Merge branch 'master' into kkrishna/updates2019

Author: Kalyan Krishna

2-WebApp-graph-user/2-2-TokenCache/README.md

@@ -51,6 +51,15 @@ Go to the `"2-WebApp-graph-user\2-2-TokenCache"` folder
 #### In the appsettings.json file, configure a Sql server database for token caching, if you have not already done so:
 
 1. In the `TokenCacheDbConnStr` key, provide the Sql server connection string to the database you wish to use for token caching.
+   > Note:
+   > If you want to test this sample locally with Visual Studio, you might want to use localdb, which is installed with Visual Studio.
+   > In that case, use the following connection string:
+   >
+   > ```XML
+   >  "ConnectionStrings": {
+   >   "TokenCacheDbConnStr": "Data Source=(LocalDb)\\MSSQLLocalDB;Database=MY_TOKEN_CACHE_DATABASE;Trusted_Connection=True;"
+   > },
+   > ```
 1. If you do not have an existing database and tables needed for token caching, this sample can use  [EF Core- code first](https://docs.microsoft.com/en-us/ef/core/get-started/aspnetcore/new-db?tabs=visual-studio) to create a database and tables for you. to do that, follow the steps below.
     1. In the file `Microsoft.Identity.Web\Client\TokenCacheProviders\Sql\MSALAppSqlTokenCacheProviderExtension.cs`, uncomment the code under the **// Uncomment the following lines to create the database.**. This comment exists once in the **AddSqlAppTokenCache** and **AddSqlPerUserTokenCache**  methods.
     1. Run the solution again, when a user signs-in the very first time, the Entity Framework will create the database and tables  `AppTokenCache` and `UserTokenCache` for app and user token caching respectively.

2-WebApp-graph-user/2-2-TokenCache/appsettings.json

@@ -9,7 +9,13 @@
 
     // To call an API
     "ClientSecret": "[Enter app key of the first app as obtained from Azure Portal, e.g. rZJJ9bHSi/cYnYwmQFxLYDn/6EfnrnIfKoNzv9NKgbo]"
-},
+  },
+
+  /*
+    To try the sample locally on your development machine, if you have installed Visual Studio you can
+    use the following connection string
+      "TokenCacheDbConnStr": "Data Source=(LocalDb)\\MSSQLLocalDB;Database=MY_TOKEN_CACHE_DATABASE;Trusted_Connection=True;"
+  */
   "ConnectionStrings": {
     "TokenCacheDbConnStr": "[Enter the Sql server connection string, e.g. Server=MY_SQL_SERVER;Database=MY_TOKEN_CACHE_DATABASE;Trusted_Connection=True;"
   },

Microsoft.Identity.Web/Client/TokenAcquisition.cs

@@ -165,7 +165,20 @@ public async Task<string> GetAccessTokenOnBehalfOfUser(HttpContext context, IEnu
 
             // Use MSAL to get the right token to call the API
             var application = BuildConfidentialClientApplication(context, context.User);
-            return await GetAccessTokenOnBehalfOfUser(application, context.User, scopes, tenant);
+
+            // Case of a lazy OBO
+            Claim jwtClaim = context.User.FindFirst("jwt");
+            if (jwtClaim != null)
+            {
+                (context.User.Identity as ClaimsIdentity).RemoveClaim(jwtClaim);
+                var result = await application.AcquireTokenOnBehalfOf(scopes.Except(scopesRequestedByMsalNet), new UserAssertion(jwtClaim.Value))
+                                        .ExecuteAsync();
+                return result.AccessToken;
+            }
+            else
+            {
+                return await GetAccessTokenOnBehalfOfUser(application, context.User, scopes, tenant);
+            }
         }
 
         /// <summary>

Microsoft.Identity.Web/Client/TokenCacheProviders/InMemory/MSALAppMemoryTokenCacheProvider.cs

@@ -128,7 +128,7 @@ private void AppTokenCacheAfterAccessNotification(TokenCacheNotificationArgs arg
             if (args.HasStateChanged)
             {
                 // Reflect changes in the persistence store
-                this.memoryCache.Set(this.AppCacheId, args.TokenCache.SerializeMsalV3(), CacheOptions.AbsoluteExpiration);
+                this.memoryCache.Set(this.AppCacheId, args.TokenCache.SerializeMsalV3(), CacheOptions.SlidingExpiration);
             }
         }
     }

Microsoft.Identity.Web/Client/TokenCacheProviders/InMemory/MSALAppMemoryTokenCacheProviderExtension.cs

