Updated challenge from Web API and other minor updates

Author: Shama-K

4-WebApp-your-API/4-3-AnyOrg/Readme.md

@@ -256,7 +256,7 @@ When you start the Web API from Visual Studio, depending on the browser you use,
 
 This behavior is expected as you are not authenticated. The client application will be authenticated, so it will be able to access the Web API.
 
-Explore the sample by signing in into the TodoList client, adding items to the To Do list and assigning them to users. If you stop the application without signing out, the next time you run the application, you won't be prompted to sign in again.
+Explore the sample by signing in into the TodoList client, adding items to the To Do list and assigning them to users. After sign-in, you will see a link for `Admin Consent` that can be used to provide consent for by admin of a tenant to other users of the same tenant. If you stop the application without signing out, the next time you run the application, you won't be prompted to sign in again.
 
 > NOTE: Remember, the To-Do list is stored in memory in this `TodoListService` app. Each time you run the projects, your To-Do list will get emptied.
 
@@ -266,7 +266,9 @@ Explore the sample by signing in into the TodoList client, adding items to the T
 
 ### Code for the Web app (TodoListClient)
 
-In Startup.cs, below lines of code enables Microsoft identity platform endpoint. This endpoint is capable of signing-in users both with their Work and School and Microsoft Personal accounts.
+#### 
+
+In `Startup.cs`, below lines of code enables Microsoft identity platform endpoint. This endpoint is capable of signing-in users both with their Work and School and Microsoft Personal accounts.
 ```csharp
 services.AddSignIn(Configuration).
          AddWebAppCallsProtectedWebApi(Configuration, new string[] 
@@ -275,9 +277,81 @@ services.AddSignIn(Configuration).
 ```
 
 The following code injects the ToDoList service implementation in the client
+
 ```CSharp
 services.AddTodoListService(Configuration);
 ```
+
+#### Admin Consent
+
+In `TodoListController.cs`, the below method redirects to admin consent URI and an admin can consent on behalf of organization.
+
+```csharp
+public IActionResult AdminConsent()
+{
+
+    var tenantId = User.GetTenantId();
+
+    string adminConsent = "https://login.microsoftonline.com/" +
+               tenantId + "/v2.0/adminconsent?client_id=" + _ClientId
+               + "&redirect_uri=" + _RedirectUri + "&scope=" + _TodoListScope;
+    return Redirect(adminConsent);
+}
+```
+#### Handle MsalUiRequiredException from Web API
+
+ In `ToDoListService.cs`, below method is called when `MsalUiRequiredException` is thrown from Web API in the on-behalf of flow. It creates consent URI and throws `WebApiMsalUiRequiredException`.
+
+```csharp
+private void HandleChallengeFromWebApi(HttpResponseMessage response)
+{
+    //proposedAction="consent"
+    List<string> result = new List<string>(); 
+    AuthenticationHeaderValue bearer = response.Headers.WwwAuthenticate.First(v => v.Scheme == "Bearer");
+    IEnumerable<string> parameters = bearer.Parameter.Split(',').Select(v => v.Trim()).ToList();
+    string proposedAction = GetParameter(parameters, "proposedAction");
+
+    if (proposedAction == "consent")
+    {
+        string consentUri = GetParameter(parameters, "consentUri");
+
+        var uri = new Uri(consentUri);
+
+        var queryString = System.Web.HttpUtility.ParseQueryString(uri.Query);
+        queryString.Set("client_id", _ClientId);
+        queryString.Set("redirect_uri", _RedirectUri);
+        queryString.Set("scope", _TodoListScope);
+        queryString.Add("prompt", "consent");
+
+        var uriBuilder = new UriBuilder(uri);
+        uriBuilder.Query = queryString.ToString();
+        var updateConsentUri = uriBuilder.Uri.ToString();
+        result.Add("consentUri");
+        result.Add(updateConsentUri);
+
+        throw new WebApiMsalUiRequiredException(updateConsentUri);
+    }
+}
+```
+
+The following code in `ToDoListController.cs` catches the `WebApiMsalUiRequiredException` exception and redirects to consent Uri.
+
+```csharp
+public async Task<IActionResult> Create()
+{
+    ToDoItem todo = new ToDoItem();
+    try
+    {
+        ...
+    }
+    catch (WebApiMsalUiRequiredException ex)
+    {
+        var a = ex.Message;
+        return Redirect(ex.Message);
+    }
+}
+```
+
 ### Code for the Web API (TodoListService)
 
