review changes

Author: derisen

2-WebApp-graph-user/2-6-BFF-Proxy/AppCreationScripts/AppCreationScripts.md

@@ -15,14 +15,14 @@
 
 - [Goal of the provided scripts](#goal-of-the-provided-scripts)
   - [Presentation of the scripts](#presentation-of-the-scripts)
-  - [Usage pattern for tests and DevOps scenarios](#usage-pattern-for-tests-and-DevOps-scenarios)
+  - [Usage pattern for tests and DevOps scenarios](#usage-pattern-for-tests-and-devops-scenarios)
 - [How to use the app creation scripts?](#how-to-use-the-app-creation-scripts)
   - [Pre-requisites](#pre-requisites)
   - [Run the script and start running](#run-the-script-and-start-running)
-  - [Four ways to run the script](#four-ways-to-run-the-script)
+  - [Two ways to run the script](#two-ways-to-run-the-script)
     - [Option 1 (interactive)](#option-1-interactive)
-    - [Option 2 (Interactive, but create apps in a specified tenant)](#option-3-Interactive-but-create-apps-in-a-specified-tenant)
-  - [Running the script on Azure Sovereign clouds](#running-the-script-on-Azure-Sovereign-clouds)
+    - [Option 2 (Interactive, but create apps in a specified tenant)](#option-2-Interactive-but-create-apps-in-a-specified-tenant)
+  - [Running the script on Azure Sovereign clouds](#running-the-script-on-azure-sovereign-clouds)
 
 ## Goal of the provided scripts
 
@@ -52,7 +52,7 @@ The `Configure.ps1` will stop if it tries to create an Azure AD application whic
 
 ### Pre-requisites
 
-1. PowerShell 7 or later (see: [installing PowerShell](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell))
+1. PowerShell 7 or later (see: [installing PowerShell](https://learn.microsoft.com/powershell/scripting/install/installing-powershell))
 1. Open PowerShell (On Windows, press  `Windows-R` and type `PowerShell` in the search window)
 
 ### (Optionally) install Microsoft.Graph.Applications PowerShell modules
@@ -82,7 +82,7 @@ The scripts install the required PowerShell module (Microsoft.Graph.Applications
     cd AppCreationScripts
     ```
 
-1. Run the scripts. See below for the [four options](#four-ways-to-run-the-script) to do that.
+1. Run the scripts. See below for the [two options](#two-ways-to-run-the-script) to do that.
 1. Open the Visual Studio solution, and in the solution's context menu, choose **Set Startup Projects**.
 1. select **Start** for the projects
 

2-WebApp-graph-user/2-6-BFF-Proxy/AppCreationScripts/Configure-WithCertificates.ps1

@@ -236,7 +236,7 @@ Function ConfigureApplications
     $owner = Get-MgApplicationOwner -ApplicationId $currentAppObjectId
     if ($owner -eq $null)
     { 
-        New-MgApplicationOwnerByRef -ApplicationId $currentAppObjectId  -BodyParameter = @{"@odata.id" = "htps://graph.microsoft.com/v1.0/directoryObjects/$user.ObjectId"}
+        New-MgApplicationOwnerByRef -ApplicationId $currentAppObjectId  -BodyParameter @{"@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$user.ObjectId"}
         Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($clientServicePrincipal.DisplayName)'"
     }
 
@@ -284,7 +284,7 @@ Function ConfigureApplications
     # $configFile = $pwd.Path + "\..\CallGraphBFF\appsettings.json"
     $configFile = $(Resolve-Path ($pwd.Path + "\..\CallGraphBFF\appsettings.json"))
 
-    $dictionary = @{ "TenantId" = $tenantId;"ClientId" = $clientAadApplication.AppId;"ClientSecret" = $pwdCredential.SecretText };
+    $dictionary = @{ "TenantId" = $tenantId;"ClientId" = $clientAadApplication.AppId;"ClientSecret" = $clientAppKey };
 
     Write-Host "Updating the sample config '$configFile' with the following config values:" -ForegroundColor Yellow 
     $dictionary

2-WebApp-graph-user/2-6-BFF-Proxy/AppCreationScripts/Configure.ps1

@@ -218,7 +218,7 @@ Function ConfigureApplications
     $owner = Get-MgApplicationOwner -ApplicationId $currentAppObjectId
     if ($owner -eq $null)
     { 
-        New-MgApplicationOwnerByRef -ApplicationId $currentAppObjectId  -BodyParameter = @{"@odata.id" = "htps://graph.microsoft.com/v1.0/directoryObjects/$user.ObjectId"}
+        New-MgApplicationOwnerByRef -ApplicationId $currentAppObjectId  -BodyParameter @{"@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$user.ObjectId"}
         Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($clientServicePrincipal.DisplayName)'"
     }
 
@@ -266,7 +266,7 @@ Function ConfigureApplications
     # $configFile = $pwd.Path + "\..\CallGraphBFF\appsettings.json"
     $configFile = $(Resolve-Path ($pwd.Path + "\..\CallGraphBFF\appsettings.json"))
 
-    $dictionary = @{ "TenantId" = $tenantId;"ClientId" = $clientAadApplication.AppId;"ClientSecret" = $pwdCredential.SecretText };
+    $dictionary = @{ "TenantId" = $tenantId;"ClientId" = $clientAadApplication.AppId;"ClientSecret" = $clientAppKey };
 
