update readme, handle cae

Author: derisen

2-WebApp-graph-user/2-6-BFF-Proxy/AppCreationScripts/sample.json

@@ -27,7 +27,7 @@
             "HomePage": "https://localhost:7000",
             "ReplyUrls": "https://localhost:7000/api/auth/signin-oidc, https://localhost:7000/api/auth/signout-oidc",
             "SDK": "MicrosoftIdentityWeb",
-            "SampleSubPath": "2-WebApp-graph-user\\2-6-BFF-Proxy",
+            "SampleSubPath": "2-WebApp-graph-user\\2-6-BFF-Proxy\\CallGraphBFF",
             "PasswordCredentials": "Auto",
             "Certificate": "Auto",
             "RequiredResourcesAccess": [

2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/ClientApp/src/AuthProvider.js

@@ -15,7 +15,7 @@ const AuthProviderHOC = (C) =>
             await this.getAccount();
         }
 
-        login = (postLoginRedirectUri, claimsChallenge) => {
+        login = (postLoginRedirectUri, scopesToConsent) => {
             let url = "api/auth/login";
 
             const searchParams = new URLSearchParams({});
@@ -24,8 +24,8 @@ const AuthProviderHOC = (C) =>
                 searchParams.append('postLoginRedirectUri', encodeURIComponent(postLoginRedirectUri));
             }
 
-            if (claimsChallenge) {
-                searchParams.append('claimsChallenge', JSON.stringify(claimsChallenge));
+            if (scopesToConsent) {
+                searchParams.append('scopesToConsent', scopesToConsent.join(' '));
             }
 
             url = `${url}?${searchParams.toString()}`;
@@ -36,12 +36,12 @@ const AuthProviderHOC = (C) =>
         logout = (postLogoutRedirectUri) => {
             this.setState({ isAuthenticated: false, account: null });
 
-            let url = "api/auth/login";
+            let url = "api/auth/logout";
 
             const searchParams = new URLSearchParams({});
 
             if (postLogoutRedirectUri) {
-                searchParams.append('postLoginRedirectUri', encodeURIComponent(postLogoutRedirectUri));
+                searchParams.append('postLogoutRedirectUri', encodeURIComponent(postLogoutRedirectUri));
             }
 
             url = `${url}?${searchParams.toString()}`;

2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/ClientApp/src/components/FetchGraph.js

@@ -42,10 +42,6 @@ export class FetchGraph extends Component {
         const data = await response.json();
         this.setState({ profile: data, loading: false });
       } else if (response.status === 401) {
-        if (response.body) {
-          const claims = await response.json();
-          this.props.login(window.location.href, claims);
-        }
         this.props.login(window.location.href);
       }
     } catch (error) {

2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/Controllers/AuthController.cs

@@ -1,54 +1,51 @@
-using System.Security.Claims;
-using System.Web;
+using System.Web;
+using System.Security.Claims;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
-using static Microsoft.Graph.Constants;
 
 namespace TodoListBFF.Controllers;
 
 [Route("api/[controller]")]
 public class AuthController : Controller
 {
     [HttpGet("login")]
-    public ActionResult Login(string? postLoginRedirectUri, string? claimsChallenge)
+    public ActionResult Login(string? postLoginRedirectUri)
     {
         string redirectUri = !string.IsNullOrEmpty(postLoginRedirectUri) ? HttpUtility
             .UrlDecode(postLoginRedirectUri) : "/";
 
+        string claims = HttpContext.Session.GetString("claimsChallenge") ?? "";
+
         var props = new AuthenticationProperties { RedirectUri = redirectUri };
 