 #### Choosing which scopes to expose

4-WebApp-your-API/4-3-AnyOrg/ToDoListClient/Controllers/ToDoListController.cs

@@ -12,18 +12,27 @@
 using Microsoft.Identity.Web;
 using ToDoListClient.Models;
 using ToDoListClient.Services;
+using ToDoListClient.Utils;
 
 namespace ToDoListClient.Controllers
 {
     [Authorize]
     public class ToDoListController : Controller
     {
         private IToDoListService _todoListService;
+        private readonly string _TodoListScope = string.Empty;
+        private readonly string _ClientId = string.Empty;
+        private readonly string _RedirectUri = string.Empty;
 
-        public ToDoListController(IToDoListService todoListService)
+        public ToDoListController(IToDoListService todoListService, IConfiguration configuration)
         {
             _todoListService = todoListService;
+            _TodoListScope = configuration["TodoList:TodoListScope"];
+            _ClientId = configuration["AzureAd:ClientId"];
+            _RedirectUri = configuration["RedirectUri"];
         }
+
+        [AuthorizeForScopes(ScopeKeySection = "TodoList:TodoListScope")]
         // GET: TodoList
         public async Task<ActionResult> Index()
         {
@@ -35,14 +44,23 @@ public async Task<ActionResult> Index()
         public async Task<IActionResult> Create()
         {
             ToDoItem todo = new ToDoItem();
-            TempData["UsersDropDown"] = (await _todoListService.GetAllUsersAsync())
+            try
+            {
+                List<string> result = (await _todoListService.GetAllUsersAsync()).ToList();
+
+                TempData["UsersDropDown"] = result
                 .Select(u => new SelectListItem
                 {
                     Text = u
                 }).ToList();
-            return View(todo);
+                return View(todo);
+            }
+            catch (WebApiMsalUiRequiredException ex)
+            {
+                var a = ex.Message;
+                return Redirect(ex.Message);
+            }
         }
-
         // POST: TodoList/Create
         [HttpPost]
         [ValidateAntiForgeryToken]
@@ -98,11 +116,11 @@ public async Task<ActionResult> Delete(int id, [Bind("Id,Title,Owner")] ToDoItem
 
         public IActionResult AdminConsent()
         {
-            string redirectUrl = Request.Scheme + Uri.SchemeDelimiter + Request.Host.Value;
-            var tenantId = User.Claims.First(x => x.Type == "http://schemas.microsoft.com/identity/claims/tenantid" || x.Type=="tid").Value;
-          
-            string adminConsent = _todoListService.GetAdminConsentEndpoint(tenantId, redirectUrl);
-            
+            var tenantId = User.GetTenantId();
+
+            string adminConsent = "https://login.microsoftonline.com/" +
+                       tenantId + "/v2.0/adminconsent?client_id=" + _ClientId
+                       + "&redirect_uri=" + _RedirectUri + "&scope=" + _TodoListScope;
             return Redirect(adminConsent);
         }
     }

4-WebApp-your-API/4-3-AnyOrg/ToDoListClient/Services/IToDoListService.cs

@@ -18,6 +18,5 @@ public interface IToDoListService
         Task<ToDoItem> AddAsync(ToDoItem todo);
 
         Task<ToDoItem> EditAsync(ToDoItem todo);
-        string GetAdminConsentEndpoint(string tenantId, string redirectUrl);
     }
 }

4-WebApp-your-API/4-3-AnyOrg/ToDoListClient/Services/ToDoListService.cs

@@ -5,6 +5,7 @@
 using Microsoft.Graph;
 using Microsoft.Identity.Web;
 using Newtonsoft.Json;
+using System;
 using System.Collections.Generic;
 using System.Diagnostics;
 using System.Linq;
@@ -15,6 +16,7 @@
 using System.Text;
 using System.Threading.Tasks;
 using ToDoListClient.Models;
+using ToDoListClient.Utils;
 
 namespace ToDoListClient.Services
 {
@@ -33,8 +35,8 @@ public class ToDoListService : IToDoListService
         private readonly string _TodoListScope = string.Empty;
         private readonly string _TodoListBaseAddress = string.Empty;
         private readonly string _ClientId = string.Empty;
+        private readonly string _RedirectUri = string.Empty;
         private readonly ITokenAcquisition _tokenAcquisition;
-        //private readonly IConfiguration _configuration;
 
         public ToDoListService(ITokenAcquisition tokenAcquisition, HttpClient httpClient, IConfiguration configuration, IHttpContextAccessor contextAccessor)
         {
@@ -44,6 +46,7 @@ public ToDoListService(ITokenAcquisition tokenAcquisition, HttpClient httpClient
             _TodoListScope = configuration["TodoList:TodoListScope"];
             _TodoListBaseAddress = configuration["TodoList:TodoListBaseAddress"];
             _ClientId = configuration["AzureAd:ClientId"];
+            _RedirectUri = configuration["RedirectUri"];
         }
         public async Task<ToDoItem> AddAsync(ToDoItem todo)
         {
@@ -122,15 +125,13 @@ public async Task<IEnumerable<string>> GetAllUsersAsync()
 