     Write-Host "Updating the sample config '$configFile' with the following config values:" -ForegroundColor Yellow 
     $dictionary

2-WebApp-graph-user/2-6-BFF-Proxy/AppCreationScripts/sample.json

@@ -61,7 +61,7 @@
                 },
                 {
                     "key": "ClientSecret",
-                    "value": "$pwdCredential.SecretText"
+                    "value": ".AppKey"
                 }
             ]
         }

2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/Program.cs

@@ -38,9 +38,6 @@
     options.Events = new CustomCookieAuthenticationEvents(); // modifies the behavior of certain cookie authentication events.
 });
 
-builder.Services.AddControllersWithViews()
-    .AddMicrosoftIdentityUI();
-
 var app = builder.Build();
 
 // Configure the HTTP request pipeline.

2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/appsettings.json

@@ -3,15 +3,20 @@
     "Instance": "https://login.microsoftonline.com/",
     "TenantId": "[Enter 'common', or 'organizations' or the Tenant Id (obtained from the Azure portal. Select 'Endpoints' from the 'App registrations' blade and use the GUID in any of the URLs), e.g. da41245a5-11b3-996c-00a8-4d99re19f292]",
     "ClientId": "[Enter the Client Id (Application ID obtained from the Azure portal), e.g. ba74781c2-53c2-442a-97c2-3d60re42f403]",
-    "ClientSecret": "[Copy the client secret added to the app from the Azure portal]",
-    //"ClientCertificates": [
-    //  {
-    //    "SourceType": "StoreWithDistinguishedName",
-    //    "CertificateStorePath": "CurrentUser/My",
-    //    "CertificateDistinguishedName": "CN=CallGraphBFF"
-    //  }
-    //],
-    "ClientCapabilities": [ "CP1" ],
+    "ClientCredentials": [
+      {
+        "SourceType": "ClientSecret",
+        "ClientSecret": "[Copy the client secret added to the app from the Azure portal]"
+      },
+      //  {
+      //    "SourceType": "StoreWithDistinguishedName",
+      //    "CertificateStorePath": "CurrentUser/My",
+      //    "CertificateDistinguishedName": "CN=CallGraphBFF"
+      //  }
+    ],
+    "ClientCapabilities": [
+      "CP1"
+    ],
     "CallbackPath": "/api/auth/signin-oidc",
     "SignedOutCallbackPath": "/api/auth/signout-oidc"
   },

2-WebApp-graph-user/2-6-BFF-Proxy/README-use-certificate.md

@@ -9,7 +9,7 @@ In production, you should purchase a certificate signed by a well-known certific
 
 <details>
 <summary>:information_source: Expand this to use automation</summary>
- 
+
 1. While inside *AppCreationScripts* folder, open a terminal.
 
 2. Run the [Cleanup-withCertCertificates.ps1](./Cleanup-withCertCertificates.ps1) script to delete any existing app registrations and certificates for the sample.

2-WebApp-graph-user/2-6-BFF-Proxy/README.md

@@ -35,7 +35,7 @@ extensions:
 
 ## Overview
 
-This sample demonstrates a React single-page application (SPA) with an ASP.NET Core backend that authenticates users and calls the Microsoft Graph API using the backend for frontend (BFF) proxy architecture. In this architecture, access tokens are retrieved and stored within the secure backend context, and the client side JavaScript application, which is served by the ASP.NET web app, is only indirectly involved in the authN/authZ process by routing the token and API requests to the backend. The trust between the frontend and backend is established via a secure cookie upon successful sign-in.
+This sample demonstrates a React single-page application (SPA) with an ASP.NET Core backend that authenticates users and calls the Microsoft Graph API using the [backend for frontend (BFF) proxy architecture](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps-13). In this architecture, access tokens are retrieved and stored within the secure backend context, and the client side JavaScript application, which is served by the ASP.NET web app, is only indirectly involved in the authN/authZ process by routing the token and API requests to the backend. The trust between the frontend and backend is established via a secure cookie upon successful sign-in.
 
 > :information_source: To learn how applications integrate with [Microsoft Graph](https://aka.ms/graph), consider going through the recorded session: [An introduction to Microsoft Graph for developers](https://www.youtube.com/watch?v=EBbnpFdB92A)
 
@@ -46,7 +46,21 @@ This sample demonstrates a React single-page application (SPA) with an ASP.NET C
 1. ASP.NET Core web app uses the **access token** as a *bearer* token to authorize the user to call the Microsoft Graph API protected by **Azure AD**.
 1. ASP.NET Core web app returns the Microsoft Graph `/me` endpoint response back to the React SPA.
 
-![Scenario Image](./ReadmeFiles/sequence.png)
+```mermaid
+sequenceDiagram
+    participant Frontend
+    participant Backend
+    participant Azure AD
+    participant Graph
+    Frontend-)+Backend: /login
+    Backend-)+Azure AD: login.microsoftonline.com
+    Azure AD--)-Backend: token response
+    Backend--)-Frontend: /login response (auth state)
+    Frontend-)+Backend: /profile
+    Backend-)+Graph: graph.microsoft.com/v1.0/me
+    Graph--)-Backend: /me endpoint response
+    Backend--)-Frontend: /profile response (/me data)
+```
 
 ## Prerequisites