNotification(TokenCacheNotificationArgs arg
             // Since we are using a MemoryCache ,whose methods are threads safe, we need not to do anything in this handler.
         }
 
-        /// <summary>
-        /// Loads the application's token from memory cache.
-        /// </summary>
-        private void LoadAppTokenCacheFromMemory()
-        {
-            byte[] tokenCacheBytes = (byte[])this.memoryCache.Get(this.AppCacheId);
-            this.ApptokenCache.DeserializeMsalV3(tokenCacheBytes);
-        }
-
-        /// <summary>
-        /// Persists the application's token to the cache.
-        /// </summary>
-        private void PersistAppTokenCache()
-        {
-            // Reflect changes in the persistence store
-            this.memoryCache.Set(this.AppCacheId, this.ApptokenCache.SerializeMsalV3(), CacheOptions.AbsoluteExpiration);
-        }
-
         /// <summary>
         /// Clears the token cache for this app
         /// </summary>
         public void Clear()
         {
             this.memoryCache.Remove(this.AppCacheId);
-
-            // Nulls the currently deserialized instance
-            this.LoadAppTokenCacheFromMemory();
         }
 
         /// <summary>
@@ -142,7 +113,9 @@ public void Clear()
         /// <param name="args">Contains parameters used by the MSAL call accessing the cache.</param>
         private void AppTokenCacheBeforeAccessNotification(TokenCacheNotificationArgs args)
         {
-            this.LoadAppTokenCacheFromMemory();
+            // Load the token cache from memory
+            byte[] tokenCacheBytes = (byte[])this.memoryCache.Get(this.AppCacheId);
+            args.TokenCache.DeserializeMsalV3(tokenCacheBytes, shouldClearExistingCache: true);
         }
 
         /// <summary>
@@ -154,7 +127,8 @@ private void AppTokenCacheAfterAccessNotification(TokenCacheNotificationArgs arg
             // if the access operation resulted in a cache update
             if (args.HasStateChanged)
             {
-                this.PersistAppTokenCache();
+                // Reflect changes in the persistence store
+                this.memoryCache.Set(this.AppCacheId, args.TokenCache.SerializeMsalV3(), CacheOptions.AbsoluteExpiration);
             }
         }
     }

Microsoft.Identity.Web/Client/TokenCacheProviders/InMemory/MSALAppMemoryTokenCacheProvider.cs

@@ -23,6 +23,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 */
 
 using Microsoft.AspNetCore.Authentication.AzureAD.UI;
+using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Caching.Memory;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Options;
@@ -72,11 +73,12 @@ public static IServiceCollection AddInMemoryAppTokenCache(this IServiceCollectio
         public static IServiceCollection AddInMemoryPerUserTokenCache(this IServiceCollection services, MSALMemoryTokenCacheOptions cacheOptions)
         {
             services.AddMemoryCache();
-
+            services.AddHttpContextAccessor();
             services.AddSingleton<IMSALUserTokenCacheProvider>(factory =>
             {
                 var memoryCache = factory.GetRequiredService<IMemoryCache>();
-                return new MSALPerUserMemoryTokenCacheProvider(memoryCache, cacheOptions);
+                IHttpContextAccessor httpContextAccessor = factory.GetRequiredService<IHttpContextAccessor>();
+                return new MSALPerUserMemoryTokenCacheProvider(memoryCache, cacheOptions, httpContextAccessor);
             });
 
             return services;

Microsoft.Identity.Web/Client/TokenCacheProviders/InMemory/MSALAppMemoryTokenCacheProviderExtension.cs

@@ -34,31 +34,27 @@ namespace Microsoft.Identity.Web.Client.TokenCacheProviders
     /// An implementation of token cache for both Confidential and Public clients backed by MemoryCache.
     /// MemoryCache is useful in Api scenarios where there is no HttpContext.Session to cache data.
     /// </summary>
-    /// <seealso cref="https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/token-cache-serialization"/>
+    /// <seealso cref="https://aka.ms/msal-net-token-cache-serialization"/>
     public class MSALPerUserMemoryTokenCacheProvider : IMSALUserTokenCacheProvider
     {
         /// <summary>
         /// The backing MemoryCache instance
         /// </summary>
         internal IMemoryCache memoryCache;
 
-        /// <summary>
-        /// The internal handle to the client's instance of the Cache
-        /// </summary>
-        private ITokenCache UserTokenCache;
+        private readonly MSALMemoryTokenCacheOptions CacheOptions;
 
         /// <summary>
-        /// Once the user signes in, this will not be null and can be ontained via a call to Thread.CurrentPrincipal
+        /// Enables the singleton object to access the right HttpContext
         /// </summary>
-        internal ClaimsPrincipal SignedInUser;
-
-        private readonly MSALMemoryTokenCacheOptions CacheOptions;
+        private IHttpContextAccessor httpContextAccessor;
 
         /// <summary>Initializes a new instance of the <see cref="MSALPerUserMemoryTokenCache"/> class.</summary>
         /// <param name="cache">The memory cache instance</param>
-        public MSALPerUserMemoryTokenCacheProvider(IMemoryCache cache, MSALMemoryTokenCacheOptions option)
+        public MSALPerUserMemoryTokenCacheProvider(IMemoryCache cache, MSALMemoryTokenCacheOptions option, IHttpContextAccessor httpContextAccessor)
         {
             this.memoryCache = cache;
+            this.httpContextAccessor = httpContextAccessor;
 