-        if (claimsChallenge != null)
+        if (!string.IsNullOrEmpty(claims))
         {
-            string jsonString = claimsChallenge
-                .Replace("\\", "")
-                .Trim(new char[1] { '"' });
-
-            string? loginHint = (this.User.Identity as ClaimsIdentity)?.Claims
-                .FirstOrDefault(c => c.Type == "login_hint")?.Value;
-
-            props.Items["claims"] = jsonString;
-            props.Items["login_hint"] = loginHint;
+            props.Items["claims"] = claims; // attach the challenge to the request
+            HttpContext.Session.Remove("claimsChallenge"); // discard the challenge in session
         }
 
         return Challenge(props);
     }
 
     [Authorize]
     [HttpGet("logout")]
-    public async Task<ActionResult> Logout()
+    public async Task<ActionResult> Logout(string? postLogoutRedirectUri)
     {
-        await HttpContext.SignOutAsync();
+        string redirectUri = !string.IsNullOrEmpty(postLogoutRedirectUri) ? HttpUtility
+            .UrlDecode(postLogoutRedirectUri) : "/";
 
-        var props = new AuthenticationProperties { RedirectUri = "/" };
+        var props = new AuthenticationProperties { RedirectUri = redirectUri };
 
+        // Sign out from both cookie and OIDC authentication schemes
         List<string> optionList = new List<string> { 
             CookieAuthenticationDefaults.AuthenticationScheme,
             OpenIdConnectDefaults.AuthenticationScheme 
         };
 
+        await HttpContext.SignOutAsync();
         return new SignOutResult(optionList, props);
     }
 

2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/Controllers/ProfileController.cs

@@ -33,15 +33,18 @@ public async Task<ActionResult<User>> GetProfile()
         catch (ServiceException svcex) 
         when (svcex.InnerException is MicrosoftIdentityWebChallengeUserException)
         {
-            return Unauthorized("MicrosoftIdentityWebChallengeUserException occurred.\n" + svcex.Message);
+            return Unauthorized("MicrosoftIdentityWebChallengeUserException occurred\n" + svcex.Message);
         }
         catch (ServiceException svcex) 
         when (svcex.Message.Contains("Continuous access evaluation"))
         {
-            string claimChallenge = WwwAuthenticateParameters
+            string claimsChallenge = WwwAuthenticateParameters
                 .GetClaimChallengeFromResponseHeaders(svcex.ResponseHeaders);
 
-            return Unauthorized(claimChallenge);
+            // Set the claims challenge string to session, which will be used during the next login request
+            HttpContext.Session.SetString("claimsChallenge", claimsChallenge);
+
+            return Unauthorized("Continuous access evaluation resulted in claims challenge\n" + svcex.Message);
         }
         catch (Exception ex)
         {

2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/Program.cs

@@ -11,20 +11,30 @@
 // This flag ensures that the ClaimsIdentity claims collection will be built from the claims in the token
 JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
 
-// Add services to the container.
+builder.Services.AddDistributedMemoryCache();
+
+// Add Microsoft.Identity.Web services to the container.
 builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration)
     .EnableTokenAcquisitionToCallDownstreamApi(builder.Configuration.GetSection("DownstreamApi:Scopes").Value.Split(' '))
     .AddMicrosoftGraph(builder.Configuration.GetValue<string>("DownstreamApi:BaseUrl"), builder.Configuration.GetValue<string>("DownstreamApi:Scopes"))
     .AddInMemoryTokenCaches();
 
+// Add session for sharing non-sensitive strings between routes.
+builder.Services.AddSession(options =>
+{
+    options.IdleTimeout = TimeSpan.FromSeconds(30);
+    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+    options.Cookie.HttpOnly = true;
+    options.Cookie.IsEssential = true;
+});
+
+// Configure cookie properties for ASP.NET Core cookie authentication.
 builder.Services.Configure<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme, options => {
     options.Cookie.SameSite = SameSiteMode.Strict;
     options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
     options.Cookie.HttpOnly = true;
     options.Cookie.IsEssential = true;
-
-    options.Events = new RespondUnauthorizedWhenSessionCookieNotFoundEvents();
-    options.Events = new RejectSessionCookieWhenAccountNotInCacheEvents();
+    options.Events = new CustomCookieAuthenticationEvents(); // modifies the behavior of certain cookie authentication events.
 });
 
 builder.Services.AddControllersWithViews()
@@ -46,6 +56,8 @@
 app.UseAuthentication();
 app.UseAuthorization();
 
