Merge branch 'master' into tibre/fix158

# Conflicts:
#	4-WebApp-your-API/Client/Controllers/TodoListController.cs
#	Microsoft.Identity.Web/Client/TokenCacheProviders/Sql/MSALAppSqlTokenCacheProviderExtension.cs

Author: Tiago Brenck

4-WebApp-your-API/Client/Controllers/TodoListController.cs

@@ -1,7 +1,7 @@
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.Identity.Client;
 using Microsoft.Identity.Web.Client;
-using System.Collections.Generic;
 using System.Threading.Tasks;
 using TodoListClient.Services;
 using TodoListService.Models;
@@ -11,15 +11,14 @@ namespace TodoListClient.Controllers
     public class TodoListController : Controller
     {
         private ITodoListService _todoListService;
-        private IList<Todo> Model = new List<Todo>();
 
         public TodoListController(ITodoListService todoListService)
         {
             _todoListService = todoListService;
         }
 
         // GET: TodoList
-        //[MsalUiRequiredExceptionFilter(ScopeKeySection = "TodoList:TodoListScope")]
+        [MsalUiRequiredExceptionFilter(ScopeKeySection = "TodoList:TodoListScope")]
         public async Task<ActionResult> Index()
         {
             return View(await _todoListService.GetAsync());

Microsoft.Identity.Web/Client/MsalUiRequiredExceptionFilterAttribute.cs

@@ -2,8 +2,11 @@
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Filters;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Identity.Client;
 using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using System;
 using System.Collections.Generic;
 using System.Linq;
 
@@ -25,6 +28,11 @@ public class MsalUiRequiredExceptionFilterAttribute : ExceptionFilterAttribute
     {
         public string[] Scopes { get; set; }
 
+        /// <summary>
+        /// Key section on the configuration file that holds the scope value
+        /// </summary>
+        public string ScopeKeySection { get; set; }
+
         public override void OnException(ExceptionContext context)
         {
             MsalUiRequiredException msalUiRequiredException = context.Exception as MsalUiRequiredException;
@@ -37,8 +45,27 @@ public override void OnException(ExceptionContext context)
             {
                 if (CanBeSolvedByReSignInUser(msalUiRequiredException))
                 {
-                    var properties =
-                        BuildAuthenticationPropertiesForIncrementalConsent(Scopes, msalUiRequiredException, context.HttpContext);
+                    // the users cannot provide both scopes and ScopeKeySection at the same time
+                    if (!string.IsNullOrWhiteSpace(ScopeKeySection) && Scopes != null && Scopes.Length > 0)
+                    {
+                        throw new InvalidOperationException($"Either provide the '{nameof(ScopeKeySection)}' or the '{nameof(Scopes)}' to the 'MsalUiRequiredExceptionFilterAttribute'.");
+                    }
+
+                    // If the user wishes us to pick the Scopes from a particular config setting.
+                    if (!string.IsNullOrWhiteSpace(ScopeKeySection))
+                    {
+                        // Load the injected IConfiguration
+                        IConfiguration configuration = context.HttpContext.RequestServices.GetRequiredService<IConfiguration>();
+
+                        if (configuration == null)
+                        {
+                            throw new InvalidOperationException($"The {nameof(ScopeKeySection)} is provided but the IConfiguration instance is not present in the services collection");
+                        }
+
+                        Scopes = new string[] { configuration.GetValue<string>(ScopeKeySection) };
+                    }
+
+                    var properties = BuildAuthenticationPropertiesForIncrementalConsent(Scopes, msalUiRequiredException, context.HttpContext);
                     context.Result = new ChallengeResult(properties);
                 }
             }

Microsoft.Identity.Web/Client/TokenCacheProviders/Sql/MSALAppSqlTokenCacheProviderExtension.cs

@@ -114,4 +114,4 @@ public static IServiceCollection AddSqlPerUserTokenCache(this IServiceCollection
             return services;
         }
     }
-}
+}

Microsoft.Identity.Web/Microsoft.Identity.Web.csproj

@@ -8,6 +8,6 @@
     <PackageReference Include="Microsoft.AspNetCore.App" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.AzureAD.UI" Version="2.2.0" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.AzureADB2C.UI" Version="2.2.0" />
-    <PackageReference Include="Microsoft.Identity.Client" Version="4.2.1" />
+    <PackageReference Include="Microsoft.Identity.Client" Version="4.3.1" />
   </ItemGroup>
 </Project>

Microsoft.Identity.Web/WebApiStartupHelpers.cs

@@ -83,7 +83,6 @@ public static IServiceCollection AddProtectWebApiWithMicrosoftIdentityPlatformV2
                 // be used from the controllers.
                 options.Events = new JwtBearerEvents();
 
-#pragma warning disable 1998
                 options.Events.OnTokenValidated = async context =>
                    {
                        // This check is required to ensure that the Web API only accepts tokens from tenants where it has been consented and provisioned.
@@ -93,9 +92,8 @@ public static IServiceCollection AddProtectWebApiWithMicrosoftIdentityPlatformV2
                            throw new UnauthorizedAccessException("Neither scope or roles claim was found in the bearer token.");
                        }
 
-                       return;
+                       await Task.FromResult(0);
                    };
-#pragma warning restore 1998
 
                 // If you want to debug, or just understand the JwtBearer events, uncomment the following line of code
                 // options.Events = JwtBearerMiddlewareDiagnostics.Subscribe(options.Events);