handle cae

Author: derisen

2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/ClientApp/src/AuthProvider.js

@@ -15,16 +15,41 @@ const AuthProviderHOC = (C) =>
             await this.getAccount();
         }
 
-        login = () => {
-            window.location.replace('api/auth/login');
+        login = (postLoginRedirectUri, claimsChallenge) => {
+            let url = "api/auth/login";
+
+            const searchParams = new URLSearchParams({});
+
+            if (postLoginRedirectUri) {
+                searchParams.append('postLoginRedirectUri', encodeURIComponent(postLoginRedirectUri));
+            }
+
+            if (claimsChallenge) {
+                searchParams.append('claimsChallenge', JSON.stringify(claimsChallenge));
+            }
+
+            url = `${url}?${searchParams.toString()}`;
+
+            window.location.replace(url);
         }
 
-        logout = () =>{
+        logout = (postLogoutRedirectUri) => {
             this.setState({ isAuthenticated: false, account: null });
-            window.location.replace('api/auth/logout');
+
+            let url = "api/auth/login";
+
+            const searchParams = new URLSearchParams({});
+
+            if (postLogoutRedirectUri) {
+                searchParams.append('postLoginRedirectUri', encodeURIComponent(postLogoutRedirectUri));
+            }
+
+            url = `${url}?${searchParams.toString()}`;
+
+            window.location.replace(url);
         }
 
-        getAccount = async() => {
+        getAccount = async () => {
             const response = await fetch('api/auth/account');
             const data = await response.json();
 

2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/ClientApp/src/components/FetchGraph.js

@@ -40,9 +40,13 @@ export class FetchGraph extends Component {
 
       if (response.ok) {
         const data = await response.json();
-        this.setState({ profile: data, loading: false }); 
+        this.setState({ profile: data, loading: false });
       } else if (response.status === 401) {
-        this.props.login();
+        if (response.body) {
+          const claims = await response.json();
+          this.props.login(window.location.href, claims);
+        }
+        this.props.login(window.location.href);
       }
     } catch (error) {
       console.log(error);

2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/Controllers/AuthController.cs

@@ -1,21 +1,39 @@
 using System.Security.Claims;
+using System.Web;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using static Microsoft.Graph.Constants;
 
 namespace TodoListBFF.Controllers;
 
 [Route("api/[controller]")]
 public class AuthController : Controller
 {
     [HttpGet("login")]
-    public ActionResult Login()
+    public ActionResult Login(string? postLoginRedirectUri, string? claimsChallenge)
     {
-        return Challenge(new AuthenticationProperties { 
-            RedirectUri = "/"
-        });
+        string redirectUri = !string.IsNullOrEmpty(postLoginRedirectUri) ? HttpUtility
+            .UrlDecode(postLoginRedirectUri) : "/";
+
+        var props = new AuthenticationProperties { RedirectUri = redirectUri };
+
+        if (claimsChallenge != null)
+        {
+            string jsonString = claimsChallenge
+                .Replace("\\", "")
+                .Trim(new char[1] { '"' });
+
+            string? loginHint = (this.User.Identity as ClaimsIdentity)?.Claims
+                .FirstOrDefault(c => c.Type == "login_hint")?.Value;
+
+            props.Items["claims"] = jsonString;
+            props.Items["login_hint"] = loginHint;
+        }
+
+        return Challenge(props);
     }
 
     [Authorize]
@@ -24,15 +42,14 @@ public async Task<ActionResult> Logout()
     {
         await HttpContext.SignOutAsync();
 
+        var props = new AuthenticationProperties { RedirectUri = "/" };
+
         List<string> optionList = new List<string> { 
             CookieAuthenticationDefaults.AuthenticationScheme,
             OpenIdConnectDefaults.AuthenticationScheme 
         };
 
-        return new SignOutResult(optionList, new AuthenticationProperties
-        {
-            RedirectUri = "/"
-        });
+        return new SignOutResult(optionList, props);
     }
 
     [HttpGet("account")]

2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/Controllers/ProfileController.cs

@@ -1,6 +1,7 @@
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.Identity.Client;
 using Microsoft.Identity.Web;
 using Microsoft.Graph;
 
@@ -25,18 +26,22 @@ public async Task<ActionResult<User>> GetProfile()
         {
             User profile = await _graphServiceClient.Me
                 .Request()
-                .WithScopes("user.read")
                 .GetAsync();
 
             return Ok(profile);
         }
-        catch (ServiceException svcex) when (svcex.InnerException != null && svcex.InnerException.Message.Contains("MsalUiRequiredException"))
+        catch (ServiceException svcex) 
+        when (svcex.InnerException is MicrosoftIdentityWebChallengeUserException)
         {
-            return Unauthorized("MsalUiRequiredException occurred. Please sign-in again.\n" + svcex.Message);
+            return Unauthorized("MicrosoftIdentityWebChallengeUserException occurred.\n" + svcex.Message);
         }
-        catch (ServiceException svcex) when (svcex.Message.Contains("Continuous access evaluation"))
+        catch (ServiceException svcex) 
+        when (svcex.Message.Contains("Continuous access evaluation"))
         {
-            return Unauthorized("Continuous access evaluation challenge occurred. Please sign-in again.\n" + svcex.Message);
+            string claimChallenge = WwwAuthenticateParameters
+                .GetClaimChallengeFromResponseHeaders(svcex.ResponseHeaders);
+
+            return Unauthorized(claimChallenge);
         }
         catch (Exception ex)
         {

2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/Program.cs

@@ -23,6 +23,7 @@
     options.Cookie.HttpOnly = true;
     options.Cookie.IsEssential = true;
 
+    options.Events = new RespondUnauthorizedWhenSessionCookieNotFoundEvents();
     options.Events = new RejectSessionCookieWhenAccountNotInCacheEvents();
 });
 

2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/Utils/RejectSessionCookieWhenAccountNotInCacheEvents.cs

@@ -9,12 +9,12 @@ public async override Task ValidatePrincipal(CookieValidatePrincipalContext cont
         try
         {
             var tokenAcquisition = context.HttpContext.RequestServices.GetRequiredService<ITokenAcquisition>();
+
             string token = await tokenAcquisition.GetAccessTokenForUserAsync(
                 scopes: new[] { "user.read" },
                 user: context.Principal);
         }
-        catch (MicrosoftIdentityWebChallengeUserException ex)
-           when (AccountDoesNotExitInTokenCache(ex))
+        catch (MicrosoftIdentityWebChallengeUserException ex) when (AccountDoesNotExitInTokenCache(ex))
         {
             context.RejectPrincipal();
         }

2-WebApp-graph-user/2-6-BFF-Proxy/CallGraphBFF/Utils/RespondUnauthorizedWhenSessionCookieNotFoundEvents.cs

@@ -0,0 +1,17 @@
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+
+internal class RespondUnauthorizedWhenSessionCookieNotFoundEvents : CookieAuthenticationEvents
+{
+    public override Task RedirectToLogin(RedirectContext<CookieAuthenticationOptions> context)
+    {
+        context.Response.StatusCode = 401;
+        return Task.CompletedTask;
+    }
+
+    public override Task RedirectToAccessDenied(RedirectContext<CookieAuthenticationOptions> context)
+    {
+        context.Response.StatusCode = 401;
+        return Task.CompletedTask;
+    }
+}