+app.UseSession();
+
 app.MapControllerRoute(
     name: "default",
     pattern: "{controller}/{action=Index}/{id?}");

2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/Utils/RejectSessionCookieWhenAccountNotInCacheEvents.cs renamed to 2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/Utils/CustomCookieAuthenticationEvents.cs

@@ -1,17 +1,33 @@
-using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.Identity.Client;
 using Microsoft.Identity.Web;
+using System.Net;
 
-internal class RejectSessionCookieWhenAccountNotInCacheEvents : CookieAuthenticationEvents
+internal class CustomCookieAuthenticationEvents : CookieAuthenticationEvents
 {
+    // Respond with 401 instead of redirect to IdP for unauthenticated attempts to access a secure route
+    public override Task RedirectToLogin(RedirectContext<CookieAuthenticationOptions> context)
+    {
+        context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
+        return Task.CompletedTask;
+    }
+
+    public override Task RedirectToAccessDenied(RedirectContext<CookieAuthenticationOptions> context)
+    {
+        context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
+        return Task.CompletedTask;
+    }
+
+    // Reject authentication cookie if no tokens are found in the cache
     public async override Task ValidatePrincipal(CookieValidatePrincipalContext context)
     {
         try
         {
             var tokenAcquisition = context.HttpContext.RequestServices.GetRequiredService<ITokenAcquisition>();
 
             string token = await tokenAcquisition.GetAccessTokenForUserAsync(
-                scopes: new[] { "user.read" },
+                scopes: new[] { "User.Read" },
                 user: context.Principal);
         }
         catch (MicrosoftIdentityWebChallengeUserException ex) when (AccountDoesNotExitInTokenCache(ex))
@@ -23,7 +39,7 @@ public async override Task ValidatePrincipal(CookieValidatePrincipalContext cont
     /// <summary>
     /// Is the exception thrown because there is no account in the token cache?
     /// </summary>
-    /// <param name="ex">Exception thrown by <see cref="ITokenAcquisition"/>.GetTokenForXX methods.</param>
+    /// <param name="ex">Exception thrown by <see cref="ITokenAcquisition"/>.GetTokenForX methods.</param>
     /// <returns>A boolean telling if the exception was about not having an account in the cache</returns>
     private static bool AccountDoesNotExitInTokenCache(MicrosoftIdentityWebChallengeUserException ex)
     {

2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/Utils/RespondUnauthorizedWhenSessionCookieNotFoundEvents.cs

@@ -1,7 +1,7 @@
 {
   "AzureAd": {
     "Instance": "https://login.microsoftonline.com/",
-    "TenantId": "[Enter 'common', or 'organizations' or the Tenant Id (Obtained from the Azure portal. Select 'Endpoints' from the 'App registrations' blade and use the GUID in any of the URLs), e.g. da41245a5-11b3-996c-00a8-4d99re19f292]",
+    "TenantId": "[Enter 'common', or 'organizations' or the Tenant Id (obtained from the Azure portal. Select 'Endpoints' from the 'App registrations' blade and use the GUID in any of the URLs), e.g. da41245a5-11b3-996c-00a8-4d99re19f292]",
     "ClientId": "[Enter the Client Id (Application ID obtained from the Azure portal), e.g. ba74781c2-53c2-442a-97c2-3d60re42f403]",
     "ClientSecret": "[Copy the client secret added to the app from the Azure portal]",
     //"ClientCertificates": [
@@ -17,7 +17,7 @@
   },
   "DownstreamApi": {
     "BaseUrl": "https://graph.microsoft.com/v1.0",
-    "Scopes": "user.read"
+    "Scopes": "User.Read"
   },
   "Logging": {
     "LogLevel": {