             if (option != null)
             {
@@ -76,70 +72,17 @@ public MSALPerUserMemoryTokenCacheProvider(IMemoryCache cache, MSALMemoryTokenCa
         /// <param name="user">The signed-in user for whom the cache needs to be established. Not needed by all providers.</param>
         public void Initialize(ITokenCache tokenCache, HttpContext httpcontext, ClaimsPrincipal user)
         {
-            this.SignedInUser = user;
-
-            this.UserTokenCache = tokenCache;
-            this.UserTokenCache.SetBeforeAccess(this.UserTokenCacheBeforeAccessNotification);
-            this.UserTokenCache.SetAfterAccess(this.UserTokenCacheAfterAccessNotification);
-            this.UserTokenCache.SetBeforeWrite(this.UserTokenCacheBeforeWriteNotification);
-
-            if (this.SignedInUser == null)
-            {
-                // No users signed in yet, so we return
-                return;
-            }
-
-            this.LoadUserTokenCacheFromMemory();
-        }
-
-        /// <summary>
-        /// Explores the Claims of a signed-in user (if available) to populate the unique Id of this cache's instance.
-        /// </summary>
-        /// <returns>The signed in user's object.tenant Id , if available in the ClaimsPrincipal.Current instance</returns>
-        internal string GetMsalAccountId()
-        {
-            if (this.SignedInUser != null)
-            {
-                return this.SignedInUser.GetMsalAccountId();
-            }
-            return null;
-        }
-
-        /// <summary>Loads the user token cache from memory.</summary>
-        private void LoadUserTokenCacheFromMemory()
-        {
-            string cacheKey = this.GetMsalAccountId();
-
-            if (string.IsNullOrWhiteSpace(cacheKey))
-                return;
-
-            byte[] tokenCacheBytes = (byte[])this.memoryCache.Get(this.GetMsalAccountId());
-            this.UserTokenCache.DeserializeMsalV3(tokenCacheBytes);
-        }
-
-        /// <summary>
-        /// Persists the user token blob to the memoryCache.
-        /// </summary>
-        private void PersistUserTokenCache()
-        {
-            string cacheKey = this.GetMsalAccountId();
-
-            if (string.IsNullOrWhiteSpace(cacheKey))
-                return;
-
-            // Ideally, methods that load and persist should be thread safe.MemoryCache.Get() is thread safe.
-            this.memoryCache.Set(this.GetMsalAccountId(), this.UserTokenCache.SerializeMsalV3(), this.CacheOptions.AbsoluteExpiration);
+            tokenCache.SetBeforeAccess(this.UserTokenCacheBeforeAccessNotification);
+            tokenCache.SetAfterAccess(this.UserTokenCacheAfterAccessNotification);
+            tokenCache.SetBeforeWrite(this.UserTokenCacheBeforeWriteNotification);
         }
 
         /// <summary>
         /// Clears the TokenCache's copy of this user's cache.
         /// </summary>
-        public void Clear()
+        public void Clear(string accountId)
         {
-            this.memoryCache.Remove(this.GetMsalAccountId());
-
-            // Nulls the currently deserialized instance
-            this.LoadUserTokenCacheFromMemory();
+            this.memoryCache.Remove(accountId);
         }
 
         /// <summary>
@@ -148,12 +91,21 @@ public void Clear()
         /// <param name="args">Contains parameters used by the MSAL call accessing the cache.</param>
         private void UserTokenCacheAfterAccessNotification(TokenCacheNotificationArgs args)
         {
-            this.SetSignedInUserFromNotificationArgs(args);
-
             // if the access operation resulted in a cache update
             if (args.HasStateChanged)
             {
-                this.PersistUserTokenCache();
+                string cacheKey = args.Account?.HomeAccountId?.Identifier;
+                if (string.IsNullOrEmpty(cacheKey))
+                {
+                    cacheKey = httpContextAccessor.HttpContext.User.GetMsalAccountId();
+                }
+
+                if (string.IsNullOrWhiteSpace(cacheKey))
+                    return;
+
+                // Ideally, methods that load and persist should be thread safe.MemoryCache.Get() is thread safe.
+                this.memoryCache.Set(cacheKey, args.TokenCache.SerializeMsalV3(), this.CacheOptions.AbsoluteExpiration);
+
             }
         }
 
@@ -164,7 +116,17 @@ private void UserTokenCacheAfterAccessNotification(TokenCacheNotificationArgs ar
         /// <param name="args">Contains parameters used by the MSAL call accessing the cache.</param>
         private void UserTokenCacheBeforeAccessNotification(TokenCacheNotificationArgs args)
         {
-            this.LoadUserTokenCacheFromMemory();
+            string cacheKey = args.Account?.HomeAccountId?.Identifier;
+            if (string.IsNullOrEmpty(cacheKey))
+            {
+                cacheKey = httpContextAccessor.HttpContext.User.GetMsalAccountId();
+            }
+
+            if (string.IsNullOrWhiteSpace(cacheKey))
+                return;
+
+            byte[] tokenCacheBytes = (byte[])this.memoryCache.Get(cacheKey);
+            args.TokenCache.DeserializeMsalV3(tokenCacheBytes, shouldClearExistingCache:true);
         }
 
         /// <summary>
@@ -174,18 +136,5 @@ private void UserTokenCacheBeforeAccessNotification(TokenCacheNotificationArgs a
         private void UserTokenCacheBeforeWriteNotification(TokenCacheNotificationArgs args)
         {
         }
-
-        /// <summary>
-        /// To keep the cache, ClaimsPrincipal and Sql in sync, we ensure that the user's object Id we obtained by MSAL after
-        /// successful sign-in is set as the key for the cache.
-        /// </summary>
-        /// <param name="args">Contains parameters used by the MSAL call accessing the cache.</param>
-        private void SetSignedInUserFromNotificationArgs(TokenCacheNotificationArgs args)
-        {
-            if (this.SignedInUser == null && args.Account != null)
-            {
-                this.SignedInUser = args.Account.ToClaimsPrincipal();
-            }
-        }
     }
 }