                 return Users;
             }
+            else if (response.StatusCode == HttpStatusCode.Unauthorized)
+            {
+                 HandleChallengeFromWebApi(response);
+            }
+
             throw new HttpRequestException($"Invalid status code in the HttpResponseMessage: {response.StatusCode}.");
         }
-        private async Task PrepareAuthenticatedClient()
-        {
-            var accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(new[] { _TodoListScope });
-            Debug.WriteLine($"access token-{accessToken}");
-            _httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
-            _httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
-        }
 
         public async Task<ToDoItem> GetAsync(int id)
         {
@@ -146,12 +147,52 @@ public async Task<ToDoItem> GetAsync(int id)
 
             throw new HttpRequestException($"Invalid status code in the HttpResponseMessage: {response.StatusCode}.");
         }
-        public string GetAdminConsentEndpoint(string tenantId, string redirectUrl)
+
+        private async Task PrepareAuthenticatedClient()
+        {
+            var accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(new[] { _TodoListScope });
+            Debug.WriteLine($"access token-{accessToken}");
+            _httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
+            _httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
+        }
+
+        private void HandleChallengeFromWebApi(HttpResponseMessage response)
+        {
+            //proposedAction="consent"
+            List<string> result = new List<string>();
+            AuthenticationHeaderValue bearer = response.Headers.WwwAuthenticate.First(v => v.Scheme == "Bearer");
+            IEnumerable<string> parameters = bearer.Parameter.Split(',').Select(v => v.Trim()).ToList();
+            string proposedAction = GetParameter(parameters, "proposedAction");
+
+            if (proposedAction == "consent")
+            {
+                string consentUri = GetParameter(parameters, "consentUri");
+
+                var uri = new Uri(consentUri);
+
+                //Set values of query string parameters
+                var queryString = System.Web.HttpUtility.ParseQueryString(uri.Query);
+                queryString.Set("client_id", _ClientId);
+                queryString.Set("redirect_uri", _RedirectUri);
+                queryString.Set("scope", _TodoListScope);
+                queryString.Add("prompt", "consent");
+
+                //Update values in consent Uri
+                var uriBuilder = new UriBuilder(uri);
+                uriBuilder.Query = queryString.ToString();
+                var updateConsentUri = uriBuilder.Uri.ToString();
+                result.Add("consentUri");
+                result.Add(updateConsentUri);
+
+                //throw custom exception
+                throw new WebApiMsalUiRequiredException(updateConsentUri);
+            }
+        }
+
+        private static string GetParameter(IEnumerable<string> parameters, string parameterName)
         {
-            string adminConsent = "https://login.microsoftonline.com/" +
-                       tenantId + "/v2.0/adminconsent?client_id="+ _ClientId
-                       + "&redirect_uri="+ redirectUrl + "&scope="+_TodoListScope;
-            return adminConsent;
+            int offset = parameterName.Length + 1;
+            return parameters.FirstOrDefault(p => p.StartsWith($"{parameterName}="))?.Substring(offset)?.Trim('"');
         }
     }
 }

4-WebApp-your-API/4-3-AnyOrg/ToDoListClient/Utils/WebApiMsalUiRequiredException.cs

@@ -0,0 +1,12 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+
+namespace ToDoListClient.Utils
+{
+    public class WebApiMsalUiRequiredException:Exception
+    {
+        public WebApiMsalUiRequiredException(string message) : base(message) { }
+    }
+}

4-WebApp-your-API/4-3-AnyOrg/TodoListService/Controllers/TodoListController.cs

@@ -70,14 +70,19 @@ public async Task<ActionResult<TodoItem>> GetTodoItem(int id)
         public async Task<ActionResult<IEnumerable<string>>> GetAllUsers()
         {
             HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
-
-            List<string> Users = await CallGraphApiOnBehalfOfUser();
-            if (Users == null)
+            try
             {
-                return NotFound();
+                List<string> Users = await CallGraphApiOnBehalfOfUser();
+                return Users;
+            }
+            catch (MsalUiRequiredException ex)
+            {
+                HttpContext.Response.ContentType = "text/plain";
+                HttpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
+                await HttpContext.Response.WriteAsync("An authentication error occurred while acquiring a token for downstream API\n" + ex.ErrorCode + "\n" + ex.Message);
             }
 
-            return Users;
+            return null;
         }
         // PUT: api/TodoItems/5
         // To protect from overposting attacks, please enable the specific properties you want to bind to, for