@@ -39,7 +39,7 @@ public static class MSALAppMemoryTokenCacheProviderExtension
         /// <returns></returns>
         public static IServiceCollection AddInMemoryTokenCaches(this IServiceCollection services, MSALMemoryTokenCacheOptions cacheOptions = null)
         {
-            var memoryCacheoptions = (cacheOptions == null) ? new MSALMemoryTokenCacheOptions { AbsoluteExpiration = DateTimeOffset.Now.AddDays(14) }
+            var memoryCacheoptions = (cacheOptions == null) ? new MSALMemoryTokenCacheOptions { SlidingExpiration = TimeSpan.FromDays(14) }
             : cacheOptions;
 
             AddInMemoryAppTokenCache(services, memoryCacheoptions);

Microsoft.Identity.Web/Client/TokenCacheProviders/InMemory/MSALMemoryTokenCacheOptions.cs

@@ -38,15 +38,15 @@ public class MSALMemoryTokenCacheOptions
         /// <value>
         /// The AbsoluteExpiration value.
         /// </value>
-        public DateTimeOffset AbsoluteExpiration
+        public TimeSpan SlidingExpiration
         {
             get;
             set;
         }
 
         public MSALMemoryTokenCacheOptions()
         {
-            this.AbsoluteExpiration = DateTimeOffset.Now.AddHours(12);
+            this.SlidingExpiration = TimeSpan.FromHours(12);
         }
     }
 }

Microsoft.Identity.Web/Client/TokenCacheProviders/InMemory/MSALPerUserMemoryTokenCacheProvider.cs

@@ -104,7 +104,7 @@ private void UserTokenCacheAfterAccessNotification(TokenCacheNotificationArgs ar
                     return;
 
                 // Ideally, methods that load and persist should be thread safe.MemoryCache.Get() is thread safe.
-                this.memoryCache.Set(cacheKey, args.TokenCache.SerializeMsalV3(), this.CacheOptions.AbsoluteExpiration);
+                this.memoryCache.Set(cacheKey, args.TokenCache.SerializeMsalV3(), this.CacheOptions.SlidingExpiration);
 
             }
         }

Microsoft.Identity.Web/Client/TokenCacheProviders/Session/MSALAppSessionTokenCacheProvider.cs

@@ -29,6 +29,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 using System;
 using System.Diagnostics;
 using System.Threading;
+using System.Threading.Tasks;
 
 namespace Microsoft.Identity.Web.Client.TokenCacheProviders
 {
@@ -46,7 +47,12 @@ public class MSALAppSessionTokenCacheProvider : IMSALAppTokenCacheProvider
         /// <summary>
         /// The HTTP context being used by this app
         /// </summary>
-        internal HttpContext HttpContext = null;
+        internal HttpContext HttpContext { get { return httpContextAccessor.HttpContext; } }
+
+        /// <summary>
+        /// HTTP context accessor
+        /// </summary>
+        internal IHttpContextAccessor httpContextAccessor;
 
         /// <summary>
         /// The duration till the tokens are kept in memory cache. In production, a higher value , upto 90 days is recommended.
@@ -63,26 +69,26 @@ public class MSALAppSessionTokenCacheProvider : IMSALAppTokenCacheProvider
         /// <summary>Initializes a new instance of the <see cref="MSALAppSessionTokenCacheProvider"/> class.</summary>
         /// <param name="azureAdOptionsAccessor">The azure ad options accessor.</param>
         /// <exception cref="ArgumentNullException">AzureADOptions - The app token cache needs {nameof(AzureADOptions)}</exception>
-        public MSALAppSessionTokenCacheProvider(IOptionsMonitor<AzureADOptions> azureAdOptionsAccessor)
+        public MSALAppSessionTokenCacheProvider(IOptionsMonitor<AzureADOptions> azureAdOptionsAccessor, IHttpContextAccessor httpContextAccessor)
         {
+            this.httpContextAccessor = httpContextAccessor;
             if (azureAdOptionsAccessor.CurrentValue == null && string.IsNullOrWhiteSpace(azureAdOptionsAccessor.CurrentValue.ClientId))
             {
                 throw new ArgumentNullException(nameof(AzureADOptions), $"The app token cache needs {nameof(AzureADOptions)}, populated with clientId to initialize.");
             }
 
-            this.AppId = azureAdOptionsAccessor.CurrentValue.ClientId;
+            AppId = azureAdOptionsAccessor.CurrentValue.ClientId;
         }
 
         /// <summary>Initializes this instance of TokenCacheProvider with essentials to initialize themselves.</summary>
         /// <param name="tokenCache">The token cache instance of MSAL application</param>
         /// <param name="httpcontext">The Httpcontext whose Session will be used for caching.This is required by some providers.</param>
         public void Initialize(ITokenCache tokenCache, HttpContext httpcontext)
         {
-            this.AppCacheId = this.AppId + "_AppTokenCache";
-            this.HttpContext = httpcontext;
+            AppCacheId = this.AppId + "_AppTokenCache";
 
