Minor Updates

Author: Shama-K

5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/AppCreationScripts.md

@@ -4,7 +4,7 @@
 
 ### Quick summary
 
-1. On Windows run PowerShell and navigate to the root of the cloned directory
+1. On Windows run PowerShell as **Administrator** and navigate to the root of the cloned directory
 1. In PowerShell run:
 
    ```PowerShell

5-WebApp-AuthZ/5-2-Groups/Controllers/AccountController.cs

@@ -0,0 +1,15 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace WebApp_OpenIDConnect_DotNet.Controllers
+{
+    public class AccountController : Controller
+    {
+        [Authorize]
+        public IActionResult SignOut()
+        {
+            HttpContext.Session.Clear();
+            return RedirectToAction("SignOut", "Account", new { area = "MicrosoftIdentity" });
+        }
+    }
+}

5-WebApp-AuthZ/5-2-Groups/Infrastructure/CustomAuthorization.cs

@@ -34,7 +34,6 @@ protected override Task HandleRequirementAsync(AuthorizationHandlerContext conte
             {
                 // Retrieves all the groups saved in Session.
                 var groups = _httpContextAccessor.HttpContext.Session.GetAsByteArray("groupClaims") as List<string>;
-                groups = null;
 
                 // Checks if required group exists in Session.
                 if (groups?.Count > 0 && groups.Contains(requirement.GroupName))

5-WebApp-AuthZ/5-2-Groups/Services/MicrosoftGraph-Rest/GraphHelper.cs

@@ -75,19 +75,25 @@ public static async Task<List<string>> GetSignedInUsersGroups(TokenValidatedCont
 
                                 if (identity != null)
                                 {
-                                    // Re-populate the `groups` claim with the complete list of groups fetched from MS Graph
-                                    foreach (Group group in allgroups)
+                                    // Checks if token is 'ID Token'. 
+                                    // ID Token does not contain 'aapid' or 'azp' claims.
+                                    // These claims exist for Access Token.
+                                    if (!identity.Claims.Any(x => x.Type == "appid" || x.Type == "azp"))
                                     {
-                                        // The following code adds group ids to the 'groups' claim. But depending upon your reequirement and the format of the 'groups' claim selected in
-                                        // the app registration, you might want to add other attributes than id to the `groups` claim, examples being;
+                                        // Re-populate the `groups` claim with the complete list of groups fetched from MS Graph
+                                        foreach (Group group in allgroups)
+                                        {
+                                            // The following code adds group ids to the 'groups' claim. But depending upon your reequirement and the format of the 'groups' claim selected in
+                                            // the app registration, you might want to add other attributes than id to the `groups` claim, examples being;
 
-                                        // For instance if the required format is 'NetBIOSDomain\sAMAccountName' then the code is as commented below:
-                                        // groupClaims.Add(group.OnPremisesNetBiosName+"\\"+group.OnPremisesSamAccountName));
-                                        groupClaims.Add(group.Id);
-                                    }
+                                            // For instance if the required format is 'NetBIOSDomain\sAMAccountName' then the code is as commented below:
+                                            // groupClaims.Add(group.OnPremisesNetBiosName+"\\"+group.OnPremisesSamAccountName));
+                                            groupClaims.Add(group.Id);
+                                        }
 
-                                    // Here we add the groups in a session variable that is used in authorization policy handler.
-                                    context.HttpContext.Session.SetAsByteArray("groupClaims", groupClaims);
+                                        // Here we add the groups in a session variable that is used in authorization policy handler.
+                                        context.HttpContext.Session.SetAsByteArray("groupClaims", groupClaims);
+                                    }
                                 }
                             }
                         }

5-WebApp-AuthZ/5-2-Groups/Startup.cs

@@ -49,10 +49,6 @@ public void ConfigureServices(IServiceCollection services)
                         //Calls method to process groups overage claim.
                         var groupClaims = await GraphHelper.GetSignedInUsersGroups(context);
                     };
-                    options.Events.OnSignedOutCallbackRedirect = async context =>
-                    {
-                        context.HttpContext.Session.Clear();
-                    };
                 }, options => { Configuration.Bind("AzureAd", options); })
                     .EnableTokenAcquisitionToCallDownstreamApi(options => Configuration.Bind("AzureAd", options), initialScopes)
                     .AddMicrosoftGraph(Configuration.GetSection("GraphAPI"))

5-WebApp-AuthZ/5-2-Groups/Views/Shared/_LoginPartial.cshtml

@@ -3,7 +3,7 @@
 {
     <ul class="nav navbar-nav navbar-right">
         <li>@Html.ActionLink(User.Identity.Name + "!", "Index", "UserProfile", routeValues: null)</li>
-        <li><a asp-area="MicrosoftIdentity" asp-controller="Account" asp-action="SignOut">Sign out</a></li>
+        <li><a asp-controller="Account" asp-action="SignOut">Sign out</a></li>
     </ul>
 }
 else