-            tokenCache.SetBeforeAccess(this.AppTokenCacheBeforeAccessNotification);
-            tokenCache.SetAfterAccess(this.AppTokenCacheAfterAccessNotification);
+            tokenCache.SetBeforeAccessAsync(this.AppTokenCacheBeforeAccessNotificationAsync);
+            tokenCache.SetAfterAccessAsync(this.AppTokenCacheAfterAccessNotificationAsync);
             tokenCache.SetBeforeWrite(this.AppTokenCacheBeforeWriteNotification);
         }
 
@@ -119,9 +125,9 @@ public void Clear()
         /// Triggered right before MSAL needs to access the cache. Reload the cache from the persistence store in case it changed since the last access.
         /// </summary>
         /// <param name="args">Contains parameters used by the MSAL call accessing the cache.</param>
-        private void AppTokenCacheBeforeAccessNotification(TokenCacheNotificationArgs args)
+        private async Task AppTokenCacheBeforeAccessNotificationAsync(TokenCacheNotificationArgs args)
         {
-            this.HttpContext.Session.LoadAsync().Wait();
+            await this.HttpContext.Session.LoadAsync();
 
             SessionLock.EnterReadLock();
             try
@@ -147,7 +153,7 @@ private void AppTokenCacheBeforeAccessNotification(TokenCacheNotificationArgs ar
         /// Triggered right after MSAL accessed the cache.
         /// </summary>
         /// <param name="args">Contains parameters used by the MSAL call accessing the cache.</param>
-        private void AppTokenCacheAfterAccessNotification(TokenCacheNotificationArgs args)
+        private async Task AppTokenCacheAfterAccessNotificationAsync(TokenCacheNotificationArgs args)
         {
             // if the access operation resulted in a cache update
             if (args.HasStateChanged)
@@ -159,8 +165,8 @@ private void AppTokenCacheAfterAccessNotification(TokenCacheNotificationArgs arg
 
                     // Reflect changes in the persistent store
                     byte[] blob = args.TokenCache.SerializeMsalV3();
-                    this.HttpContext.Session.Set(this.AppCacheId, blob);
-                    this.HttpContext.Session.CommitAsync().Wait();
+                    HttpContext.Session.Set(this.AppCacheId, blob);
+                    await HttpContext.Session.CommitAsync();
                 }
                 finally
                 {

Microsoft.Identity.Web/Client/TokenCacheProviders/Session/MSALAppSessionTokenCacheProviderExtension.cs

@@ -23,6 +23,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 */
 
 using Microsoft.AspNetCore.Authentication.AzureAD.UI;
+using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Options;
 
@@ -46,9 +47,11 @@ public static IServiceCollection AddSessionTokenCaches(this IServiceCollection s
         /// <returns></returns>
         public static IServiceCollection AddSessionAppTokenCache(this IServiceCollection services)
         {
+            services.AddHttpContextAccessor();
             services.AddScoped<IMSALAppTokenCacheProvider>(factory =>
             {
-                return new MSALAppSessionTokenCacheProvider(factory.GetRequiredService<IOptionsMonitor<AzureADOptions>>());
+                return new MSALAppSessionTokenCacheProvider(factory.GetRequiredService<IOptionsMonitor<AzureADOptions>>(),
+                                                            factory.GetRequiredService<IHttpContextAccessor>());
             });
 
             return services;

Microsoft.Identity.Web/Client/TokenCacheProviders/Sql/MSALAppSqlTokenCacheProviderExtension.cs

@@ -52,12 +52,13 @@ public static IServiceCollection AddSqlAppTokenCache(this IServiceCollection ser
         {
             // Uncomment the following lines to create the database. In production scenarios, the database
             // will most probably be already present.
-            //var tokenCacheDbContextBuilder = new DbContextOptionsBuilder<TokenCacheDbContext>();
-            //tokenCacheDbContextBuilder.UseSqlServer(sqlTokenCacheOptions.SqlConnectionString);
-
-            //var tokenCacheDbContext = new TokenCacheDbContext(tokenCacheDbContextBuilder.Options);
-            //tokenCacheDbContext.Database.EnsureCreated();
+/*
+            var tokenCacheDbContextBuilder = new DbContextOptionsBuilder<TokenCacheDbContext>();
+            tokenCacheDbContextBuilder.UseSqlServer(sqlTokenCacheOptions.SqlConnectionString);
 
+            var tokenCacheDbContextForCreation = new TokenCacheDbContext(tokenCacheDbContextBuilder.Options);
+            tokenCacheDbContextForCreation.Database.EnsureCreated();
+*/
             services.AddDataProtection();
 
             services.AddDbContext<TokenCacheDbContext>(options =>